Facebook has successfully dismantled a major bitcoin botnet operated by a small team of cyber criminals based in Greece.
The Lecpetex botnet managed to infect 250,000 computers. At its peak it compromised as many as 50,000 Facebook accounts.
Lecpetex propagated through the social media platform using spam messages with malicious code inserted into zipped attachments.
Each zip archive contained an embedded Java file that would download and install a litecoin miner. It would also steal cookies and gain access to the victim’s friend list, using it to send out even more spam.
However, mining was not its only function. The botnet was also used to distribute more dangerous malware designed to steal banking details, passwords and bitcoins.
My big fat Greek botnet
Facebook detected the Lecpetex botnet months ago and it is believed that it first started spreading in December.
The social media giant says it tracked more than 20 distinct waves of spam sent out by the botnet between December 2013 and June 2014.
On 30th April, Facebook asked the Cybercrime Subdivision of the Greek Police for assistance. Greek investigators managed to catch up with the botnet’s authors on 3rd July and they were detained on the same day.
Greek police told Facebook that the perpetrators were in the process of establishing a ‘bitcoin mixing’ service that would enable them to launder the stolen bitcoins.
As Greek police started closing in on the operators, they left notes for them to find on compromised command and control servers.
One such message read:
“Hello people.. :) <!– Designed by the SkyNet Team –> but am not the f***ing zeus bot/skynet bot or whatever piece of sh*t.. no fraud here.. only a bit of mining. Stop breaking my ballz [sic].”
Facebook published its findings on the botnet in an extensive blog post.
No word on damage caused
Although Facebook says it learned a few lessons while it dismantled the botnet, there is still no official information on the damage Lecpetex caused.
“Our analysis revealed two distinct malware payloads delivered to infected machines: the DarkComet RAT, and several variations of litecoin mining software. Ultimately the botnet operators focused on litecoin mining to monetize their pool of infected systems,” the company said.
Although the number of affected PCs is relatively low compared to many other botnets, it’s likely that Lecpetex generated some litecoins, though the number is unknown. The ‘bitcoin mixing’ effort cited by Facebook also indicates that bitcoins were likely to have been stolen by the botnet.
According to Greek media reports, the operators of the botnet claimed they were using the data for “research purposes”, not monetary gain. The pair were released from custody earlier this week.