This month we added Win32/Lecpetex to the Microsoft Malicious Software Removal Tool (MSRT).
The addition will assist with the detection and clean-up of this family following the recent Facebook take-down of the Lecpetex botnet. The graph below shows the number of unique machine encounters we have seen since February this year.
The primary Lecpetex payload is a Litecoin miner that is installed on the infected system. A malicious hacker can then use the compromised PC to generate Litecoins.
We have seen Lecpetex being distributed through spam emails, exploit kits, and malware downloaders, such as TrojanDownloader:VBS/Lecpetex.A. It usually employs a scare campaign to trick users into clicking on URLs containing the malware’s components. This social engineering technique is not new, but the prevalence of Lecpetex in recent months proves that it is still very effective.
For example, the spam emails usually use the following format:
Subject: RE: Documents
Body: Here re the required documents you asked for.
Keep me posted for any complaints or anything.
In this example Documents.zip is hyperlinked to a URL that downloads the malware.
Lecpetex can also spread by sending Facebook messages to the friends of infected users. Figure 1 shows some of the instant message templates found in the malware code. Lecpetex sends these messages to the infected user’s buddy list, or uses Facebook Graph Search to find potential targets.
It is interesting how Lecpetex constructs these messages to catch the attention of its recipients and encourage them to respond urgently by clicking on a ZIP file. The message is composed of four parts:
Figure 1: The spam Facebook messages sent by Lecpetex are assembled from four separate components
The malware is attached to the message as a ZIP file. More recent messages sent by Lecpetex also include “Hahaha” and “lol”.
If you have received or clicked on a message similar to that shown above, you should run a full scan of your PC using an up-to-date real-time security product, such as Microsoft Security Essentials.
You can also read more about this malware in the Win32/Lecpetex family description.