Installation
We have seen variants of Win32/Lecpetex downloaded or injected into clean system processes by the following threats:
Once installed, Lecpetex has components that are capable of sending messages through Facebook. Lecpetex sends a message to the infected user's Facebook contacts. The message contains malicious URLs that download files detected as Trojan:Win32/Lecpetex.A.
Lecpetex also has a component used to inject another component into clean system processes such as Internet Explorer. This is detected as TrojanDropper:Win32/Lecpetex.A.
Some variants create a copy of themselves as an alternate data stream in %TEMP%\rnd.dat.
It modifies the following registry entries so that it runs each time you start your PC. The value name mimics the legitimate svchost.exe, and regsvr32 /s silently loads the .dat file as a DLL and calls its DllRegisterServer export:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s %TEMP%\<random>.dat"
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s %TEMP%\<random>.dat"
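The persistence entries above are easy to hunt for in a registry export. The following Python script is an added example (not code from this page or from Microsoft's analysis) that scans the text output of `reg query ...\Run` for a value named svchost, or for any value that silently registers a .dat file from a Temp directory with regsvr32. The sample output, the user name and the file names in it are constructed for the example.

```python
import re

# Constructed sample of `reg query` output for the two Run keys; the OneDrive
# and SecurityHealth entries are normal, the two "svchost" entries are the
# Lecpetex shape. Paths and the random file name are invented for the example.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost     REG_SZ    regsvr32 /s C:\Users\alice\AppData\Local\Temp\a8f3k2.dat

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchost           REG_SZ           regsvr32 /s %TEMP%\rnd.dat
"""

# One value line of `reg query` output: indented name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*\S)\s*$")

# regsvr32 silently (/s) registering a .dat file that lives under %TEMP% or a
# ...\Temp\ directory. Legitimate software does not register DLLs from Temp at
# logon, and a Run value literally named "svchost" is itself a red flag.
SUSPICIOUS_DATA = re.compile(
    r"regsvr32(?:\.exe)?\s+/s\s+\S*(?:%TEMP%|\\Temp\\)\S*\.dat\b", re.IGNORECASE)


def find_lecpetex_run_values(reg_query_output):
    """Return (key, value_name, data) tuples for Run entries matching the pattern."""
    hits = []
    current_key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):          # a key header, not a value
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() == "svchost" or SUSPICIOUS_DATA.search(data):
            hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_lecpetex_run_values(SAMPLE_REG_QUERY):
        print(f"{key}\n  {name} = {data}")
```

On a live host, capture both keys with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the HKLM equivalent and feed the output in. The alternate-data-stream copy mentioned above is invisible to a plain `dir`; list it with `dir /r %TEMP%\rnd.dat`, which shows stream names.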
Payload
Connects to a command and control center
Once installed, Trojan:Win32/Lecpetex.A connects to a website or email account to receive instructions from a command and control center. We have seen it log in to email accounts on the following mail servers:
- mailcatch.com/en/temporary-inbox
- mailnesia.com/mailbox
- spamavert.com/mail/
- tempinbox.com/cgi-bin/checkmail.pl
- www.dispostable.com/inbox/
- www.koszmail.pl/koszmail/mailBox.php?mailBox=
The bot looks for specific marker strings in the mailbox page to locate the encrypted command it should execute. Before it treats a message as coming from its operator, it requires the string <!-- Designed by the SkyNet Team --> to be present as an initial identifier check.
We have seen it receive the commands to:
- Update itself
- Download files, including other malware
- Inject components into other processes
- Download a component that sends messages with malicious links on Facebook
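The mailbox polling is visible on the network, because the bot has to fetch one of the listed endpoints every time it checks for work. The Python below is an added example (not code from this page) that flags proxy-log requests to those endpoints and checks a fetched page for the operator marker. The log format (a Squid-style access line), the client addresses and the mailbox names are constructed for the example; the page does not describe how the command is encoded after the marker, so the code stops at confirming the marker is present.

```python
from urllib.parse import urlsplit

# Disposable-mailbox endpoints from the analysis. The host and path prefix is
# the indicator; the mailbox name that follows varies per bot.
C2_MAILBOX_PREFIXES = (
    "mailcatch.com/en/temporary-inbox",
    "mailnesia.com/mailbox",
    "spamavert.com/mail/",
    "tempinbox.com/cgi-bin/checkmail.pl",
    "www.dispostable.com/inbox/",
    "www.koszmail.pl/koszmail/mailBox.php?mailBox=",
)

# The bot only accepts a page as operator-issued if it carries this exact
# HTML comment, which makes the same string a cheap content-filter signature.
OPERATOR_MARKER = "<!-- Designed by the SkyNet Team -->"

# Constructed proxy log: "<epoch> <client> <method> <url> <status>". The two
# normal lines and the mailbox name q7v2hd are invented for the example.
SAMPLE_PROXY_LOG = """\
1404100002.113 10.0.0.15 GET http://www.microsoft.com/en-us/ 200
1404100017.440 10.0.0.22 GET http://mailnesia.com/mailbox/q7v2hd 200
1404100018.002 10.0.0.22 GET http://www.koszmail.pl/koszmail/mailBox.php?mailBox=q7v2hd 200
1404100031.908 10.0.0.15 GET http://tempinbox.com/help 200
1404100045.120 10.0.0.31 POST https://www.dispostable.com/inbox/q7v2hd/ 200
"""


def is_c2_mailbox_url(url):
    """True if url (scheme optional) starts with one of the listed endpoints.

    The host is compared case-insensitively; the path keeps its case because
    the koszmail.pl indicator contains a mixed-case script name."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    flat = parts.netloc.lower() + parts.path
    if parts.query:
        flat += "?" + parts.query
    return any(flat.startswith(prefix) for prefix in C2_MAILBOX_PREFIXES)


def find_mailbox_polling(log_text):
    """Return (client, url) pairs for every request to a C2 mailbox endpoint."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if is_c2_mailbox_url(url):
            hits.append((client, url))
    return hits


def has_operator_marker(page_body):
    """True if a fetched mailbox page carries the identifier the bot checks for."""
    return OPERATOR_MARKER in page_body


if __name__ == "__main__":
    for client, url in find_mailbox_polling(SAMPLE_PROXY_LOG):
        print(f"{client} polled C2 mailbox {url}")
```

A single host hitting two or more of these mailboxes within seconds, as 10.0.0.22 does in the sample, is a stronger signal than any one request, since the same disposable-mail services also see occasional legitimate use.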
Injects code into Windows Explorer
The trojan starts explorer.exe and injects its component files into it so that its code runs inside a legitimate, trusted process rather than as a separate process of its own.
Collects system information
We have seen this threat collect the following system information:
- Disk volume serial number
- File system name and type
- OS version
- PC name
The collected information is sent to the following IP address:
Trojan:Win32/Lecpetex.A performs the payloads listed above every 15 minutes and stops after 20,000 iterations.
Installs Litecoin miner and password stealer
We have seen this trojan install a Litecoin miner and password stealer.
Sends instant messages through Facebook
Lecpetex has components capable of sending messages to the Facebook friends of an infected user. Each message is made up of four parts, one from each column of the table below:
Part 1            | Part 2                      | Part 3               | Part 4
Just noticed that | someone's been sharing your | personal information | Seriously..
Seems like        | there's someone using your  | contact details      | See for yourself
I guess           | somebody published your     | timeline             | :/
I'm afraid        | someone else uses your      | profile photos       | Have a look
Each message contains a ZIP file holding Lecpetex components, which are used to spread further copies.
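Because the lure is assembled from fixed phrases, every message the component can produce can be enumerated in advance. The Python below is an added example, not code from this page, that builds the 4^4 = 256 sentences and an equivalent regular expression for matching chat or message-log text. It assumes the parts are joined by single spaces, which the page does not state.

```python
import re
from itertools import product

# The four phrase columns from the table above; one phrase is taken from each.
PARTS = (
    ("Just noticed that", "Seems like", "I guess", "I'm afraid"),
    ("someone's been sharing your", "there's someone using your",
     "somebody published your", "someone else uses your"),
    ("personal information", "contact details", "timeline", "profile photos"),
    ("Seriously..", "See for yourself", ":/", "Have a look"),
)


def build_message_set(separator=" "):
    """Every lure the component can produce (4^4 = 256 sentences).

    Assumption: the parts are joined with single spaces; the page shows the
    columns but not the joiner."""
    return {separator.join(combo) for combo in product(*PARTS)}


def build_lure_regex():
    """One regex equivalent to the whole set, for a message scanner or DLP rule.

    Each column becomes a capturing alternation, so a match also tells you
    which phrase was picked from each column; any whitespace may separate them."""
    columns = ["(" + "|".join(re.escape(p) for p in col) + ")" for col in PARTS]
    return re.compile(r"\s+".join(columns), re.IGNORECASE)


LURE_RE = build_lure_regex()


def normalize(text):
    """Collapse runs of whitespace so line breaks or double spaces cannot defeat the match."""
    return re.sub(r"\s+", " ", text).strip()


def lure_column_choices(text):
    """The (part1, part2, part3, part4) phrases found in text, or None.

    Text after the sentence (the link to the ZIP) is ignored."""
    m = LURE_RE.search(normalize(text))
    return m.groups() if m else None


def is_lecpetex_lure(text):
    return lure_column_choices(text) is not None


if __name__ == "__main__":
    print(len(build_message_set()), "possible lures")
    print(lure_column_choices("I guess  somebody published your\ntimeline :/ http://example.invalid/doc.zip"))
```

The enumerated set is useful for exact-match lookups in a message store; the regex is the form to deploy in a scanner, because it tolerates the whitespace differences a real message will have.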
Sends spam email
TrojanDownloader:VBS/Lecpetex.A sends spam emails to addresses found in the Outlook address book of the infected system.
We have seen this spam email use the following format:
Subject: RE: Documents
Body: Here re the required documents you asked for.
Documents.zip
Keep me posted for any complaints or anything.
Thank you.
In the above example, Documents.zip is hyperlinked to a URL that downloads Lecpetex variants.
Downloads and runs other malware
TrojanDownloader:VBS/Lecpetex.A downloads Lecpetex components from multiple hard-coded Dropbox share links.
Additional information
The name Lecpetex is based on the mutex name the threat creates. The following string format used to generate the mutex was found in the code:
Trojan:Win32/Lecpetex.A checks whether the system it is running on is being monitored for security analysis or is being debugged.
It also checks whether it is running in a sandbox environment by inspecting the name of the logged-in user, comparing it against any of the following:
- ANUBIS
- MALWR
- SANDBOX
- VIRUS
It also inspects the file name and path it was launched from, checking whether they contain any of the following:
- ANUBIS
- MALWR
- SANDBOX
- \SAMPLE
- \VIRUS
The trojan checks for the following security analysis systems and tools:
- Sandbox files:
sbiedll.dll
%system%\drivers\VBoxMouse.sys
%system%\drivers\vmmouse.sys
%system%\drivers\vmhgfs.sys
- Export name wine_get_unix_file_name in kernel32.dll
- Value of registry entry HKCU\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id\Identifier if it is:
VBOX
VMWARE
QEMU
- Value of registry entry HKCU\HARDWARE\Description\System\SystemBiosVersion if it is:
VBOX
QEMU
- Registry keys:
HKCU\SOFTWARE\Oracle\VirtualBox Guest Additions
HKCU\SOFTWARE\VMware, Inc.\VMware Tools
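These checks can be turned around to audit an analysis VM: if the environment trips any of them, this sample (and other malware using the same list) will behave differently in it than on a victim's machine. The Python below is an added example, not the trojan's code, that evaluates the page's indicators against a snapshot of an environment; both snapshots are constructed for the example. It looks the registry paths up under HKLM with the key name "Logical Unit Id 0", which is where the HARDWARE hive and the VirtualBox/VMware tool keys exist on a standard Windows install (the page lists them under HKCU).

```python
# Indicators from the Lecpetex analysis, grouped by the check that uses them.
USERNAME_MARKERS = ("ANUBIS", "MALWR", "SANDBOX", "VIRUS")
PATH_MARKERS = ("ANUBIS", "MALWR", "SANDBOX", "\\SAMPLE", "\\VIRUS")
SANDBOXIE_DLL = "sbiedll.dll"             # injected into every sandboxed process
HYPERVISOR_DRIVERS = (
    r"%system%\drivers\VBoxMouse.sys",
    r"%system%\drivers\vmmouse.sys",
    r"%system%\drivers\vmhgfs.sys",
)
WINE_EXPORT = "wine_get_unix_file_name"    # only Wine's kernel32 exports this
# Registry locations. The page lists them under HKCU; on a standard Windows
# install the HARDWARE hive and these vendor keys are under HKLM and the SCSI
# key is "Logical Unit Id 0", so that is the form the snapshot uses.
SCSI_ID = r"HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0\Identifier"
BIOS_VER = r"HKLM\HARDWARE\Description\System\SystemBiosVersion"
SCSI_MARKERS = ("VBOX", "VMWARE", "QEMU")
BIOS_MARKERS = ("VBOX", "QEMU")
VENDOR_KEYS = (
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
)


def expand(path, system_dir):
    """Resolve the page's %system% placeholder to the real System32 directory."""
    return path.replace("%system%", system_dir)


def tripped_indicators(snap):
    """Return the Lecpetex checks that the environment described by snap fails.

    snap keys: username, exe_path, system_dir, files (existing paths),
    loaded_modules, kernel32_exports, registry_values (path -> data),
    registry_keys (existing keys). Substring checks are case-insensitive,
    matching how the markers are given in the analysis.
    """
    hits = []
    user = snap["username"].upper()
    hits += ["username:" + m for m in USERNAME_MARKERS if m in user]
    path = snap["exe_path"].upper()
    hits += ["path:" + m for m in PATH_MARKERS if m in path]
    if SANDBOXIE_DLL in {m.lower() for m in snap["loaded_modules"]}:
        hits.append("module:" + SANDBOXIE_DLL)
    files = {f.lower() for f in snap["files"]}
    hits += ["file:" + d for d in HYPERVISOR_DRIVERS
             if expand(d, snap["system_dir"]).lower() in files]
    if WINE_EXPORT in snap["kernel32_exports"]:
        hits.append("export:" + WINE_EXPORT)
    scsi = snap["registry_values"].get(SCSI_ID, "").upper()
    hits += ["scsi:" + m for m in SCSI_MARKERS if m in scsi]
    bios = snap["registry_values"].get(BIOS_VER, "").upper()
    hits += ["bios:" + m for m in BIOS_MARKERS if m in bios]
    hits += ["key:" + k for k in VENDOR_KEYS if k in snap["registry_keys"]]
    return hits


# Constructed snapshots: a default VirtualBox analysis VM that trips nearly
# everything, and a hardened one whose values look like a physical Dell PC.
SANDBOX_SNAPSHOT = {
    "username": "sandbox",
    "exe_path": r"C:\Users\sandbox\Desktop\sample\rnd.exe",
    "system_dir": r"C:\Windows\System32",
    "files": {r"C:\Windows\System32\drivers\VBoxMouse.sys"},
    "loaded_modules": {"ntdll.dll", "kernel32.dll", "SbieDll.dll"},
    "kernel32_exports": {"CreateFileW", "wine_get_unix_file_name"},
    "registry_values": {SCSI_ID: "VBOX HARDDISK", BIOS_VER: "VBOX   - 1"},
    "registry_keys": {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
}
HARDENED_SNAPSHOT = {
    "username": "jsmith",
    "exe_path": r"C:\Users\jsmith\Downloads\invoice.exe",
    "system_dir": r"C:\Windows\System32",
    "files": set(),
    "loaded_modules": {"ntdll.dll", "kernel32.dll"},
    "kernel32_exports": {"CreateFileW"},
    "registry_values": {SCSI_ID: "WDC WD10EZEX", BIOS_VER: "DELL   - 1072009"},
    "registry_keys": set(),
}

if __name__ == "__main__":
    for name, snap in (("sandbox VM", SANDBOX_SNAPSHOT), ("hardened VM", HARDENED_SNAPSHOT)):
        print(name + ":", tripped_indicators(snap) or "passes all checks")
```

To run this against a real host, fill the snapshot from getpass.getuser(), sys.executable, os.path.exists() on the expanded driver paths, winreg.QueryValueEx() for the two values and winreg.OpenKey() for the vendor keys, and, through ctypes, GetModuleHandleW for the Sandboxie DLL and GetProcAddress on kernel32 for the Wine export. Renaming the user and sample path, removing the guest-additions packages and patching the SCSI and BIOS strings are the changes that clear the checks listed here.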
Analysis by Zarestel Ferrer