Monday, December 23, 2024
HomeCyber AttackLu0Bot Node.js Malware Takes Complete Control Over Victim's Computer

Lu0Bot Node.js Malware Takes Complete Control Over Victim’s Computer

Published on

SIEM as a Service

Through strategies like polymorphic code, which continuously alters its appearance to prevent detection, as well as employing encryption and obfuscation to disguise its actions, malware is getting more complex and sneaky.

Additionally, to infiltrate systems and avoid detection by traditional security measures, malware increasingly leverages social engineering and advanced delivery methods, like- 

  • Spear-phishing
  • Zero-day exploits

Recently, cybersecurity researchers at Any.Run has examined a Node.js-based Lu0Bot malware sample that completely takes over the victim’s computer system.

- Advertisement - SIEM as a Service

Researchers were intrigued by Node.js malware, initially thought to be a basic DDOS bot but revealed as more complex. Node.js targets a versatile runtime environment used in modern web apps.

Lu0Bot Malware

Since this malware utilizing JavaScript employs multi-layer obfuscation techniques, that’s why it poses a distinctive detection challenge.

Lu0bot emerged in February 2021 as a GCleaner second-stage payload, functioning as a bot that awaits commands from a C2 server and sends encrypted system data.

The bot’s activity is modest, with 5-8 new monthly samples on dark marketplaces. 

As of now, only one new sample was uploaded in August, but there may be more dormant ones awaiting C2 commands, though this is speculative.

Despite limited activity, Lu0bot’s creative Node.js design sets it apart, with its capabilities bounded only by the language itself.

Due to the bot’s IP address issue, the security analysts were unable to find a live sample. However, a public sample connected, triggering:-

  • JavaScript
  • A new domain
  • Encrypted exchanges

Researchers quickly detected an SFX packer in the file, which acts as a self-extracting archive that is openable with any utility.

SFX-packer (Source – Any.Run)

While besides this, the archive contains a BAT file and more:-

  • BAT-file
  • Files eqnyiodbs.dat 
  • lknidtnqmg.dat file 
  • gyvdcniwvlu.dat file

The static analysis highlights the following things:-

  • EXE file
  • lknidtnqmg.dat

This malware stands out in how it constructs its domain, assembling it from parts in the JS code.

dns request
DNS requests (Source – Any.Run)

Security researchers received a JavaScript code that’s deeply obfuscated and unreadable.

unreadable code
Unreadable code (Source – Any.Run)

Researchers confirmed code readability after removing excess bytes and applying a JavaScript deobfuscator, resulting in this transformation:

transformed code
Transformed code (Source – Any.Run)

The code begins with an encrypted string array which:-

  • Undergoes manipulation
  • Decrypts using BASE64
  • URL encoding
  • RC4 with two variables

Capabilities of Lu0Bot

Here below, we have mentioned all the capabilities of Lu0Bot malware:-

  • Recording keystrokes 
  • Identity theft 
  • Gaining full control of the victim’s computer 
  • Functioning as a DDOS bot 
  • Using the compromised system for performing illegal activities

If Lu0bot’s campaign scales and the server becomes active, its distinctive use of NODE JS makes it an intriguing analysis subject with potential risks.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...