Through strategies like polymorphic code, which continuously alters its appearance to prevent detection, as well as employing encryption and obfuscation to disguise its actions, malware is getting more complex and sneaky.
Additionally, to infiltrate systems and avoid detection by traditional security measures, malware increasingly leverages social engineering and advanced delivery methods, like-
- Zero-day exploits
Recently, cybersecurity researchers at Any.Run has examined a Node.js-based Lu0Bot malware sample that completely takes over the victim’s computer system.
Researchers were intrigued by Node.js malware, initially thought to be a basic DDOS bot but revealed as more complex. Node.js targets a versatile runtime environment used in modern web apps.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Lu0bot emerged in February 2021 as a GCleaner second-stage payload, functioning as a bot that awaits commands from a C2 server and sends encrypted system data.
The bot’s activity is modest, with 5-8 new monthly samples on dark marketplaces.
As of now, only one new sample was uploaded in August, but there may be more dormant ones awaiting C2 commands, though this is speculative.
Despite limited activity, Lu0bot’s creative Node.js design sets it apart, with its capabilities bounded only by the language itself.
Due to the bot’s IP address issue, the security analysts were unable to find a live sample. However, a public sample connected, triggering:-
- A new domain
- Encrypted exchanges
Researchers quickly detected an SFX packer in the file, which acts as a self-extracting archive that is openable with any utility.
While besides this, the archive contains a BAT file and more:-
- Files eqnyiodbs.dat
- lknidtnqmg.dat file
- gyvdcniwvlu.dat file
The static analysis highlights the following things:-
- EXE file
This malware stands out in how it constructs its domain, assembling it from parts in the JS code.
The code begins with an encrypted string array which:-
- Undergoes manipulation
- Decrypts using BASE64
- URL encoding
- RC4 with two variables
Capabilities of Lu0Bot
Here below, we have mentioned all the capabilities of Lu0Bot malware:-
- Recording keystrokes
- Identity theft
- Gaining full control of the victim’s computer
- Functioning as a DDOS bot
- Using the compromised system for performing illegal activities
If Lu0bot’s campaign scales and the server becomes active, its distinctive use of NODE JS makes it an intriguing analysis subject with potential risks.