Lu0bot Malware, an Intriguing Threat Built on Node.JS


Cybercriminals use different strategies to profit from the systems they compromise and the data they steal. Some use that access to mount more elaborate attacks, while others try to cash out as quickly as possible. The latter group often resells access to infected machines to the highest bidder, and one of the most popular underground services for such purchases recently began distributing a new, previously unseen malware. The threat, dubbed Lu0bot Malware, appears to still be in development: long sections of its code are commented out, rendering them inert, and other parts consist of lengthy debugging routines.

The exact purpose of the Lu0bot Malware is not clear yet; its flexible structure and functionality may let it serve a variety of goals. The initial payload is a very small file written in C, and it has a peculiar job: it installs a very old version of Node.js (a 2016 release). Node.js is a JavaScript runtime rather than a framework, and it lets scripts run outside the browser with access to the file system, the network and child processes. The criminals rely on Node.js scripts to execute their malicious code on the systems they compromise, which is why deploying the runtime is the first stage of the attack.

Lu0bot Malware Focuses on Data Collection for Now

Once active, the Lu0bot Malware's complex structure comes into play. The payload carries a set of scripts that collect data about the infected machine. The information the criminals go after includes:

  • Running processes and services.
  • Contents of folders like My Documents, Desktop, Program Files, and others.
  • Network configuration.
  • List of hardware and software.
  • Attached peripherals.

The network channel the Lu0bot Malware uses is also unpredictable. Instead of relying on a conventional HTTP connection, the payload may switch between UDP and TCP. The cryptography it uses to obfuscate its communications and contents varies just as much: some sections of the code rely on the Blowfish cipher, others on simple XOR or AES-128-CBC, and Diffie-Hellman (a key-exchange mechanism rather than a cipher) appears as well. This mix makes dissecting and analyzing the payload a challenging task.

Last but not least, the Lu0bot Malware is able to receive new code from its command-and-control server in real time. Because the implant runs on a script runtime, delivering new functionality is a matter of sending it more JavaScript, so its capabilities are virtually unlimited: the operators can implement pretty much any feature they want. This modular structure makes Lu0bot Malware extra dangerous.
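Two details above are useful as hunting signals: the dropper plants an old Node.js runtime on the victim, and the scripts it runs can evaluate code handed to them at run time. The following Node.js script is an added example (not Lu0bot's code and not from the original article) of a simple triage heuristic over process telemetry. The record fields, the sample processes and the "older than v8" cut-off standing in for the 2016-era runtime are all assumptions made for the example.

```javascript
// Added hunting heuristic for the pattern described above (example code, not
// Lu0bot's own code): a Node.js runtime running from a user-writable directory,
// an outdated build, and command lines that evaluate code at run time.
// The record shape and the sample telemetry below are constructed.

// Directories a dropper can write to without elevation (Windows paths).
const USER_WRITABLE_DIR = /\\(AppData|Temp|ProgramData|Public|Downloads)\\/i;
// Assumption: anything older than Node.js v8 (2017) stands in for the
// 2016-era runtime the article mentions; adjust to your environment.
const MIN_EXPECTED_MAJOR = 8;
// Inline-code switches: node -e "<code>", --eval, -p, --print.
const INLINE_CODE_FLAG = /(^|\s)(-e|--eval|-p|--print)(\s|=)/;
// Constructs that turn a string into executable JavaScript at run time.
const DYNAMIC_EVAL = /\beval\s*\(|new\s+Function\s*\(|vm\.(runIn(New|This)Context|Script)\b/;

function isNodeImage(image) {
  return /(^|\\)node(\.exe)?$/i.test(image || '');
}

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec((text || '').trim());
  return m ? { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) } : null;
}

// Returns { pid, suspicious, reasons } for one process record.
function triageProcess(rec) {
  const reasons = [];
  if (!isNodeImage(rec.image)) {
    return { pid: rec.pid, suspicious: false, reasons };
  }
  if (USER_WRITABLE_DIR.test(rec.image)) {
    reasons.push('node binary runs from a user-writable directory');
  }
  const ver = parseVersion(rec.fileVersion);
  if (ver && ver.major < MIN_EXPECTED_MAJOR) {
    reasons.push(`outdated runtime ${rec.fileVersion}`);
  }
  const cmd = rec.cmdline || '';
  if (INLINE_CODE_FLAG.test(cmd)) {
    reasons.push('code passed inline on the command line');
  }
  if (DYNAMIC_EVAL.test(cmd)) {
    reasons.push('command line evaluates code at run time');
  }
  return { pid: rec.pid, suspicious: reasons.length > 0, reasons };
}

// Runs the heuristic over a batch of records and keeps only the hits.
function triageAll(records) {
  return records.map(triageProcess).filter((r) => r.suspicious);
}

// Constructed process telemetry for the example (not real sightings).
const SAMPLE_RECORDS = [
  { pid: 4120, image: 'C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe',
    fileVersion: '6.9.1',
    cmdline: '"C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe" "C:\\Users\\alice\\AppData\\Roaming\\nodejs\\app.js"' },
  { pid: 5532, image: 'C:\\Program Files\\nodejs\\node.exe',
    fileVersion: '14.17.0', cmdline: 'node.exe server.js' },
  { pid: 6018, image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe',
    fileVersion: 'v6.9.1',
    cmdline: 'node.exe -e "eval(require(\'fs\').readFileSync(\'stage2.js\', \'utf8\'))"' },
  { pid: 7200, image: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    fileVersion: '91.0.4472.124', cmdline: 'chrome.exe' },
];

for (const hit of triageAll(SAMPLE_RECORDS)) {
  console.log(`pid ${hit.pid}: ${hit.reasons.join('; ')}`);
}
```

Run with `node triage.js`; on the constructed records it reports pid 4120 (user-writable directory, outdated runtime) and pid 6018 (those two plus inline code and an eval call), and leaves the legitimately installed v14 runtime alone. A legitimate developer workstation will trip the directory rule with tools such as version managers, so treat the output as a lead to pivot on (parent process, network connections, script contents), not as a verdict.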

So far, the Lu0bot Malware's payloads have not been fully weaponized, but that is likely only a matter of time. The criminals behind this project are clearly knowledgeable and experienced, so their attacks could become a real problem. Secure your network and systems with up-to-date antivirus software, and apply the latest patches and updates to all software and hardware. Since the first stage of this attack is the installation of a Node.js runtime, a Node.js binary appearing on a machine where nobody installed one is also worth investigating.

July 2, 2021