Lu0bot Malware

Lu0bot Malware Description

Despite having been detected by the infosec community back in February 2021, a peculiar piece of malicious software remains an enigma whose capabilities are still unknown. Named the Lu0bot Malware, the threat was observed operating in connection with the GCleaner (Garbage Cleaner) load seller. In essence, GCleaner acts as a middleman in the cybercrime landscape. It is one of the numerous entities that compromise devices but, instead of escalating the attacks themselves, sell the established access or stolen user credentials to other hacker groups. Those clients can then exploit the acquired access for their own malicious ends.

Multi-Layered Anti-Analysis Techniques

Many malware threats are equipped with countermeasures against analysis, but the Lu0bot Malware appears to be on a whole other level. A researcher operating under the name Fumik0_ has attempted to shed some light on the inner workings of the threat by releasing a detailed report.

Initially, the Lu0bot Malware arrives on the targeted device as an extremely small C/C++ payload with a single developed function: executing a one-line JavaScript command via WinExec(). Its final goal is to retrieve and launch a Node.js runtime. After establishing the Node.js runtime on the breached device, Lu0bot executes a complex JavaScript codebase that hides the main functionality of the threat through various means. For example, the threat can switch randomly between UDP and TCP as the communication channel to its Command-and-Control (C2, C&C) server. In addition, it uses a wide set of cryptographic algorithms (XOR, AES-128-CBC, Diffie-Hellman and Blowfish) to protect different sections of its codebase.
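The behaviour described above (a tiny stub launching a dropped Node.js runtime with an inline script, which then talks to one host over both UDP and TCP) is visible in endpoint telemetry even when the JavaScript itself is obfuscated. The following is an added example, not code from the original article or from Fumik0_'s report: a small JavaScript heuristic that scores constructed Sysmon-style process-creation and network events. The PIDs, paths, IP addresses and the heuristics themselves are assumptions about how such a loader would appear in logs, not documented Lu0bot indicators.

```javascript
// Added example (not from the original article): heuristic detector for the
// Node.js-based loader pattern described above, run over CONSTRUCTED events.
// Paths, PIDs and IPs are made up; the rules are assumptions, not Lu0bot IoCs.

const SAMPLE_EVENTS = [
  // A small stub in %TEMP% launches a dropped Node.js runtime with an inline script.
  { type: "process", pid: 4120, ppid: 3988,
    image: "C:\\Users\\alice\\AppData\\Roaming\\nd\\node.exe",
    parentImage: "C:\\Users\\alice\\AppData\\Local\\Temp\\stub.exe",
    cmd: 'node.exe -e "<one-line script>"' },
  // A developer's node started by VS Code: nothing suspicious.
  { type: "process", pid: 5001, ppid: 2200,
    image: "C:\\Program Files\\nodejs\\node.exe",
    parentImage: "C:\\Program Files\\Microsoft VS Code\\Code.exe",
    cmd: "node.exe server.js" },
  // nvm-windows keeps node under %APPDATA%: user-writable path, but no inline eval.
  { type: "process", pid: 6100, ppid: 900,
    image: "C:\\Users\\alice\\AppData\\Roaming\\nvm\\v18.17.0\\node.exe",
    parentImage: "C:\\Windows\\System32\\cmd.exe",
    cmd: "node.exe build.js" },
  // The suspicious process reaches one host over both UDP and TCP on the same port.
  { type: "network", pid: 4120, proto: "udp", dst: "198.51.100.7", dport: 8080 },
  { type: "network", pid: 4120, proto: "tcp", dst: "198.51.100.7", dport: 8080 },
  { type: "network", pid: 5001, proto: "tcp", dst: "198.51.100.20", dport: 443 },
];

// Image name is node / node.exe regardless of directory.
function isNodeImage(image) {
  return /(^|[\\/])node(\.exe)?$/i.test(image);
}

// Node started with an inline script (-e/--eval/-p/--print) instead of a file.
function isInlineEval(cmd) {
  return /(^|\s)(-e|--eval|-p|--print)(\s|$)/i.test(cmd);
}

// Runtime binary living in a directory an unprivileged user can write to
// (assumed list; tune for your environment).
function isUserWritablePath(p) {
  return /\\(AppData|Temp|ProgramData|Users\\Public)\\/i.test(p);
}

// Returns one finding per flagged PID: { pid, severity, reasons }, sorted by PID.
function detectNodeLoader(events) {
  const reasons = new Map();          // pid -> Set of reason strings
  const nodePids = new Set();         // PIDs whose image is a Node.js runtime
  const transports = new Map();       // pid -> Map("dst:port" -> Set(proto))
  const add = (pid, r) => {
    if (!reasons.has(pid)) reasons.set(pid, new Set());
    reasons.get(pid).add(r);
  };

  for (const ev of events) {
    if (ev.type === "process" && isNodeImage(ev.image)) {
      nodePids.add(ev.pid);
      if (isInlineEval(ev.cmd)) add(ev.pid, "node_inline_eval");
      if (isUserWritablePath(ev.image)) add(ev.pid, "node_from_user_writable_path");
    } else if (ev.type === "network") {
      const key = `${ev.dst}:${ev.dport}`;
      if (!transports.has(ev.pid)) transports.set(ev.pid, new Map());
      const perDst = transports.get(ev.pid);
      if (!perDst.has(key)) perDst.set(key, new Set());
      perDst.get(key).add(ev.proto.toLowerCase());
    }
  }

  // Only Node.js processes are scored on transport mixing: plenty of ordinary
  // software uses UDP and TCP to the same host (DNS resolvers, for instance).
  for (const [pid, perDst] of transports) {
    if (!nodePids.has(pid)) continue;
    for (const [key, protos] of perDst) {
      if (protos.has("udp") && protos.has("tcp")) add(pid, `mixed_udp_tcp_to_${key}`);
    }
  }

  return [...reasons]
    .map(([pid, set]) => ({
      pid,
      severity: set.size >= 2 ? "high" : "low",   // one weak signal alone is only "low"
      reasons: [...set].sort(),
    }))
    .sort((a, b) => a.pid - b.pid);
}

console.log(JSON.stringify(detectNodeLoader(SAMPLE_EVENTS), null, 2));
```

Run with `node detect.js`. PID 4120 collects all three signals and is rated high; the nvm-managed runtime (PID 6100) trips only the user-writable-path rule and stays low, which is why the score requires corroborating signals rather than firing on a single one.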

Dynamic Internal Structure

Arguably the most impressive feature of Lu0bot is that the threat actor can adjust it dynamically: the threat receives classes and variables in real time from its C2 server. This dynamic structure prevents researchers from discerning the main functionality, and thus the goals, of the threat actor. What has been determined so far is that Lu0bot is extremely effective at gathering system details and information about the compromised systems. However, this behavior is shared by most modern malware and provides no insight into the goals of this particular threat actor. In fact, the dynamic internal structure could prevent researchers from ever discerning the full capabilities of Lu0bot. The threat could carry functions from a wide range of malware categories, from a simple loader to an infostealer, backdoor or potent remote access Trojan.