Meet Lu0Bot — a stealthy hunter in the world of web applications


An unusual combination of Node.js and obfuscated JavaScript has attracted the attention of analysts.

Malware developers increasingly turn to less common runtimes and languages to slip past detection systems tuned for conventional executables. One example of this trend is Lu0Bot, a malware family written for Node.js.

Lu0Bot poses a threat to organizations and individuals alike: it rides on a runtime that is ubiquitous in modern web development and hides its logic behind several layers of obfuscation. Its activity is currently low, but that may simply mean its operators are waiting for the right moment to launch a larger campaign.

A team of analysts from ANY.RUN conducted an in-depth technical analysis of one of the latest Lu0Bot samples. The study revealed the following:
  1. Static analysis showed that the sample was packed with an SFX (self-extracting) archive. The archive contained a BAT file, which in turn launched an executable that embeds the Node.js interpreter.
  2. Dynamic analysis in the sandbox showed that, on execution, the main process launched the BAT file, which then launched the EXE. The executable accepted encrypted JavaScript as input and collected system data via WMIC, including the location from which the process was running; this maps to MITRE ATT&CK technique T1047 (Windows Management Instrumentation).
  3. Technical analysis with a disassembler and debugger allowed the main JavaScript code to be deobfuscated and examined in detail. The malware collects system information into an array of 15 elements, performs several further operations, then packs the required elements into a JSON object and sends it to the attacker's server.
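The execution chain in steps 1 and 2 (SFX archive, BAT script, bundled executable, WMIC reconnaissance) is itself a detection opportunity. The following is an added example, not code from ANY.RUN's report or its published Sigma rules: it walks Sysmon Event ID 1-style process-creation records and flags a WMIC process whose parent is a non-shell executable launched by cmd.exe running a .bat or .cmd file. The file names, paths and WMIC query in the sample telemetry are constructed for the demo and are not indicators from the real sample.

```python
"""Detection sketch for the Lu0Bot-style execution chain: a BAT script
(from the SFX archive) launches an executable, which then runs WMIC for
system reconnaissance (ATT&CK T1047).

Added example, not code from ANY.RUN's report.  Works on Sysmon Event
ID 1-style records (ProcessId, ParentProcessId, Image, CommandLine).
All sample telemetry below is constructed; names and paths are assumed."""

import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# WMIC launched directly by an interactive shell is the normal admin
# pattern, so this rule deliberately does not flag it.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BAT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon "Image")
    cmdline: str    # Sysmon "CommandLine"


def basename(image: str) -> str:
    # ntpath handles Windows separators regardless of the host OS
    return ntpath.basename(image).lower()


def find_bat_exe_wmic_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per WMIC process whose parent is a non-shell
    executable that was itself started by cmd.exe running a .bat/.cmd."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for e in events:
        if basename(e.image) != "wmic.exe":
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) in SHELLS:
            continue  # no ancestry available, or ordinary shell-launched WMIC
        grand: Optional[ProcEvent] = by_pid.get(parent.ppid)
        if grand is None or basename(grand.image) != "cmd.exe":
            continue
        if not BAT_RE.search(grand.cmdline):
            continue  # cmd.exe was not running a batch script
        findings.append({
            "wmic_pid": e.pid,
            "wmic_cmdline": e.cmdline,
            "exe_image": parent.image,
            "bat_cmdline": grand.cmdline,
            "technique": "T1047",
        })
    return findings


# Constructed sample telemetry (not real Lu0Bot artefacts).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    # hypothetical SFX stub opened by the user
    ProcEvent(200, 100, r"C:\Users\u\Downloads\invoice.exe", "invoice.exe"),
    # the SFX runs its BAT script via cmd.exe
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\sfx\run.bat"'),
    # the BAT launches the bundled Node-based executable (assumed name)
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\sfx\node.exe",
              r"node.exe C:\Users\u\AppData\Local\Temp\sfx\payload.js"),
    # WMIC asking where the process runs from (illustrative query)
    ProcEvent(500, 400, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic process where processid=400 get executablepath"),
    # benign: an admin runs WMIC from an interactive prompt
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption"),
]

if __name__ == "__main__":
    for finding in find_bat_exe_wmic_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample telemetry, the rule produces exactly one finding (the chain cmd.exe running run.bat, then node.exe, then WMIC) and leaves the admin's interactive WMIC call alone. In a real deployment the same logic would be expressed as a Sigma process_creation rule keyed on ParentImage and the grandparent's CommandLine, with the user-writable path of the intermediate executable as an additional scoring signal.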

As part of this work, numerous indicators of compromise were identified, and YARA, Sigma and Suricata rules were written. All results have been integrated into ANY.RUN, so the platform can now recognize Lu0Bot samples.

In summary, Lu0Bot is an unusual piece of malware that combines Node.js with executable JavaScript code. It has a distinctive domain structure and uses its own string-encryption scheme. Although its activity is currently low, Lu0Bot may pose a significant risk in the future.