Mysterious Node.js malware puzzles security researchers

Almost four months after it was first spotted in the wild, the infosec community is still scratching its head in regards to the purpose of a new malware strain named Lu0bot.

A recent deep-dive into the malware's internals, authored by a security researcher named Fumik0_, has shed some light on its clever inner-workings but has not yet unearthed Lu0bot's primary functionality.

  • The malware was first spotted in February 2021, being installed as a second-stage payload via GCleaner, a shady software maker that has been seen renting access to users' devices to malware groups.
  • Lu0bot starts out as a tiny C/C++ piece of code, but it downloads and installs the Node.js server on infected systems and then uses a complex set of multi-layered JavaScript code to hide its purpose and functionality and confuse reverse engineers.
  • Some of its technical quirks include randomly switching from UDP to TCP and vice versa as its command and control communications channel.
  • Another technical quirk is the usage of multiple and very different encryption algorithms across its codebase, such as XOR, AES-128-CBC, Diffie-Hellman, and Blowfish.
  • The malware can also receive classes and variables in real-time from its C&C server, a feature that has helped it hide its full capabilities.
  • The only functionality observed in the code is that Lu0bot is very good at harvesting data and information about the infected systems, but this type of behavior is usually present in most malware strains these days.
  • Fumik0_, the security researcher behind the first Lu0bot analysis, said the malware's dynamic internal structure means that Lu0bot could be anything from a backdoor to a remote access trojan, or from a simple loader to an infostealer and that a final conclusion on what Lu0bot was designed to do is still not possible.

Currently, it seems that lu0bot is pushed by the well-known load seller Garbage Cleaner on EU/US Zones irregularly with an average of possible 600-1000 new bots (each wave), depending on the operator(s) and days. 


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

No previous article
No new articles