One piece of malware has been particularly hard for security researchers to pin down. Almost four months after it was first spotted in the wild, it is still unclear what its main purpose is.
The mysterious and highly sophisticated piece of malware is called Lu0bot and was first analyzed by a security researcher who goes by the name Fumik0_. The recently published analysis sheds some light on Lu0bot’s inner workings, but not on its primary functionality.
Fumik0_ discovered the first known sample in February 2021, when it was being installed as a second-stage payload by GCleaner, a system-cleaner application. The developer of this application is known to have been renting access to users’ devices to malware groups.
Lu0bot has multiple modules. The first one is written in C/C++ and downloads and installs Node.js on infected systems. The bot then uses a complex set of JavaScript code to hide its intended purpose and functionality.
Among its technical quirks is a command-and-control communications channel that randomly switches between UDP and TCP.
Another is that its codebase uses several cryptographic primitives, including XOR, AES-128-CBC, Diffie-Hellman, and Blowfish.
The feature that helps it evade reverse engineering is its ability to fetch classes and variables from its C&C server at runtime.
The only functionality observed in the code so far is that Lu0bot can collect data and information about an infected system.
Fumik0_ said that Lu0bot’s dynamic internal structure makes it hard to pinpoint its intended function, and that it could be anything from a backdoor to a remote access trojan.
“Currently, it seems that lu0bot is pushed by the well-known load seller Garbage Cleaner on EU/US Zones irregularly with an average of possible 600-1000 new bots (each wave), depending on the operator(s) and days,” Fumik0_ says.