Today, more and more malware authors are turning to unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend.
By targeting a platform-agnostic runtime environment common in modern web applications and using multi-layer obfuscation, Lu0Bot is a serious threat to organizations and individuals.
Although the malware currently shows very low activity, the attackers are most likely waiting for the right moment to strike.
To be prepared for any future scenario, a team of analysts carried out an in-depth technical analysis of one of the recent samples of Lu0Bot and published an article documenting their process.
Here is an overview of their research.
Static analysis of the Lu0Bot sample
The sample under investigation used an SFX packer, a self-extracting archive that can be opened with any archive utility. Its contents were examined individually.
1. BAT file
The content of the BAT file
The first line of the file contained a comment that remained unclear and was not referenced later.
Next, the EXE file bundled multiple files, among them a Node interpreter named fjlpexyjauf.exe.
Then the interpreter received a file of bytes and a number (%1% in the screenshot) that likely served as the encryption key for the byte file.
2. eqnyiodbs.dat files
The file was split into byte blocks, which were then merged to produce the Node interpreter.
Contents of the eqnyiodbs files
3. lknidtnqmg.dat file
This file contained encrypted bytes in Base64, which could be decrypted using the supplied input number.
Contents of the lknidtnqmg.dat file
4. gyvdcniwvlu.dat file
This driver allowed 32-bit programs on x64 systems to convert key scan codes into Unicode characters, likely used for keylogging functionality in the main process.
Dynamic malware analysis of Lu0Bot in ANY.RUN
The next step involved examining the EXE file and lknidtnqmg.dat in the ANY.RUN interactive malware sandbox to observe their behavior and either decrypt the bytes or locate them already decrypted in process memory.
The analysis revealed that, upon execution, the main process started a BAT file that launched an EXE file. The code accepted encrypted JS input and gathered system information using WMIC, including information about the process execution location, which aligns with the MITRE technique T1047.
The process tree during sample execution
It was found that the interpreter was copied to the Startup folder. The connection to the domain persisted after the system restarted, allowing the bot to remain operational.
Additionally, the malware showed an unusual approach to domain connection by assembling multiple parts into a single domain inside the JS code.
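The behavior chain observed in the sandbox (BAT file launching a renamed Node interpreter, WMIC-based system discovery, and a copy of the interpreter placed in the Startup folder) is a detection opportunity. The script below is an added example, not ANY.RUN's Sigma or YARA rules and not code from the analysis: it runs three checks over constructed, Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. It assumes that the renamed interpreter keeps Node's version-info `OriginalFileName` of `node.exe`, which Sysmon logs alongside the on-disk image name; the paths, PIDs and command lines are made up, while the interpreter name fjlpexyjauf.exe and the Startup-folder copy come from the analysis above.

```python
import ntpath

# Constructed Sysmon-style events. Field names follow Sysmon's Event ID 1 (ProcessCreate)
# and Event ID 11 (FileCreate) schema; paths, PIDs and command lines are made up.
EVENTS = [
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "OriginalFileName": "EXPLORER.EXE", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Users\u\Downloads\invoice.exe",
     "OriginalFileName": "", "CommandLine": "invoice.exe"},                       # the SFX dropper
    {"EventID": 1, "ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r'cmd /c "C:\Users\u\AppData\Local\Temp\sfx\run.bat"'},
    {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Users\u\AppData\Local\Temp\sfx\fjlpexyjauf.exe",
     "OriginalFileName": "node.exe",                                             # assumption: version info kept
     "CommandLine": "fjlpexyjauf.exe lknidtnqmg.dat 12345"},
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 400, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic os get caption"},
    {"EventID": 11, "ProcessId": 400, "Image": r"C:\Users\u\AppData\Local\Temp\sfx\fjlpexyjauf.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fjlpexyjauf.exe"},
    # Benign control cases: a stock Node.js install and an admin running WMIC from a console.
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 100, "Image": r"C:\Program Files\nodejs\node.exe",
     "OriginalFileName": "node.exe", "CommandLine": "node build.js"},
    {"EventID": 1, "ProcessId": 700, "ParentProcessId": 100, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic os get caption"},
]

STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def build_process_table(events):
    """Index ProcessCreate events by PID so parent chains can be walked."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def is_renamed_node(proc):
    """Version info still says node.exe, but the file on disk is called something else."""
    return (proc["OriginalFileName"].lower() == "node.exe"
            and ntpath.basename(proc["Image"]).lower() != "node.exe")


def ancestors(pid, table):
    """Yield the process record for pid and each parent up the chain (cycle-safe)."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        proc = table[pid]
        yield proc
        pid = proc["ParentProcessId"]


def detect(events):
    """Return (rule name, PID) findings for the three behaviors seen in the sandbox run."""
    table = build_process_table(events)
    findings = []
    for proc in table.values():
        parent = table.get(proc["ParentProcessId"], {})
        # Renamed Node interpreter started by the BAT file's cmd.exe.
        if is_renamed_node(proc) and ntpath.basename(parent.get("Image", "")).lower() == "cmd.exe":
            findings.append(("renamed Node interpreter launched by cmd.exe", proc["ProcessId"]))
        # WMIC system discovery (T1047) anywhere beneath a renamed Node interpreter.
        if ntpath.basename(proc["Image"]).lower() == "wmic.exe":
            if any(is_renamed_node(a) for a in ancestors(proc["ParentProcessId"], table)):
                findings.append(("T1047 WMI discovery under renamed Node interpreter", proc["ProcessId"]))
    for e in events:
        # The interpreter writing itself into the per-user Startup folder.
        if e["EventID"] == 11 and STARTUP_MARKER in e["TargetFilename"].lower():
            writer = table.get(e["ProcessId"])
            if writer and is_renamed_node(writer):
                findings.append(("Startup-folder persistence by renamed Node interpreter", e["ProcessId"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"[alert] pid={pid}: {rule}")
```

The two benign records show why the parent chain matters: a stock `node.exe` and a WMIC query typed by an administrator produce no alert, while the same WMIC command under the renamed interpreter does. In a real deployment the `OriginalFileName` check would be one signal among several, since a packer that strips version info would defeat it on its own.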
Technical analysis of Lu0Bot malware using a disassembler and debugger
To reach the main JS code, the team:
- Unpacked the SFX archive
- Ran a command to obtain the Node.js file
- Launched fjlpexyjauf.exe in x32dbg, passing the incoming data on the command line
- Stepped to the point where JS code execution started
- Located the code in memory and saved a dump
To see how the unpacking and dump extraction were carried out, refer to the original article. For this overview, let's focus on the code analysis.
Analyzing the JS code
Result of code transformation
The code began with an array of encrypted strings. Then specific elements were moved to the end of the array through manipulation. After that, a function was used to decrypt the array strings using an alternate form of Base64 (T1132.002), followed by URL encode-decode, and finally RC4.
This function was called with two arguments:
1. An element from the array.
2. The RC4 key.
With the help of a custom script, the strings were decrypted, revealing that portions of the domains were hard-coded into the sample.
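The three-layer string encoding described above (alternate Base64, then URL encode-decode, then RC4, with the decoder called on an array element and the RC4 key after the array has been rotated) can be undone with a short script. The one below is an added illustration, not the analysts' script and not Lu0Bot's code: the "alternate" alphabet is modelled as a shuffled standard alphabet, and the RC4 key, rotation count and encrypted strings are constructed here, so a real sample's alphabet, key and rotation would have to be lifted from the decoder function in the memory dump.

```python
import base64
import string
from urllib.parse import quote, unquote_to_bytes

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Assumption: the alternate Base64 is a custom alphabet; reversed here for demonstration.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
DEMO_KEY = b"demo-rc4-key"   # constructed key, not the sample's
ROTATION = 3                 # constructed rotation count


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def custom_b64decode(text: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally."""
    return base64.b64decode(text.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)))


def custom_b64encode(data: bytes) -> str:
    """Inverse of custom_b64decode; used only to build fixtures for the decryptor."""
    standard = base64.b64encode(data).decode("ascii")
    return standard.translate(str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))


def decrypt_string(element: str, key: bytes) -> str:
    """Mirror of the decoder's two-argument call: (array element, RC4 key)."""
    percent_encoded = custom_b64decode(element)       # layer 1: alternate Base64
    ciphertext = unquote_to_bytes(percent_encoded)    # layer 2: URL decode
    return rc4(key, ciphertext).decode("utf-8")       # layer 3: RC4


def encrypt_string(plaintext: str, key: bytes) -> str:
    """Inverse pipeline, used only to construct test data for the decryptor."""
    ciphertext = rc4(key, plaintext.encode("utf-8"))
    return custom_b64encode(quote(ciphertext, safe="").encode("ascii"))


def rotate(array: list, count: int) -> list:
    """Move the first `count` elements to the end, as the sample does before lookups."""
    count %= len(array)
    return array[count:] + array[:count]


def deobfuscate_array(array: list, key: bytes, rotation: int) -> list:
    """Undo the rotation, then decrypt every element; returns the cleartext table."""
    return [decrypt_string(e, key) for e in rotate(array, rotation)]


# Constructed cleartext table and the encrypted array as it would sit in the script:
# stored in rotated order, so the decoder has to rotate it back by ROTATION first.
PLAINTEXTS = ["fromCharCode", "example-c2.invalid", "443", "wmic", "userInfo"]
ENCRYPTED_ARRAY = rotate([encrypt_string(p, DEMO_KEY) for p in PLAINTEXTS],
                         len(PLAINTEXTS) - ROTATION)

if __name__ == "__main__":
    for index, value in enumerate(deobfuscate_array(ENCRYPTED_ARRAY, DEMO_KEY, ROTATION)):
        print(index, repr(value))
```

Against a real dump the workflow is the same: copy the encrypted array out of the script, read the alphabet and key out of the decoder function, and replace the constructed values above; the decrypted table is then where the hard-coded domain fragments show up.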
After code deobfuscation
Following that, the section of code responsible for assembling the domain was discovered.
To debug, the team used Node.js with its inspect-brk parameter (node.exe --inspect-brk *obfuscated dump without garbage bytes*), placing a breakpoint on the "var" keyword and observing the output produced by each line.
It was found that the first function (ginf) gathered system information and created a 15-element array with system details.
An array containing the output of the ginf function
The second function (hwco) used the 15-element array from the ginf function as input and produced an output that formed the tail end of the domain up to the dot. Further analysis revealed that this output was a hash of the collected system data.
String output from the hwco function
The port, number, and domain segment after the dot were extracted from the acc array and then assigned to variables.
Extracting elements from the acc array
A random number was appended to the domain segment after the dot. The next line selected an alternative domain if certain conditions were met.
Selecting the domain after the dot
After several other operations, the domain was fully assembled, and all necessary elements were packed into a JSON object.
After execution, the malware searched for an address for data transmission. Once the server received the traffic, it sent back JS code.
As part of their effort, the team uncovered a wealth of intelligence and IOCs, and also wrote YARA, Sigma, and Suricata rules. You can find them in the report.
All of the findings were incorporated into ANY.RUN, enabling the service to quickly identify any Lu0Bot sample and reveal C2 domains after decrypting strings.
Lu0bot is an unconventional malware that combines Node.js and executable JS code. It has a distinctive domain structure and uses custom encryption methods for strings.
Although it currently shows a low level of activity, Lu0bot can pose a significant threat if its campaign scales and the C2 server starts actively responding.
Protect your organization from this and other malware by using ANY.RUN to quickly analyze any suspicious files or links and get a conclusive verdict in seconds.