Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Lu0Bot

110
Global rank
120 infographic chevron month
Month rank
114 infographic chevron week
Week rank
0
IOCs

Lu0Bot is a Node.js malware that was first discovered in February 2021. It is a type of Trojan that primarily acts as a stealer by responding to commands from a command-and-control (C2) server and transmitting encrypted system data. It can also operate as a DDoS bot. Lu0Bot employs multiple obfuscation techniques to avoid detection and make analysis more difficult.

Trojan
Type
Unknown
Origin
1 February, 2021
First seen
11 September, 2024
Last seen

How to analyze Lu0Bot with ANY.RUN

Type
Unknown
Origin
1 February, 2021
First seen
11 September, 2024
Last seen

IOCs

IP addresses
45.141.26.119
45.141.27.41
5.188.206.211
Domains
d9500682396017175017969210108a04a635094d7af3f018356690047bce5.aoa.aent78.sbs
e38ee82150cc00a8627814c6.bag.sack54.net
230927151335115.mxb.ewk48.shop
ps1-local.com
ewk48.shop
mxb.ewk48.shop
fast-difficult.monster
hri1.xyz
ioc39.shop
hri3.xyz
irj55.shop
hri10.xyz
xjl92.shop
dmz24.fun
juz09.cfd
olo57.shop
tes06.xyz
xlf07.shop
vij68.fun
9ad3a65b61891639132275091.qpi.nkn61.shop
Last Seen at
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 263
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1376
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1819
comments 0

What is Lu0Bot malware?

Lu0Bot is a trojan that was first observed in 2021. Although less widely used than other trojan malware, such as Agent Tesla, it has the potential to inflict serious damage on infected systems.

A notable feature of Lu0Bot is its use of Node.js, an unusual programming language choice for malware. However, this unconventional approach provides Lu0Bot with versatility compared to most malicious programs that are usually developed using the .NET framework, which is limited to Windows systems.

Despite being a highly capable threat, Lu0Bot has a relatively low level of activity. Currently, its primary function is data harvesting, but it can also be used as a DDoS attack bot and may have other capabilities.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the Lu0Bot malicious software

Once Lu0Bot is fully deployed on the system, it can engage in:

  • Keystroke recording: It can perform keylogging and record the keys that are pressed by the user, for instance, when they enter their login credentials.
  • Identity theft: It can steal the victim’s personal information, including credit card numbers and other sensitive data.
  • System control: Using Lu0Bot, attackers can execute a wide variety of activities, as the malicious software is capable of establishing near-full control over the device.
  • DDoS attacks: The malware can exploit the compromised system and use it to participate in a distributed denial-of-service (DDoS) attack.

Lu0Bot is highly obfuscated, meaning that its code is deliberately made difficult to read and understand in order to prevent or obstruct analysis. It uses several encryption algorithms, including custom ones.

By comparing Lu0Bot samples from 2021 and 2023, it becomes clear that the software is being continuously updated by its developers.

Read a detailed analysis of a Lu0Bot sample in our blog.

Execution process of Lu0Bot

In order to see how Lu0Bot operates and collect up-to-date IOCs, let’s examine one of its samples in the ANY.RUN sandbox.

Analyze malware for free in a fully interactive cloud sandbox – sign up now!

The execution chain of this malware family is relatively straightforward. After the payload executes, it uses CMD to copy and initiate the main malware process. This process is responsible for carrying out all malicious activities, including data theft, C&C server communication, and, in this case, gathering process information using WMIC.EXE.

Lu0botprocess tree shown in ANY.RUN Lu0Bot's process tree demonstrated in ANY.RUN

Distribution methods of the Lu0Bot malware

In the early days, Lu0Bot was primarily dropped by GCleaner, a specialized software for deploying second-stage payloads. Yet, today, the main method of delivery for this malware is phishing emails. Essentially, attackers employ various social engineering techniques in order to get their victims to download malicious email attachments or open unsafe links and trigger the infection chain reaction on their systems.

Conclusion

Despite being a known threat, the true scale of Lu0Bot's operations remains unknown. This makes it a dangerous malware capable of dealing a significant blow to any infrastructure, if not addressed proactively. Therefore, organizations must implement proper security measures to prepare for Lu0Bot attacks.

One of the most effective ways to prevent a Lu0Bot attack is to check any incoming files and links, especially those sent by unknown senders, in the ANY.RUN sandbox. It is a malware sandbox that lets you quickly understand if the file or link your are dealing with is malicious or not.

ANY.RUN is fully interactive, enabling you to engage with the infected system like you would on your own computer but in a safe cloud environment to fully understand the behavior of the malware. It also provides comprehensive reports that include IOCs and malware configs.

Try ANY.RUN for free – request a demo!.

HAVE A LOOK AT

Meduza Stealer screenshot
Meduza Stealer is an information-stealing malware primarily targeting Windows systems, designed to harvest sensitive data such as login credentials, browsing histories, cookies, cryptocurrency wallets, and password manager data. It has advanced anti-detection mechanisms, allowing it to evade many antivirus programs. The malware is distributed through various means, including phishing emails and malicious links. It’s marketed on underground forums and Telegram channels.
Read More
MetaStealer screenshot
MetaStealer
metastealer
MetaStealer is an info-stealing malware primarily targeting sensitive data like login credentials, payment details, and browser history. It typically infects systems via phishing emails or malicious downloads and can exfiltrate data to a command and control (C2) server. MetaStealer is known for its stealthy techniques, including evasion and persistence mechanisms, which make it difficult to detect. This malware has been actively used in various cyberattacks, particularly for financial theft and credential harvesting from individuals and organizations.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More