LucidRook Malware Delivered by Fake Security Software in Taiwan
Key Takeaways
- A new, sophisticated malware, LucidRook, is actively targeting organizations in Taiwan.
- Attackers are using highly convincing fake security software and spearphishing tactics to deliver the malware.
- The campaign primarily targets Taiwanese non-governmental organizations (NGOs) and universities.
- LucidRook utilizes a Lua-based stager and a reconnaissance tool, LucidNight, indicating a deliberate, tiered attack strategy.
Sophisticated LucidRook Malware Targets Taiwanese Entities via Fake Security Software
A recently identified malware strain, dubbed LucidRook, is actively being deployed against organizations across Taiwan. Threat actors are employing advanced deception techniques, embedding this potent malware within what appears to be legitimate security software, according to a detailed analysis.
The attackers have meticulously crafted their malicious payload to mimic well-known cybersecurity products. This includes forging application icons and names to enhance credibility and trick unsuspecting victims into executing the malware. The sophisticated nature of the campaign points to a highly organized and targeted operation.
Targeted Spearphishing Campaign
The campaign specifically targets Taiwanese non-governmental organizations and academic institutions, primarily universities. Attackers initiate the compromise chain through spearphishing emails containing shortened URLs. These URLs direct recipients to password-protected compressed archives, a common tactic to bypass email security filters.
Inside these archives, victims find highly credible decoy documents. One notable example is an official letter purportedly issued by the Taiwanese government to universities, a lure designed to significantly increase the perceived legitimacy of the malicious package.
All communication, including the spearphishing emails and the decoy materials, is written in Traditional Chinese. This linguistic specificity strongly suggests that the campaign is meticulously localized and deliberately aimed at a Taiwanese audience.
Cisco Talos Uncovers the Threat
Researchers at Cisco Talos were instrumental in uncovering this activity, identifying a cluster of attacks attributed to a threat group tracked as “UT.” The group’s spearphishing efforts against Taiwanese NGOs and universities were specifically designed to deliver LucidRook. This malware is distinguished by its Lua-based architecture and a multi-layered design, showcasing a high level of technical sophistication.
The investigation revealed LucidRook as a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a Windows DLL. This complex engineering allows for flexible and evasive execution on compromised systems.
Beyond LucidRook, researchers also identified a companion reconnaissance tool named LucidNight. The presence of LucidNight indicates a tiered toolkit, suggesting that threat actors likely use it to profile targets and gather intelligence before initiating a full-scale LucidRook deployment. Cisco Talos assesses with medium confidence that this activity represents a targeted intrusion rather than an opportunistic malware distribution.
Infection Mechanism and Persistence
The infection process begins when a victim opens a spearphishing email and downloads a password-protected archive. The dropper, named LucidPan, is disguised as a legitimate Trend Micro security product, complete with a forged icon and application name. LucidPan also drops decoy documents, such as the government-issued letter mentioned earlier, to distract the victim while the malicious payload executes silently in the background.
Once on the system, LucidPan abuses a legitimate Windows binary associated with the Deployment Image Servicing and Management (DISM) framework. It relies on DLL search order hijacking: a malicious DLL named DismCore.dll (the LucidRook stager) is dropped into a hidden directory alongside the legitimate executable, index.exe. When the victim clicks the disguised LNK file, index.exe runs and loads the malicious DismCore.dll from its own directory instead of the genuine system copy.
Persistence is achieved by placing an LNK file in the Windows Startup folder. After the malicious binaries are dropped, this LNK file launches a binary named msedge.exe, impersonating Microsoft Edge to blend in with normal system activity. The stager, DismCore.dll, is written to the %APPDATA% directory, where it is hidden to avoid immediate detection.
Before establishing communication with its command-and-control (C2) infrastructure, LucidRook meticulously gathers system information. This includes the username, computer name, drive details, a list of running processes, and installed software. This collected data is then stored in three encrypted files—1.bin, 2.bin, and 3.bin—which are subsequently packaged into a password-protected archive using RSA keys.
The stager then communicates with compromised FTP servers, which belong to Taiwanese printing companies whose credentials were publicly accessible on their websites. It uploads the collected data and retrieves an encrypted Lua bytecode payload. To further complicate analysis, LucidRook employs a non-standard safe mode that disables dynamic library loading and utilizes a sophisticated string obfuscation scheme, employing a parallel lookup table to conceal embedded strings during runtime.
What You Should Do
- Enhance Email Security: Implement robust email filtering solutions to detect and block spearphishing attempts, especially those containing shortened URLs or password-protected archives.
- User Awareness Training: Conduct regular training for employees and students on identifying sophisticated phishing schemes, social engineering tactics, and the dangers of opening suspicious attachments or links.
- Monitor for Anomalous Activity: Continuously monitor for unusual DLL sideloading events and processes launched from the %APPDATA% directory, as these are indicators of compromise.
- Secure FTP Servers: Review and secure all FTP servers, ensuring that credentials are not publicly exposed and that strong authentication measures are in place.
- Deploy Detection Rules: Implement and regularly update Snort detection rules released by Cisco Talos for LucidRook, LucidPan, and related components to identify and block malicious network activity.
- Endpoint Detection and Response (EDR): Utilize EDR solutions to gain visibility into endpoint activities and detect suspicious behaviors that may indicate malware execution.
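As an added illustration (not code from this report or from Cisco Talos), the following Python sketch applies the two monitoring recommendations above to constructed, simplified log lines: it flags DismCore.dll image loads from outside the Windows system directories and msedge.exe launches from a user's AppData path. The pipe-delimited log format, the sample paths, and the per-user allow-list are assumptions to adapt to your own telemetry.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry in a simplified, hypothetical pipe-delimited format:
# event type | process image | loaded DLL (empty for ProcessCreate). Paths are made up.
SAMPLE_EVENTS = """\
ImageLoad|C:\\Windows\\System32\\Dism.exe|C:\\Windows\\System32\\Dism\\DismCore.dll
ImageLoad|C:\\Users\\alice\\AppData\\Roaming\\svc\\index.exe|C:\\Users\\alice\\AppData\\Roaming\\svc\\DismCore.dll
ProcessCreate|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|
ProcessCreate|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\msedge.exe|
ProcessCreate|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe|
"""

# Directories where Windows legitimately keeps DismCore.dll.
TRUSTED_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Binary names that should not be launching from a user-writable AppData path.
IMPERSONATED_NAMES = {"msedge.exe"}

# Allow-list for known per-user installs (assumption: tune this to your environment,
# e.g. Edge preview channels that install under %LOCALAPPDATA%\Microsoft\Edge*).
ALLOWED_APPDATA_PREFIXES = ("\\appdata\\local\\microsoft\\edge",)


def is_dism_sideload(dll_path: str) -> bool:
    """True when DismCore.dll is loaded from anywhere but the Windows system directories."""
    dll = dll_path.lower()
    return dll.endswith("\\dismcore.dll") and not dll.startswith(TRUSTED_DLL_ROOTS)


def is_appdata_impersonation(image_path: str) -> bool:
    """True when a well-known binary name runs from AppData outside the allow-list."""
    image = image_path.lower()
    path = PureWindowsPath(image)
    if "appdata" not in path.parts or path.name not in IMPERSONATED_NAMES:
        return False
    return not any(prefix in image for prefix in ALLOWED_APPDATA_PREFIXES)


def scan(events: str) -> list[tuple[str, str]]:
    """Return (finding, path) pairs for every event that matches a detection."""
    findings = []
    for line in events.splitlines():
        event_type, image, dll = line.split("|")
        if event_type == "ImageLoad" and is_dism_sideload(dll):
            findings.append(("dll_sideload", dll))
        elif event_type == "ProcessCreate" and is_appdata_impersonation(image):
            findings.append(("appdata_impersonation", image))
    return findings


if __name__ == "__main__":
    for finding, path in scan(SAMPLE_EVENTS):
        print(f"{finding}: {path}")
```

Many legitimate applications run from AppData\Local, so the impersonation check deliberately keys on a small set of well-known names rather than flagging every AppData launch; broaden it only with an allow-list in place.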
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


