Full Report
A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]
Analysis Summary
# Tool/Technique: LucidRook
## Overview
LucidRook is a sophisticated, modular malware family that utilizes an embedded Lua execution environment. It serves as a stealthy execution platform, allowing threat actors to deploy and run second-stage payloads as Lua bytecode. This modularity allows the core malware to remain stable while operational capabilities are updated remotely, significantly hindering forensic reconstruction.
## Technical Details
- **Type:** Malware family (Lua-based modular loader/backdoor)
- **Platform:** Windows
- **Capabilities:** Lua bytecode execution, system reconnaissance, DLL sideloading, encrypted exfiltration, and extensive obfuscation.
- **First Seen:** October 2025
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.001 - Phishing: Spearphishing Attachment]
- **[TA0002 - Execution]**
  - [T1059.006 - Command and Scripting Interpreter: Lua]
  - [T1204.001 - User Execution: Malicious Link File]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1027 - Obfuscated Files or Information]
  - [T1140 - Deobfuscate/Decode Files or Information]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
  - [T1057 - Process Discovery]
- **[TA0010 - Exfiltration]**
  - [T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol] (FTP)
## Functionality
### Core Capabilities
- **Lua Execution Environment:** Embeds a Lua interpreter to execute externally delivered Lua bytecode, providing a flexible and lightweight post-infection platform.
- **Stealthy Payload Delivery:** Fetches second-stage payloads that are often removed from C2 servers immediately after delivery to prevent post-incident analysis.
- **System Reconnaissance:** Automatically collects computer names, usernames, lists of installed applications, and active running processes.
- **DLL Sideloading:** Utilizes legitimate executables (e.g., renamed Microsoft Edge binaries) to load malicious DLLs (e.g., `DismCore.dll`).
### Advanced Features
- **Heavy Obfuscation:** Employs extensive obfuscation of internal strings, C2 addresses, file extensions, and internal identifiers.
- **Encrypted Exfiltration:** Collects data into password-protected archives and encrypts reconnaissance data using RSA before transmission.
- **Dynamic Updates:** Operators can update the malware's behavior without changing the core binary by simply pushing new Lua scripts.
## Indicators of Compromise
- **File Hashes (SHA256):** Not provided in the excerpt; the samples involved are:
  - `LucidPawn` (Dropper)
  - `DismCore.dll` (LucidRook Loader)
  - `LucidKnight` (Reconnaissance tool)
- **File Names:**
  - `DismCore.dll`
  - Fake Microsoft Edge executables
  - Fake Trend Micro "Worry-Free Business Security Services" executables
  - Malicious `.LNK` shortcut files
- **Network Indicators:**
  - FTP servers used for exfiltration (specific IPs/domains not listed in the excerpt)
  - C2 infrastructure for Lua bytecode delivery (defanged)
  - Gmail SMTP (used by the related `LucidKnight` tool)
- **Behavioral Indicators:**
  - Creation of password-protected archives in temporary directories.
  - Process execution originating from unexpected locations (e.g., side-loading via renamed legitimate binaries).
  - Use of Lua-related exports or strings within non-scripting binaries.
## Associated Threat Actors
- **UAT-10362:** A capable adversary characterized by mature tradecraft and a focus on NGOs and educational institutions in Taiwan.
## Detection Methods
- **Behavioral Detection:** Monitor for legitimate Windows binaries (like Edge or Trend Micro tools) loading unsigned or unexpected DLLs from non-standard paths.
- **Network Monitoring:** Alert on anomalous FTP traffic to unknown external IP addresses, especially when originating from standard workstations.
- **Memory Analysis:** Scan running processes for embedded Lua interpreters or Lua bytecode signatures.
- **Endpoint Detection:** Monitor for the creation of password-protected archives combined with system reconnaissance commands (`tasklist`, application inventory).
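As an added illustration of the behavioral indicators and the Behavioral Detection and Network Monitoring items above (example code written for this summary, not code from the report or from the original analysts), the following Python pass reads constructed Sysmon-style image-load (Event ID 7) and network-connection (Event ID 3) log lines, flags a process that loads an unsigned DLL from its own user-writable directory (the DLL side-loading pattern) and a workstation initiating FTP to an address outside the internal ranges, and then correlates both findings on the same host. The key=value log format, host names, paths, the `WS-` workstation naming convention, the internal network list and the IP addresses are all assumptions; the only value taken from the summary is the `DismCore.dll` file name.

```python
"""Correlate constructed Sysmon-style log lines into LucidRook-relevant findings.

Added example, not code from the report. Log lines, host names, paths and IP
addresses are constructed; the only indicator taken from the summary is the
DismCore.dll file name.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# From the summary: loader DLL name used in the side-loading chain.
WATCHED_DLLS = {"dismcore.dll"}
# Assumption: user-writable locations a legitimate Edge/Trend Micro binary never runs from.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Assumption: the organisation's internal address space (RFC 1918 plus loopback/link-local).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumption: workstation host names start with this prefix.
WORKSTATION_PREFIX = "WS-"

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse 'Key=value Key="quoted value"' log lines into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def check_image_load(ev: dict) -> Optional[Finding]:
    """Event 7: unsigned DLL loaded from the process's own directory, and that
    directory is user-writable -> side-loading candidate; DismCore.dll -> high."""
    image = PureWindowsPath(ev["Image"])
    loaded = PureWindowsPath(ev["ImageLoaded"])
    unsigned = ev.get("Signed", "false").lower() != "true"
    same_dir = str(image.parent).lower() == str(loaded.parent).lower()
    writable = any(m in str(loaded).lower() for m in USER_WRITABLE_MARKERS)
    if not (unsigned and same_dir and writable):
        return None
    severity = "high" if loaded.name.lower() in WATCHED_DLLS else "medium"
    return Finding(ev["Host"], severity, "dll_sideload",
                   f"{image.name} loaded unsigned {loaded.name} from {loaded.parent}")


def check_network(ev: dict) -> Optional[Finding]:
    """Event 3: a workstation initiating FTP control traffic (tcp/21) to a non-internal address."""
    if ev.get("Protocol", "").lower() != "tcp" or ev.get("Initiated", "").lower() != "true":
        return None
    if int(ev.get("DestinationPort", 0)) != 21:
        return None
    dst = ip_address(ev["DestinationIp"])
    if is_internal(dst) or not ev["Host"].upper().startswith(WORKSTATION_PREFIX):
        return None
    return Finding(ev["Host"], "medium", "workstation_ftp",
                   f"{PureWindowsPath(ev['Image']).name} -> {dst}:21")


CHECKS = {"7": check_image_load, "3": check_network}


def scan(lines) -> List[Finding]:
    findings = []
    for line in lines:
        ev = parse_line(line)
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Hosts showing both the side-load and the FTP behaviour: escalate these first."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if {"dll_sideload", "workstation_ftp"} <= rules}


# Constructed sample events; 203.0.113.45 is a documentation-range placeholder, not an IoC.
SAMPLE_LOG = [
    'EventID=7 Host=WS-0142 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.exe" '
    'ImageLoaded="C:\\Users\\alice\\AppData\\Local\\Temp\\DismCore.dll" Signed=false Signature=""',
    'EventID=7 Host=WS-0142 Image="C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    'ImageLoaded="C:\\Windows\\System32\\ntdll.dll" Signed=true Signature="Microsoft Windows"',
    'EventID=3 Host=WS-0142 Image="C:\\Users\\alice\\AppData\\Local\\Temp\\msedge.exe" '
    'Protocol=tcp Initiated=true DestinationIp=203.0.113.45 DestinationPort=21',
    'EventID=3 Host=FS-01 Image="C:\\Program Files\\FileZilla FTP Client\\filezilla.exe" '
    'Protocol=tcp Initiated=true DestinationIp=203.0.113.45 DestinationPort=21',
    'EventID=3 Host=WS-0207 Image="C:\\Windows\\System32\\svchost.exe" '
    'Protocol=tcp Initiated=true DestinationIp=10.0.0.5 DestinationPort=21',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
    print("escalate:", sorted(correlate(results)))
```

The FTP rule deliberately keys on the workstation naming convention and on the organisation's own internal ranges rather than on a fixed destination list, because the report notes that the FTP servers and C2 hosts are not published in the excerpt; the side-loading rule needs no knowledge of the renamed binary's name, since it keys on an unsigned DLL loaded from the same user-writable directory as the process image.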
## Mitigation Strategies
- **Email Security:** Implement robust attachment filtering to block or inspect password-protected archives and `.LNK` files.
- **Endpoint Hardening:** Enable Attack Surface Reduction (ASR) rules to prevent the execution of scripts or shortcut files originating from email.
- **Application Whitelisting:** Use Windows Defender Application Control (WDAC) or AppLocker to prevent the execution of unauthorized or side-loaded DLLs.
- **User Education:** Train staff to recognize spear-phishing tactics, particularly those using decoy documents related to government or institutional communications.
## Related Tools/Techniques
- **LucidPawn:** The initial dropper used to deploy LucidRook via LNK-based chains.
- **LucidKnight:** A related reconnaissance tool utilized by the same threat actor, notable for using Gmail SMTP for data exfiltration.
- **DLL Sideloading:** A common technique used by various APT groups to bypass security software by hijacking the search order of legitimate applications.