Hackers are employing sophisticated tactics in Taiwan, disguising malicious software as legitimate security tools to infiltrate organizations. A newly identified malware, dubbed LucidRook, has surfaced, targeting Taiwanese non-governmental organizations and potentially universities. Attackers are using spearphishing emails containing links to password-protected archives that, upon opening, deploy the harmful LucidRook malware. The attackers meticulously crafted these phishing attempts, even including decoy documents such as an official government letter to academic institutions, to enhance the credibility of their malicious payload.
The campaign’s focus on Taiwanese organizations and the use of Traditional Chinese in all communications strongly suggest a deliberate and targeted effort. Cisco Talos researchers, who uncovered this activity, attribute it to a threat group known as UT. This group has been observed conducting spearphishing campaigns specifically aimed at delivering LucidRook, a malware notable for its advanced Lua-based architecture and layered design, which embeds a Lua interpreter alongside Rust-compiled libraries within a Windows DLL.
LucidRook Malware Delivery and Deception Tactics
The infection chain begins with a deceptive spearphishing email that prompts the recipient to download a password-protected archive. Within this archive lies a dropper, identified as LucidPan, which is engineered to impersonate a well-known cybersecurity product. Researchers noted that LucidPan uses a forged icon and application name, making it appear legitimate to unsuspecting victims. Further enhancing the deception, the archive also contains decoy documents, such as a government-issued letter intended for Taiwanese universities, to divert attention from the malicious background processes.
According to Cisco Talos, the threat actors have put significant effort into both the engineering of the malware and the deception involved in its delivery. In addition to LucidRook, a reconnaissance tool named LucidNight was also discovered. Its presence suggests that the attackers are employing a tiered toolkit, potentially using LucidNight to gather intelligence on targets before deploying the full LucidRook malware. This meticulous approach leads Cisco Talos to assess with medium confidence that these attacks represent targeted intrusions rather than opportunistic malware distribution.
Infection Mechanism and Persistence Strategies
Once LucidPan is executed on a compromised system, it abuses a legitimate Windows binary associated with the Deployment Image Servicing and Management (DISM) framework through DLL search order hijacking. LucidPan places DismCore.dll, the LucidRook stager, into a hidden directory adjacent to the legitimate executable, index.exe. When a victim clicks on the disguised LNK file, index.exe is launched and, following the normal search order, loads the malicious DismCore.dll sitting beside it. Persistence is established through an LNK file placed in the Windows Startup folder that launches msedge.exe, impersonating Microsoft Edge to blend in with normal system activity.
The malicious stager is written to the %APPDATA% directory, and DismCore.dll is disguised with a similarly innocuous name to avoid immediate suspicion. Before attempting to communicate with its command-and-control (C2) infrastructure, LucidRook meticulously gathers system information. This includes the username, computer name, drive details, active running processes, and a list of installed software. This collected data is then stored in three encrypted files, labeled 1.bin, 2.bin, and 3.bin, and packaged into a password-protected archive using RSA keys.
Communication with the C2 infrastructure involves the compromised FTP servers of Taiwanese printing companies. Researchers found that the attackers exploited publicly listed credentials for these FTP servers. The collected data is uploaded to these servers, and in return, an encrypted Lua bytecode payload is retrieved. To further evade detection and analysis, LucidRook employs a non-standard safe mode that disables dynamic library loading. It also utilizes a string obfuscation scheme involving a parallel lookup table to conceal embedded strings at runtime, making reverse engineering more challenging.
Threat Mitigation and Recommendations
Cisco Talos has made indicators of compromise (IoCs) publicly available on its GitHub repository to aid defenders in identifying and mitigating this threat. Organizations are strongly advised to implement robust email filtering systems to prevent spearphishing attempts from reaching end-users. Additionally, continuous monitoring for unusual DLL sideloading activity and processes launched from the %APPDATA% directory is crucial. Securing FTP servers is also paramount to prevent credential exposure that attackers can exploit.
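The monitoring advice above maps directly onto the infection chain described earlier (a system DLL name loaded from a user-writable directory, a process launched from %APPDATA%, and an LNK written to the Startup folder). The following is an added detection sketch, not Cisco Talos code; it runs over constructed Sysmon-style events whose field names (EventID 1 process create, 7 image load, 11 file create; Image, ImageLoaded, TargetFilename) are assumed from Sysmon's schema, and the sample paths are invented for illustration.

```python
"""Flag the LucidRook delivery behaviours in Sysmon-style events (added example)."""
import re

# Directories a standard user can write to; an OS DLL loaded from here by a
# relocated system binary is a sideloading indicator (assumed profile layout).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# DLL names the article reports being hijacked; extend as intelligence dictates.
SIDELOAD_DLLS = {"dismcore.dll"}

def classify(event):
    """Return a list of alert strings for one event (empty if nothing matched)."""
    alerts = []
    eid = event.get("EventID")
    if eid == 1 and USER_WRITABLE.search(event.get("Image", "")):
        alerts.append(f"process launched from user-writable path: {event['Image']}")
    elif eid == 7:
        loaded = event.get("ImageLoaded", "")
        name = loaded.rsplit("\\", 1)[-1].lower()
        if name in SIDELOAD_DLLS and USER_WRITABLE.search(loaded):
            alerts.append(f"possible DLL sideloading: {event.get('Image')} loaded {loaded}")
    elif eid == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        alerts.append(f"startup persistence: {event['TargetFilename']}")
    return alerts

def scan(events):
    """Run classify() over an iterable of events and collect every alert."""
    return [alert for event in events for alert in classify(event)]

# Constructed sample events modelled on the chain in the article (not real IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\.cache\index.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\.cache\index.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\.cache\DismCore.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\Dism.exe",
     "ImageLoaded": r"C:\Windows\System32\Dism\DismCore.dll"},  # legitimate load
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft"
     r"\Windows\Start Menu\Programs\Startup\msedge.lnk"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The legitimate DismCore.dll load from System32 produces no alert, which is the distinction that keeps this rule from firing on every DISM invocation.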
The deployment of Snort detection rules released by Cisco Talos is recommended, as these rules are designed to cover LucidRook, LucidPan, and related components. Staying vigilant and updating security measures based on new intelligence will be key in defending against evolving threats like the LucidRook malware and the UT threat group’s operations in Taiwan. The ongoing nature of these targeted attacks underscores the importance of a proactive and layered security approach for organizations in the region.