New Lua-based malware “LucidRook” observed in targeted attacks against Taiwanese organizations

Cisco Talos Intelligence, 08/04/2026, 10:00

Summary

AI-Generated

Key Points:

  • A new Lua-based malware, “LucidRook,” has been observed in targeted spear-phishing attacks against Taiwanese NGOs and universities, delivered via malicious LNK and EXE files.
  • The malware utilizes a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries, allowing it to download and execute payloads while employing anti-analysis techniques. It targets systems in Traditional Chinese environments, indicating a focused attack.
  • Security teams are advised to enhance email filtering, monitor for suspicious LNK and EXE files, and implement network controls to detect unusual FTP traffic associated with the malware's command-and-control infrastructure.

Technical Details: LucidRook is delivered through spear-phishing emails containing password-protected archives. It employs DLL search order hijacking to sideload its components and uses compromised FTP servers for C2 communication.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1203 - User Execution (Execution)
  • T1071.001 - Application Layer Protocol: FTP (Command and Control)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1547.001 - Boot or Logon Autostart Execution: Startup Folder (Persistence)

IOCs Mentioned:

  • 1.34.253[.]131 (abused FTP server)
  • 59.124.71[.]242 (abused FTP server)
  • D.2fcc7078.digimg[.]store (DNS beaconing domain)
  • fexopuboriw972@gmail.com
  • crimsonanabel@powerscrews.com
  • Various file hashes related to LucidRook components and dropper files.

This summary provides actionable intelligence for security analysts to mitigate risks associated with the LucidRook malware campaign targeting Taiwanese organizations.
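The recommendation above to watch for unusual FTP traffic and C2 activity can be turned into a simple log check. The following Python script is an added example, not code from the Talos article or from this page; the firewall and DNS log formats, the sample log lines and the FTP allowlist are constructed for the example, while the IP and domain indicators are the ones listed above. One assumption is ours: that other hostnames under the same registered domain as the beaconing domain are worth alerting on as well.

```python
"""Match LucidRook network indicators against firewall and DNS log lines.

Added example (not from the Talos article or the aggregator page). The log
formats, sample lines and FTP allowlist below are constructed; adapt the
regexes to your own telemetry. Indicators are taken from the summary above.
"""
import re
from dataclasses import dataclass

# Defanged indicators exactly as listed on the page.
IOC_IPS_DEFANGED = ["1.34.253[.]131", "59.124.71[.]242"]
IOC_DOMAIN_DEFANGED = "D.2fcc7078.digimg[.]store"

# Hypothetical allowlist of hosts where outbound FTP is expected.
FTP_ALLOWLIST = {"10.0.5.20"}


def refang(indicator: str) -> str:
    """Turn '1.2.3[.]4' or 'evil[.]com' into a value that matches raw logs."""
    return indicator.replace("[.]", ".").lower()


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
IOC_DOMAIN = refang(IOC_DOMAIN_DEFANGED)
# Assumption: sibling hosts under the same registered domain are related.
IOC_DOMAIN_SUFFIX = "." + ".".join(IOC_DOMAIN.split(".")[-2:])

# Constructed log formats (one firewall flow or one DNS query per line).
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>[\d.]+) query=(?P<qname>\S+)$")


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str       # internal host that triggered the alert
    reason: str
    indicator: str  # destination IP or queried name that matched


def check_firewall(line: str):
    """Flag flows to known C2 IPs and FTP to destinations outside the allowlist."""
    m = FW_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dst in IOC_IPS:
        return Alert(m["ts"], m["src"], "connection to LucidRook C2 IoC", dst)
    if dport == 21 and dst not in FTP_ALLOWLIST:
        return Alert(m["ts"], m["src"], "FTP to non-allowlisted destination", dst)
    return None


def check_dns(line: str):
    """Flag queries for the beaconing domain or any host under its registered domain."""
    m = DNS_RE.match(line)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    if qname == IOC_DOMAIN or qname.endswith(IOC_DOMAIN_SUFFIX):
        return Alert(m["ts"], m["client"], "DNS query to LucidRook beaconing domain", qname)
    return None


def scan(lines):
    """Run both checks over an iterable of log lines and collect the alerts."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        alert = check_firewall(line) or check_dns(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two hits on page indicators, one unusual FTP
# flow, one allowlisted FTP flow and two benign lines.
SAMPLE_LOGS = [
    "2026-04-08T10:02:11Z fw src=192.168.10.45 dst=1.34.253.131 dport=21 proto=tcp",
    "2026-04-08T10:02:15Z fw src=192.168.10.45 dst=10.0.5.20 dport=21 proto=tcp",
    "2026-04-08T10:03:00Z fw src=192.168.10.77 dst=203.0.113.9 dport=21 proto=tcp",
    "2026-04-08T10:03:30Z fw src=192.168.10.45 dst=93.184.216.34 dport=443 proto=tcp",
    "2026-04-08T10:04:02Z dns client=192.168.10.45 query=d.2fcc7078.digimg.store.",
    "2026-04-08T10:04:05Z dns client=192.168.10.45 query=www.example.com.",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a.ts} {a.host}: {a.reason} ({a.indicator})")
```

The indicator match is exact, so rotate the lists as the campaign's infrastructure changes; the FTP rule is the more durable part, since it does not depend on a specific server and instead asks why an endpoint is talking FTP to a host nobody approved.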
