Taiwan Targeted by New Lua Malware 'LucidRook'

Cyber Threat Intelligence is flagging new activity targeting Taiwanese organizations, specifically non-governmental organizations (NGOs) and suspected universities. According to their reporting, a threat cluster, tracked as UAT-10362, has been observed conducting spear-phishing campaigns to deliver a novel malware family dubbed ‘LucidRook.’ This sophisticated stager is built around a Lua interpreter and Rust-compiled libraries, designed to download and execute further Lua bytecode payloads. The initial dropper, named ‘LucidPawn,’ employs region-specific anti-analysis techniques, notably executing only within Traditional Chinese language environments, strongly suggesting a focus on Taiwan.

Cyber Threat Intelligence detailed two primary infection chains leveraged by the attackers, both involving malicious LNK and EXE files masquerading as legitimate antivirus software. The threat actors demonstrated mature operational tradecraft by abusing an Out-of-band Application Security Testing (OAST) service and compromised FTP servers for their command-and-control (C2) infrastructure. This approach, along with the malware’s modular design, layered anti-analysis features, and stealthy payload handling, points to a capable and well-resourced adversary.

Further investigation by Cyber Threat Intelligence uncovered a companion reconnaissance tool, ‘LucidKnight,’ which exfiltrates system information using Gmail. The co-existence of LucidKnight and LucidRook suggests a tiered toolkit, potentially used for initial target profiling before deploying the more advanced stager. This combination of tools and tactics underscores the need for heightened vigilance against targeted attacks originating from sophisticated threat actors.

What This Means For You

  • Given LucidRook's reliance on Lua bytecode and its companion reconnaissance tool exfiltrating data via Gmail, security teams should prioritize enhancing detection rules for Lua execution in unexpected contexts and monitor outbound Gmail traffic for anomalous system information exfiltration patterns, especially from Taiwanese-affiliated networks.
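As an added illustration of that recommendation (this is example code written for this page, not tooling from Cyber Threat Intelligence or anything recovered from the campaign), the Python below runs three simple checks over constructed sample telemetry: it identifies dropped Lua bytecode by the four-byte chunk signature that precompiled Lua files carry, flags Lua interpreters launched outside a developer-tool context, and flags Gmail SMTP connections from processes that are not mail clients. The event schema, file paths, process names and allowlists are all assumptions chosen for the example; real deployments would map them onto the EDR or proxy fields actually available.

```python
"""Example detections for the LucidRook recommendation (added example, not from
the report). Events are hypothetical dicts, not any vendor's schema."""
from __future__ import annotations

# Precompiled Lua chunks begin with ESC 'L' 'u' 'a'; byte 4 encodes the
# interpreter version as (major * 16 + minor), e.g. 0x54 for Lua 5.4.
LUA_SIGNATURE = b"\x1bLua"

# Constructed allowlists: tune to the environment being monitored.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
DEV_PARENTS = {"code.exe", "devenv.exe"}
GMAIL_SMTP_HOSTS = {"smtp.gmail.com"}
SMTP_PORTS = {25, 465, 587}


def lua_bytecode_version(data: bytes) -> str | None:
    """Return 'major.minor' if data starts with a Lua bytecode header, else None."""
    if len(data) < 5 or not data.startswith(LUA_SIGNATURE):
        return None
    v = data[4]
    return f"{v >> 4}.{v & 0x0F}"


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (label, event) pairs for events matching one of the three heuristics."""
    findings: list[tuple[str, dict]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_write":
            ver = lua_bytecode_version(ev.get("content", b""))
            if ver is not None:
                findings.append((f"lua-bytecode-{ver}", ev))
        elif kind == "process":
            image = _basename(ev.get("image", ""))
            cmd = ev.get("cmdline", "").lower()
            looks_like_lua = image.startswith("lua") or ".lua" in cmd
            if looks_like_lua and _basename(ev.get("parent", "")) not in DEV_PARENTS:
                findings.append(("lua-exec-unexpected-parent", ev))
        elif kind == "network":
            if (ev.get("dest_host") in GMAIL_SMTP_HOSTS
                    and ev.get("dest_port") in SMTP_PORTS
                    and _basename(ev.get("process", "")) not in MAIL_CLIENTS):
                findings.append(("gmail-smtp-from-non-mail-client", ev))
    return findings


# Constructed sample telemetry: two benign events interleaved with three that
# should fire. The paths and names are invented for the example.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\Public\avupdate\stage2.dat",
     "content": b"\x1bLua\x54\x00\x19\x93\r\n\x1a\n"},
    {"type": "file_write", "path": r"C:\Users\Public\readme.txt",
     "content": b"plain text"},
    {"type": "process", "image": r"C:\Users\Public\avupdate\lua54.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "lua54.exe stage2.dat"},
    {"type": "process", "image": r"C:\Tools\lua54.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "lua54.exe build.lua"},
    {"type": "network", "process": r"C:\Users\Public\avupdate\avupdate.exe",
     "dest_host": "smtp.gmail.com", "dest_port": 587},
    {"type": "network", "process": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dest_host": "smtp.gmail.com", "dest_port": 587},
]

if __name__ == "__main__":
    for label, ev in triage(SAMPLE_EVENTS):
        print(label, ev.get("path") or ev.get("image") or ev.get("process"))
```

The bytecode check is the most robust of the three because the header is fixed by the Lua reference implementation regardless of file extension; the other two are allowlist heuristics and will need per-environment tuning to keep false positives down.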