New 'LucidRook' Malware Uses Lua and Rust in Targeted Attacks on Taiwan

Cisco Talos Uncovers 'LucidRook' Malware Targeting Taiwanese NGOs and Universities via Spear-Phishing

HIGH
April 8, 2026
Malware, Threat Actor, Cyberattack

Related Entities

Threat Actors: UAT-10362
Products & Tech: Gmail
Other: LucidRook, LucidPawn, LucidKnight, Taiwan

Full Report

Executive Summary

Researchers from Cisco Talos have identified a new and sophisticated malware suite used in highly targeted attacks against organizations in Taiwan. The malware, dubbed LucidRook, is a stager that leverages an embedded Lua interpreter and Rust-based components to execute payloads fetched from a command-and-control (C2) server. The campaign, attributed to a threat cluster tracked as UAT-10362, has been observed targeting non-governmental organizations (NGOs) and is suspected of also targeting universities. The malware employs several advanced anti-analysis and evasion techniques, including a region-specific check that restricts its execution to systems using the Traditional Chinese language pack, strongly indicating a focus on Taiwanese victims. The operation also utilizes a reconnaissance tool named LucidKnight, suggesting a multi-stage attack methodology where targets are profiled before the main payload is deployed.


Threat Overview

The threat actor UAT-10362 is conducting a spear-phishing campaign to deliver the LucidRook malware. The campaign demonstrates a clear operational focus on entities within Taiwan. The infection chain is initiated through malicious attachments, such as archived LNK files disguised as PDFs or executables masquerading as antivirus software. The primary payload, LucidRook, is a DLL that acts as a stager. Its main purpose is to establish persistence and download subsequent Lua bytecode payloads from a C2 server for execution. This modular approach allows the attackers to flexibly deploy different capabilities depending on the target environment. The use of a companion reconnaissance tool, LucidKnight, for initial system information gathering points to a calculated and patient adversary that carefully selects its targets.


Technical Analysis

LucidRook is notable for its combination of technologies and evasion techniques:

  • Infection Vectors: The malware is delivered via two main chains:
    1. A malicious LNK file within an archive, which leverages nested folders to evade detection and executes the malware.
    2. An executable disguised as legitimate software (e.g., antivirus).
  • Stager Components: The core LucidRook DLL embeds a Lua 5.1 interpreter and Rust-compiled libraries. This combination is uncommon and can hinder analysis by security tools not equipped to inspect Lua bytecode.
  • Dropper and Evasion: A dropper component, named LucidPawn, is responsible for initial execution. It performs a critical anti-analysis check by querying the system's language settings. The malware will only proceed if the language is Traditional Chinese (zh-TW), effectively geo-fencing its operations to Taiwan.
  • Obfuscation: The malware uses complex arithmetic operations to dynamically calculate memory addresses for encrypted strings. The decryption keys are reconstructed at runtime, making static analysis and string extraction difficult.
  • C2 Communication: The attackers abused a compromised FTP server and an Out-of-band Application Security Testing (OAST) service for their C2 infrastructure, complicating takedown efforts.


Impact Assessment

The primary goal of this campaign appears to be espionage and intelligence gathering. By targeting NGOs and universities, the threat actor UAT-10362 likely seeks to obtain sensitive information related to political advocacy, research, or individuals associated with these organizations. A successful compromise could lead to:

  • Data Exfiltration: Theft of confidential documents, research data, and personal information of staff and students.
  • Long-Term Persistence: The stager architecture allows the attacker to maintain a foothold within the target network for extended periods, deploying new tools as needed.
  • Surveillance: The malware could be used to monitor communications, capture keystrokes, and exfiltrate data over time.

The focus on a specific geographic region and victim profile suggests a state nexus, although Talos has not made a formal attribution to a specific country.


Cyber Observables for Detection

Security teams can hunt for this activity using the following observables:

  • process_name: rundll32.exe (confidence: medium). The LucidPawn dropper is often executed via rundll32.exe. Monitor for rundll32.exe processes spawning from suspicious parent processes such as explorer.exe (from a clicked LNK) or email clients.
  • api_endpoint: GetUserDefaultLangID (confidence: high). API call used by LucidPawn to check the system's language. API monitoring or dynamic analysis can flag processes that call this function and then terminate if the language is not Traditional Chinese.
  • file_name: *.lua (confidence: medium). The malware downloads and executes Lua script files. Monitor for the creation or execution of .lua files in unusual locations, such as user temp directories.
  • network_traffic_pattern: FTP (confidence: low). The C2 infrastructure was observed using a compromised FTP server. Monitor for anomalous FTP traffic from endpoints to unknown or untrusted servers.
  • file_name: LucidRook.dll (confidence: medium). The name of the primary malware component. Search for this filename on endpoints, though attackers will likely rename it.

Detection & Response

Detection:

  1. Endpoint Detection and Response (EDR): Deploy EDR solutions capable of monitoring process execution chains. Look for suspicious rundll32.exe activity and monitor for API calls like GetUserDefaultLangID followed by network connections.
  2. Script Block Logging: Enable PowerShell and other script block logging to identify the execution of suspicious commands originating from LNK files.
  3. File Analysis: Use sandboxing and dynamic analysis (D3-DA - Dynamic Analysis) to inspect suspicious files. Configure sandbox environments with a Traditional Chinese language pack to trigger the malware's full execution path.

Response:

  • Isolate any machine confirmed to be infected to prevent lateral movement.
  • Block all network connections to the identified C2 domains and IP addresses.
  • Conduct a full forensic analysis of the affected endpoint to identify all downloaded payloads and executed commands.
  • Review email logs for other potential spear-phishing emails from the same campaign.

Mitigation

  • User Training: M1017 - User Training: Train users to be suspicious of unsolicited emails with attachments, especially archives (.zip, .rar) containing LNK files or executables.
  • Email Security: Deploy advanced email security gateways that can scan attachments for malicious content and block known malicious domains.
  • Execution Prevention: M1038 - Execution Prevention: Configure application control policies to restrict the execution of unsigned or untrusted DLLs and executables from user-writable locations like AppData or Temp.
  • Attack Surface Reduction: Configure Windows Attack Surface Reduction (ASR) rules to block executable content from email clients and to block Office applications from creating child processes.

Timeline of Events

April 8, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Train users to identify and report spear-phishing attempts, particularly those with unexpected attachments.
  • Use email security gateways to analyze and block malicious attachments before they reach the user.
  • Implement application control to prevent the execution of unauthorized DLLs and executables.
  • Deploy and maintain endpoint security solutions to detect and block known malware components.

D3FEND Defensive Countermeasures

Given LucidRook's use of environmental checks (specifically, the Traditional Chinese language pack), standard sandbox analysis may fail to reveal the malware's true behavior. Security teams must configure their dynamic analysis environments to mimic potential targets in Taiwan. This involves setting the system locale and language to 'zh-TW' and the time zone to match. Running the suspicious LNK or EXE files in this configured environment is crucial to trigger the second-stage payload download and execution. The analysis should focus on capturing network indicators (C2 domains/IPs), file system artifacts (dropped Lua scripts), and process activity (execution of the Lua interpreter). This tailored analysis is the most effective way to overcome the actor's primary evasion technique and generate actionable intelligence.

The LucidRook campaign relies on dropping and executing untrusted DLLs and executables. Implementing an application allowlisting policy, such as Windows Defender Application Control (WDAC), can effectively block this activity. The policy should be configured to only allow the execution of digitally signed, trusted software. Since LucidRook and its components are unsigned, they would be prevented from running. This is a powerful preventative control that moves away from trying to detect 'bad' and instead only permits 'known good'. While initial deployment can be complex, focusing on high-risk user groups or critical servers can provide significant security uplift and would directly disrupt this malware's infection chain at the execution stage.

EDR tools should be configured to perform deep process analysis and look for anomalous execution chains. For this specific threat, a key detection opportunity is monitoring for explorer.exe (if a user clicks a malicious LNK file) or an email client process (outlook.exe) spawning a rundll32.exe process. This rundll32.exe process would then load the malicious LucidRook.dll. Further analysis should look for this process making network connections to unknown FTP servers or OAST service domains. Another heuristic is to alert on any process that calls the GetUserDefaultLangID API and then promptly terminates without performing other meaningful actions, as this could indicate a failed environmental check by the malware. Correlating these process-level behaviors provides a high-confidence indicator of a LucidRook infection attempt.
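The process-chain and GetUserDefaultLangID heuristics described in the Detection steps above and in this paragraph, as an added Python example that is not part of the original article or of any Talos tooling: it runs a small hunting rule over constructed Sysmon/sandbox-style JSON events and reports processes that match at least two heuristics (suspicious rundll32.exe parent, image or DLL argument under a user-writable path, outbound/FTP connection, or a language query followed by a quick silent exit). The event field names, the 2-second quick-exit threshold, and all PIDs, hosts and paths are assumptions.

```python
import json

# Constructed Sysmon/sandbox-style events as JSON lines; PIDs, hosts and paths are invented.
SAMPLE_EVENTS = r"""
{"event":"process_create","pid":5232,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\report\\stage.dll,Start"}
{"event":"network_connect","pid":5232,"dest_host":"198.51.100.7","dest_port":21}
{"event":"process_create","pid":6001,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL"}
{"event":"process_create","pid":7010,"image":"C:\\Users\\u\\Downloads\\AVUpdate.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"AVUpdate.exe"}
{"event":"api_call","pid":7010,"api":"GetUserDefaultLangID"}
{"event":"process_terminate","pid":7010,"lifetime_ms":180}
"""

SUSPICIOUS_PARENTS = {"explorer.exe", "outlook.exe"}  # LNK click or mail client, as in the report
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
QUICK_EXIT_MS = 2000  # assumed threshold for "promptly terminates"

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def hunt(jsonl: str) -> dict:
    """Return {pid: [reasons]} for processes that match at least two of the report's heuristics."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    reasons, lang_checked, networked = {}, set(), set()
    for e in events:
        pid, kind = e["pid"], e["event"]
        if kind == "process_create":
            hits, parent = [], basename(e["parent_image"])
            if basename(e["image"]) == "rundll32.exe" and parent in SUSPICIOUS_PARENTS:
                hits.append(f"rundll32.exe spawned by {parent}")
            if any(p in e["image"].lower() or p in e["cmdline"].lower() for p in USER_WRITABLE):
                hits.append("image or DLL argument under a user-writable path")
            reasons.setdefault(pid, []).extend(hits)
        elif kind == "network_connect":
            networked.add(pid)
            label = "FTP" if e["dest_port"] == 21 else "outbound"
            reasons.setdefault(pid, []).append(f"{label} connection to {e['dest_host']}:{e['dest_port']}")
        elif kind == "api_call" and e["api"] == "GetUserDefaultLangID":
            lang_checked.add(pid)  # the LucidPawn geo-fence check
        elif (kind == "process_terminate" and pid in lang_checked
              and pid not in networked and e["lifetime_ms"] < QUICK_EXIT_MS):
            reasons.setdefault(pid, []).append("queried GetUserDefaultLangID then exited quickly with no network activity")
    return {pid: hits for pid, hits in reasons.items() if len(hits) >= 2}

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

The benign rundll32.exe launched by svchost.exe with a system DLL scores zero hits and is not reported, while the two constructed LucidRook-style chains each clear the two-heuristic threshold.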

Article Author

Jason Gomes, Cybersecurity Practitioner


Tags

Lua, Rust, Spear-phishing, Stager, Espionage
