ZCyberNews
Category: Malware | Severity: High

LucidRook Malware Targets NGOs and Universities in Taiwan via Spear-Phishing

A new Lua-based malware, LucidRook, is being deployed in targeted spear-phishing attacks against NGOs and universities in Taiwan, using decoy documents to establish persistence and exfiltrate data.


Executive Summary

A previously undocumented malware family, dubbed LucidRook, is being used in targeted spear-phishing campaigns against non-governmental organizations (NGOs) and universities in Taiwan. The malware, written in the Lua scripting language, is delivered via malicious email attachments and is built to maintain long-term persistence on compromised systems so that data can be stolen over time. The threat actor's identity and motivations remain unclear, but the narrow choice of victims points to espionage or intelligence gathering rather than opportunistic crime.

Technical Analysis

LucidRook is a modular, Lua-based implant. The initial infection vector is a spear-phishing email carrying a malicious Microsoft Word document. The public analysis does not say whether the document exploits a known vulnerability or simply relies on social engineering to get a script executed; either way, that script stages the Lua payload. The malware's core component is a Lua script that acts as both loader and communication module. Because Lua is interpreted, the implant must either bundle a runtime (a standalone interpreter or a library linked into a native loader) or reuse one already on the host; the analysis does not say which, but that runtime is itself a hunting artifact alongside the script.

Once executed, LucidRook establishes persistence by creating a scheduled task or a startup registry entry. It then communicates with a command-and-control (C2) server using HTTP POST requests. The C2 infrastructure is configured to mimic legitimate cloud storage services, potentially to evade network-based detection. The malware supports a range of commands from its operators, including the ability to download and execute additional Lua-based modules, upload files from the victim's system, and perform basic reconnaissance. The use of Lua, a less common language for malware, may be a deliberate attempt to bypass static detection signatures that typically focus on binaries written in languages like C or C++.

Tactics, Techniques & Procedures

The threat actor employs a consistent set of tactics aligned with targeted intrusion campaigns. Initial Access is achieved through Phishing: Spearphishing Attachment (T1566.001), with emails carrying weaponized Word documents. Execution likely depends on User Execution: Malicious File (T1204.002), the victim opening the document, which then triggers script execution. Persistence is established via Scheduled Task/Job: Scheduled Task (T1053.005) or Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). Command and Control runs over Application Layer Protocol: Web Protocols (T1071.001), with HTTP POST traffic shaped to blend in with normal use of services such as Google Drive; the implant's ability to fetch additional Lua modules over that channel maps to Ingress Tool Transfer (T1105). The primary objective appears to be Exfiltration (TA0010), with collected files uploaded from the compromised host over the same C2 channel (Exfiltration Over C2 Channel, T1041).

Threat Actor Context

The identity and origin of the threat actor behind LucidRook are currently unknown. Public reporting does not attribute the activity to a known advanced persistent threat (APT) group. The targeting of NGOs and academic institutions in Taiwan suggests a possible geopolitical or intelligence-gathering motive, but this remains speculative. The operational security measures, such as the use of a less common programming language and camouflaged C2 traffic, indicate a moderately sophisticated actor capable of developing custom tooling for specific campaigns.

Mitigations & Recommendations

Organizations, particularly those in the NGO and education sectors, should implement defensive measures tailored to the identified TTPs. Key recommendations include:

  • User Training: Conduct regular security awareness training focused on identifying spear-phishing attempts, especially suspicious email attachments.
  • Email Filtering: Deploy advanced email security solutions capable of analyzing attachments for malicious scripts and blocking suspicious URLs.
  • Endpoint Detection: Utilize endpoint detection and response (EDR) tools configured to alert on anomalous process creation, in particular an Office application (directly or via cmd.exe or PowerShell) spawning a Lua interpreter or any other unexpected scripting runtime, and on persistence commands (schtasks /create, writes to Run keys) issued from that process tree.
  • Network Monitoring: Monitor outbound HTTP/HTTPS traffic for anomalies, such as POST traffic to newly registered domains, hostnames that borrow a cloud-storage brand name but resolve outside the provider's real domains, or upload patterns inconsistent with normal user activity to cloud services.
  • Application Control: Consider implementing application allowlisting policies to restrict the execution of unauthorized scripts and binaries.
  • Incident Response: Ensure incident response plans are updated to handle intrusions involving scripting-based malware and have the capability to analyze non-binary payloads.
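As an added example (not code from the report, the malware, or any vendor product), the detection logic below turns the behaviours described on this page into three rules and runs them over constructed sample telemetry: Rule 1 flags a Lua interpreter with an Office application anywhere in its process lineage, Rule 2 flags schtasks /create or a Run-key write issued from that process tree, and Rule 3 flags HTTP POSTs to hostnames that borrow a cloud-storage brand word but sit outside the provider's real domains. The interpreter names, Office process names, brand/apex lists and every event in the sample data are assumptions made for illustration; the report names none of them.

```python
"""Detection rules for the LucidRook TTPs on this page, run over constructed
sample telemetry. Added illustration; not code from the report or the malware."""
import re

# Assumed names: the report names neither the Lua interpreter the implant runs
# nor its exact persistence commands; tune these lists to your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LUA_INTERPRETERS = {"lua.exe", "lua5.1.exe", "lua5.3.exe", "lua5.4.exe",
                    "luajit.exe", "wlua.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b", re.IGNORECASE)

# Brand words a C2 hostname might borrow, with the apex domains where that
# brand legitimately lives (assumption; extend from your own allowlist).
CLOUD_BRANDS = [
    ("dropbox", {"dropbox.com", "dropboxapi.com", "dropboxusercontent.com"}),
    ("onedrive", {"live.com", "microsoft.com", "sharepoint.com", "office.com"}),
    ("drive", {"google.com", "googleapis.com", "googleusercontent.com",
               "live.com", "microsoft.com"}),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def apex_domain(host):
    # Naive last-two-labels apex; multi-label public suffixes (.com.tw, .co.uk)
    # need a real public-suffix list, so treat this as a first-pass filter.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_cloud_lookalike(host):
    """True if host borrows a cloud-storage brand word but sits under an apex
    that brand does not use, e.g. gdrive-sync.example.net."""
    h = host.lower()
    apex = apex_domain(h)
    return any(brand in h and apex not in apexes for brand, apexes in CLOUD_BRANDS)

def ancestor_images(pid, by_pid):
    """Yield image basenames of pid's ancestors, nearest first (cycle-safe)."""
    seen = set()
    pid = by_pid[pid]["ppid"] if pid in by_pid else None
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]

def detect_process_alerts(events):
    """Rule 1: Lua interpreter with an Office app anywhere in its lineage.
    Rule 2: schtasks /create or reg add ...\\Run from a process descended from
    an Office app or from such a Lua interpreter."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        lineage = set(ancestor_images(e["pid"], by_pid))
        from_office = bool(lineage & OFFICE_APPS)
        if img in LUA_INTERPRETERS and from_office:
            alerts.append(("office_spawned_lua", e["pid"]))
        cmd = e["cmdline"].lower()
        persistence = (img == "schtasks.exe" and "/create" in cmd) or (
            img == "reg.exe" and " add " in cmd and RUN_KEY_RE.search(cmd))
        if persistence and (from_office or lineage & LUA_INTERPRETERS):
            alerts.append(("suspicious_persistence", e["pid"]))
    return alerts

def detect_c2_alerts(http_events):
    """Rule 3: HTTP POST to a host that imitates a cloud-storage brand."""
    return [(h["host"], h["path"]) for h in http_events
            if h["method"] == "POST" and is_cloud_lookalike(h["host"])]

# Constructed sample telemetry (not real indicators): Word spawns cmd.exe, which
# launches a dropped Lua interpreter that then installs persistence.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invitation.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "%APPDATA%\sync\lua.exe" %APPDATA%\sync\main.lua'},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\sync\lua.exe",
     "cmdline": "lua.exe main.lua"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc onlogon /tn CloudSync /tr "%APPDATA%\sync\lua.exe main.lua"'},
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CloudSync /d "%APPDATA%\sync\lua.exe"'},
    # Benign: a user-created backup task and a developer running Lua from Explorer.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /sc daily /tn Backup /tr backup.bat"},
    {"pid": 800, "ppid": 100, "image": r"C:\Tools\lua5.4.exe", "cmdline": "lua5.4.exe build.lua"},
]
HTTP_EVENTS = [  # constructed; only the second host should fire
    {"method": "POST", "host": "drive.google.com", "path": "/upload"},
    {"method": "POST", "host": "gdrive-sync.example.net", "path": "/api/v1/files"},
    {"method": "GET", "host": "dropbox-cdn.example.org", "path": "/"},
    {"method": "POST", "host": "onedrive.live.com", "path": "/upload"},
]

if __name__ == "__main__":
    for alert in detect_process_alerts(PROCESS_EVENTS) + detect_c2_alerts(HTTP_EVENTS):
        print(alert)
```

Rule 1 keys on the interpreter's file name, so a renamed or statically linked Lua runtime evades it; pair it with hash or code-signing checks on the spawned image. The apex check is a last-two-labels shortcut that misfires on multi-label public suffixes such as .com.tw, which matters for a Taiwan-focused campaign; use a public-suffix list in production.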

Tags: #malware #spear-phishing #lua #targeted-attack #ngo