Lua‑Based Malware “LucidRook” Targets Taiwanese NGOs and Universities via Spear‑Phishing
What Happened – Cisco Talos identified a new Lua‑embedded malware family, LucidRook, delivered through spear‑phishing campaigns against Taiwanese non‑governmental organizations and universities. The dropper (LucidPawn) loads a Lua interpreter and Rust‑compiled libraries, then stages Lua bytecode payloads; a companion tool, LucidKnight, harvests system data via Gmail.
Why It Matters for TPRM (Third‑Party Risk Management) –
- The threat leverages legitimate‑looking email and compromised FTP/OAST services, exposing supply‑chain and credential‑reuse risks for third‑party vendors.
- Region‑specific anti‑analysis checks mean the malware only activates in Traditional Chinese environments, making detection harder for global security teams.
- The modular design (Lua + Rust) suggests future extensions could target a broader set of assets, increasing long‑term exposure for partners handling Taiwanese data.
Who Is Affected – NGOs, research institutions, and universities in Taiwan; any third‑party service that provides email or file‑transfer infrastructure to these entities.
Recommended Actions –
- Review email security controls for spear‑phishing resilience (DMARC, SPF, DKIM, user training).
- Validate that any third‑party FTP or OAST services used by your organization are hardened and monitored for anomalous traffic.
- Deploy endpoint detection that can flag unknown DLLs embedding Lua interpreters or Rust libraries.
- Conduct threat‑hunt queries for LucidPawn/LucidRook IOCs (hashes, C2 domains, Gmail exfiltration patterns).
Technical Notes –
- Attack vector: Spear‑phishing with malicious LNK/EXE payloads disguised as antivirus software.
- Payload: DLL dropper containing a Lua interpreter and Rust‑compiled modules; staged Lua bytecode executed after anti‑analysis checks.
- C2: Compromised FTP servers and public OAST (out‑of‑band application security testing) services; exfiltration via Gmail (LucidKnight).
- Anti‑analysis: Checks for Traditional Chinese locale, language settings, and regional system attributes.
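As an added example (not code from the Talos report or this brief), the following heuristic triage script implements the "unknown DLLs embedding Lua interpreters or Rust libraries" check from Recommended Actions and the staged Lua bytecode trait from Technical Notes. It assumes Lua's precompiled‑chunk signature (ESC "Lua" followed by a version byte) and the lua_/luaL_ C API name prefixes as markers; the sample byte strings are constructed and are not real LucidPawn artifacts.

```python
import re

# Lua precompiled chunk header: ESC "Lua" followed by a version byte
# (0x51 = Lua 5.1 ... 0x54 = Lua 5.4); LUA_SIGNATURE in lua.h.
LUA_BYTECODE_RE = re.compile(rb"\x1bLua[\x51-\x54]")

# Lua C API / auxiliary-library names that any DLL embedding or exporting
# a Lua interpreter carries (e.g. lua_pcall, luaL_loadbuffer).
LUA_API_RE = re.compile(rb"lua(?:L)?_[A-Za-z]+")

# Strings the Rust toolchain typically leaves in compiled libraries.
RUST_MARKERS = (b"rustc", b"core::panicking", b"library/std/src", b"/rustlib/")

def scan_blob(data: bytes) -> dict:
    """Heuristic triage of a file image (e.g. an unknown DLL) for an embedded
    Lua interpreter, staged Lua bytecode and Rust-compiled code. Returns the
    evidence found plus a review flag; this is triage, not a malware signature."""
    bytecode_hits = len(LUA_BYTECODE_RE.findall(data))
    api_symbols = sorted(set(LUA_API_RE.findall(data)))
    rust_hits = [m for m in RUST_MARKERS if m in data]
    has_interpreter = len(api_symbols) >= 3   # several API names, not one stray match
    has_bytecode = bytecode_hits > 0
    has_rust = len(rust_hits) > 0
    suspicious = has_bytecode or (has_interpreter and has_rust)
    return {
        "lua_api_symbols": [s.decode() for s in api_symbols],
        "lua_bytecode_chunks": bytecode_hits,
        "rust_markers": [m.decode() for m in rust_hits],
        "flag_for_review": suspicious,
    }

def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_blob(fh.read())

# Constructed samples: a fake image with three Lua API names, a Lua 5.4 chunk
# header (signature, version, format, LUAC_DATA) and a Rust marker; and a benign one.
SAMPLE_SUSPICIOUS = (
    b"MZ" + b"\x00" * 64
    + b"lua_pcall\x00luaL_loadbuffer\x00lua_newstate\x00"
    + b"\x1bLua\x54\x00\x19\x93\r\n\x1a\n"
    + b"rustc\x00"
)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 64 + b"kernel32.dll\x00CreateFileW\x00"

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_blob(blob))
```

Run `scan_file` over files dropped by unknown installers or loaded into mail and FTP client processes, and escalate anything with `flag_for_review` set to a full sandbox or YARA pass.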