Lua‑Based ‘LucidRook’ Malware Targets NGOs and Universities in Taiwan
What Happened – A new Lua‑enabled malware family named LucidRook was observed in spear‑phishing campaigns against non‑governmental organizations and higher‑education institutions in Taiwan. The attacks use password‑protected archives and either a malicious LNK shortcut or a fake Trend Micro antivirus executable to drop a loader (LucidPawn) that sideloads the main payload.
Why It Matters for TPRM –
- Threat actors can exfiltrate sensitive research, donor, or student data through FTP uploads of encrypted, password‑protected archives.
- The modular Lua architecture allows rapid updates, making signature‑based defenses less effective.
- NGOs and universities often rely on third‑party SaaS platforms; compromised credentials could cascade to partner ecosystems.
Who Is Affected – Education & research institutions, non‑profit NGOs, and any third‑party service providers that host or process their data.
Recommended Actions –
- Review phishing‑resilience controls for all vendors handling NGO/university data.
- Verify that email gateways block password‑protected archives and inspect LNK files.
- Ensure endpoint detection platforms can detect Lua‑based loaders and outbound FTP uploads of encrypted archives.
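The second action above relies on a property of the ZIP format that is worth making explicit: a password only encrypts member *contents*, while the central directory (file names, sizes and the encryption flag bit) stays in cleartext. A gateway can therefore tell that an archive is password‑protected and that it carries a `.lnk` or `.exe` member without ever knowing the password. The script below is an added illustration for this bulletin, not code from the source report or from any vendor product: it parses the central directory directly with `struct`, flags encrypted or executable‑type members, and builds a constructed sample archive (the member names and data are invented) to run against.

```python
"""Inspect a ZIP archive's central directory without extracting it.

Hypothetical gateway-side check written for this note. Password-protected
ZIPs encrypt member contents, but the central directory keeps names and the
general-purpose flag bits in cleartext, so the check needs no password.
"""
import struct
import zlib

LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")          # 30-byte local file header
CENTRAL_HDR = struct.Struct("<IHHHHHHIIIHHHHHII")  # 46-byte central directory header
EOCD = struct.Struct("<IHHHHIIH")                  # 22-byte end-of-central-directory record
FLAG_ENCRYPTED = 0x0001                            # general-purpose flag bit 0

# Extensions the bulletin names as droppers (.lnk, .exe) plus other
# directly executable formats; extend to match local policy.
RISKY_EXTENSIONS = {".lnk", ".exe", ".dll", ".scr", ".js", ".vbs", ".hta"}


def list_central_directory(blob: bytes):
    """Yield (name, flag_bits, compressed_size) for every member."""
    eocd_pos = blob.rfind(b"PK\x05\x06")
    if eocd_pos < 0 or eocd_pos + EOCD.size > len(blob):
        raise ValueError("no end-of-central-directory record")
    (_, _, _, _, total_entries, _, cd_offset, _) = EOCD.unpack_from(blob, eocd_pos)
    pos = cd_offset
    for _ in range(total_entries):
        fields = CENTRAL_HDR.unpack_from(blob, pos)
        if fields[0] != 0x02014B50:
            raise ValueError("corrupt central directory header")
        flags, csize = fields[3], fields[8]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        start = pos + CENTRAL_HDR.size
        name = blob[start:start + name_len].decode("utf-8", "replace")
        yield name, flags, csize
        pos = start + name_len + extra_len + comment_len


def inspect_archive(blob: bytes):
    """Return [(member_name, [reasons])] for members that would trip a gateway rule."""
    findings = []
    for name, flags, _ in list_central_directory(blob):
        reasons = []
        if flags & FLAG_ENCRYPTED:
            reasons.append("password-protected member")
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"executable-type member ({ext})")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_zip(members):
    """Construct a minimal stored (method 0) ZIP for testing.

    members: iterable of (name, data, encrypted). When `encrypted` is True only
    the flag bit is set; the data is not actually enciphered. Test fixture
    only, not a real attacker archive.
    """
    members = list(members)
    local_parts, central_parts, offset = [], [], 0
    for name, data, encrypted in members:
        name_b = name.encode("utf-8")
        flags = FLAG_ENCRYPTED if encrypted else 0
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = LOCAL_HDR.pack(0x04034B50, 20, flags, 0, 0, 0, crc,
                               len(data), len(data), len(name_b), 0) + name_b + data
        central = CENTRAL_HDR.pack(0x02014B50, 20, 20, flags, 0, 0, 0, crc,
                                   len(data), len(data), len(name_b), 0, 0,
                                   0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = EOCD.pack(0x06054B50, 0, 0, len(members), len(members), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


# Constructed sample: a password-protected shortcut beside a harmless text file.
SAMPLE = build_sample_zip([
    ("Invoice_2024.pdf.lnk", b"not a real shortcut", True),
    ("readme.txt", b"hello", False),
])

if __name__ == "__main__":
    for member, reasons in inspect_archive(SAMPLE):
        print(member, "->", "; ".join(reasons))
```

The parser deliberately ignores the local file headers: a gateway rule that keys on the central directory is cheaper and still works when member data is encrypted or when the archive is truncated after the members it cares about.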
Technical Notes –
- Attack vector: Spear‑phishing with password‑protected ZIP/RAR archives; delivery via LNK shortcut or fake antivirus EXE.
- Malware chain: LNK → LucidPawn (loader) → renamed Edge executable + malicious DismCore.dll → LucidRook (Lua stage).
- Data exfiltration: RSA‑encrypted payloads stored in password‑protected archives, exfiltrated via FTP; secondary tool “LucidKnight” abuses Gmail GMTP.
- Obfuscation: Heavy string and identifier encryption, dynamic C2 address resolution.
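The sideloading step in the chain (a renamed Edge executable loading a malicious DismCore.dll) leaves a telemetry signature that does not depend on the Lua payload at all. The script below is an added illustration for this bulletin, not detection content from the source report: it evaluates newline‑delimited JSON image‑load events with Sysmon‑style field names (`Image`, `OriginalFileName`, `ImageLoaded`, `Signed`) against three rules, and runs over constructed sample events. The field names and the "trusted" directories for DismCore.dll and for Edge are assumptions that should be replaced with the environment's own baseline.

```python
"""Flag the DLL-sideloading pattern from the LucidRook chain in endpoint
telemetry: a renamed or relocated Microsoft Edge binary loading a
DismCore.dll that does not come from the Windows DISM directory.

Added illustration for this bulletin. Event shape loosely follows Sysmon
image-load records; field names and trusted paths are assumptions.
"""
import json
from pathlib import PureWindowsPath

# Assumed legitimate locations (lower-cased); adjust to the local baseline.
TRUSTED_DISMCORE_DIRS = {
    r"c:\windows\system32\dism",
    r"c:\windows\syswow64\dism",
}
TRUSTED_EDGE_DIRS = {
    r"c:\program files (x86)\microsoft\edge\application",
    r"c:\program files\microsoft\edge\application",
}


def _dir_of(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name_of(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate_event(ev: dict) -> list:
    """Return the rule names an image-load event matches (empty list = benign)."""
    hits = []
    image = ev.get("Image", "")
    loaded = ev.get("ImageLoaded", "")
    original = ev.get("OriginalFileName", "").lower()
    signed = str(ev.get("Signed", "")).lower()

    # Rule 1: DismCore.dll loaded from anywhere but its Windows home directory.
    if _name_of(loaded) == "dismcore.dll" and _dir_of(loaded) not in TRUSTED_DISMCORE_DIRS:
        hits.append("dismcore_outside_windows")

    # Rule 2: the loading process is Edge by PE version info (OriginalFileName)
    # but its on-disk name or directory does not match a normal install.
    if original == "msedge.exe":
        if _name_of(image) != "msedge.exe" or _dir_of(image) not in TRUSTED_EDGE_DIRS:
            hits.append("renamed_or_relocated_edge")

    # Rule 3: something claiming to be Edge loads an unsigned DismCore.dll.
    if original == "msedge.exe" and signed == "false" and _name_of(loaded) == "dismcore.dll":
        hits.append("edge_loads_unsigned_dismcore")

    return hits


def scan(lines):
    """Parse JSON events (one per line) and return [(RecordId, hits)] for matches."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hits = evaluate_event(ev)
        if hits:
            findings.append((ev.get("RecordId"), hits))
    return findings


# Constructed sample telemetry; user names, paths and record ids are invented.
# Record 1: genuine Edge loading ntdll.  Record 2: the sideloading pattern.
# Record 3: the real DISM tool loading its own DismCore.dll (must not alert).
SAMPLE_EVENTS = r"""
{"RecordId": 1, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "OriginalFileName": "msedge.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"}
{"RecordId": 2, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe", "OriginalFileName": "msedge.exe", "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\DismCore.dll", "Signed": "false"}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\Dism.exe", "OriginalFileName": "DISM.EXE", "ImageLoaded": "C:\\Windows\\System32\\Dism\\DismCore.dll", "Signed": "true"}
"""

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_EVENTS.splitlines()):
        print(f"record {record_id}: {', '.join(hits)}")
```

Rule 2 is the one that survives a loader being renamed: the PE `OriginalFileName` is read from the binary's version resource, so a copy of msedge.exe called update.exe still reports itself as Edge while sitting in a user‑writable directory.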
Source: BleepingComputer