Cybercriminals Deploy LucidRook Malware via Counterfeit Security Software in Taiwan
A sophisticated cyberattack campaign has been identified targeting organizations in Taiwan, where attackers are distributing a newly discovered malware named LucidRook. This malware is cleverly concealed within counterfeit security software, meticulously designed to mimic legitimate cybersecurity applications. The attackers have replicated the icons and application names of well-known security products to deceive users into executing the malicious software.
Targeted Entities and Attack Methodology
The primary targets of this campaign are non-governmental organizations and academic institutions in Taiwan. The attackers employ spear-phishing tactics, sending emails that contain shortened URLs leading to password-protected compressed archives. These archives include decoy documents, such as official letters from the Taiwanese government addressed to universities, enhancing the credibility of the attack. The use of Traditional Chinese in the emails and documents indicates a deliberate focus on Taiwanese entities.
Discovery and Analysis
Researchers from Cisco Talos uncovered this malicious activity after observing a series of attacks attributed to a threat group referred to as UT. This group has been conducting spear-phishing campaigns against Taiwanese NGOs and universities to deploy LucidRook. Notably, LucidRook is distinguished by its Lua-based architecture and multi-layered design.
The malware operates as a sophisticated stager, embedding a Lua interpreter alongside Rust-compiled libraries within a Windows DLL. This level of complexity suggests a well-resourced and technically proficient adversary. In addition to LucidRook, researchers identified a reconnaissance tool named LucidNight, indicating a tiered toolkit used by the attackers. LucidNight is likely employed to profile targets before deploying the full malware suite, reflecting a strategic and targeted approach rather than indiscriminate malware distribution.
Infection Mechanism and Persistence
The infection process begins with a spear-phishing email directing the recipient to download a password-protected archive. The dropper, dubbed LucidPan, masquerades as a Trend Micro security product, complete with a forged icon and application name. It also includes decoy documents, such as government-issued letters to Taiwanese universities, to distract the victim while the malicious payload executes in the background.
Once executed, LucidPan abuses a legitimate Windows binary belonging to the Deployment Image Servicing and Management (DISM) framework. It relies on DLL search order hijacking: a malicious DLL named DismCore.dll is dropped into a hidden directory next to the legitimate DISM executable, which is saved there as index.exe. When the victim clicks the disguised LNK file, index.exe starts and, searching its own directory first, loads the malicious DismCore.dll instead of the genuine library.
To establish persistence, the malware places an LNK file in the Windows Startup folder that launches a binary named msedge.exe (impersonating Microsoft Edge) once the dropped files are in place. The stager is written to the %APPDATA% directory, and the malicious DLL keeps the legitimate DismCore.dll file name so that it does not raise immediate suspicion.
Data Collection and Exfiltration
Before communicating with its command-and-control (C2) infrastructure, LucidRook collects system information, including the username, computer name, drive details, running processes, and installed software. This data is stored in three encrypted files—1.bin, 2.bin, and 3.bin—and packaged into a password-protected archive using RSA keys. The encryption shields the collected data in transit to the attackers and reduces the chance that the exfiltration is noticed by network inspection.
Implications and Recommendations
The deployment of LucidRook via counterfeit security software underscores the evolving tactics of cybercriminals, who are increasingly using sophisticated social engineering techniques to infiltrate targeted organizations. The use of legitimate-looking security software as a delivery mechanism for malware highlights the need for heightened vigilance among users and organizations.
To mitigate the risk of such attacks, it is recommended that organizations:
1. Verify Software Sources: Always download software from official and reputable sources. Be cautious of unsolicited emails or messages prompting software downloads.
2. Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of scrutinizing email content and attachments.
3. Implement Multi-Layered Security: Utilize a combination of security measures, including endpoint protection, network monitoring, and intrusion detection systems, to identify and respond to threats promptly.
4. Regularly Update Systems: Ensure that all software and operating systems are up to date with the latest security patches to reduce vulnerabilities.
5. Monitor for Anomalies: Establish protocols to detect unusual activities within the network, such as unexpected data transfers or the execution of unfamiliar applications.
By adopting these practices, organizations can enhance their resilience against sophisticated cyber threats like LucidRook and protect their sensitive information from unauthorized access.