A new malware called LucidRook has recently been identified and is being used in targeted cyberattacks. These attacks are mainly focused on NGOs and universities, especially in Taiwan. Unlike random attacks, this campaign is highly planned and selective. Security researchers have linked it to a threat group known as UAT-10362. This group is believed to be skilled and capable of carrying out advanced cyber operations.

The attackers are using spear-phishing emails as the main method to deliver the malware. These emails are carefully crafted to look genuine and trustworthy. They usually contain links that lead to downloading password-protected compressed files. The content is often written in Traditional Chinese to match the targeted region. This makes the attack more convincing and increases the chances of success. It clearly shows that the campaign is not random but highly targeted.

Once the victim downloads and opens the file, they are shown decoy documents. These documents appear legitimate and often look like official government letters. This creates a sense of trust and reduces suspicion in the user’s mind. While the victim is focused on the document, malicious activities start in the background. This distraction technique helps the attackers carry out the infection silently. By the time the user realizes, the system is already compromised.

The infection process used in this campaign involves multiple steps and techniques. In one method, attackers use shortcut files that appear to be PDF documents. In another method, they use fake software that looks like a real antivirus program. Both approaches are designed to trick the user into running malicious files. These files then install a dropper malware called LucidPawn. This dropper is responsible for delivering the main malware, LucidRook.
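The two lures described above (a shortcut file dressed up as a PDF, and an executable named to look like antivirus software) leave simple traces in the file names and headers of whatever the victim extracts from the archive. The following triage script is an added example written for this article, not code from the researchers who analysed LucidRook: it walks a directory an analyst has already extracted from a suspicious archive and flags document-style double extensions on `.lnk` files, files that carry a Windows shortcut header under a non-`.lnk` name, and executables whose names borrow security-software wording. The lure words, the directory layout and the sample file names are constructed assumptions for illustration.

```python
"""Triage an extracted archive for shortcut and fake-antivirus masquerades.

Added example, not the article's or the researchers' code. Sample names and
the lure-word list below are constructed assumptions.
"""
from __future__ import annotations

import os
import tempfile

# Every Windows .lnk file begins with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".msi"}
# Assumption: generic words a fake security product might use in its file name.
LOOKALIKE_AV_WORDS = ("antivirus", "defender", "security", "scan")


def classify(name: str, head: bytes) -> list[str]:
    """Return the reasons a file looks like a lure; an empty list means none."""
    reasons: list[str] = []
    base, ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(base)
    if ext == ".lnk" and inner_ext in DOC_EXTS:
        reasons.append("shortcut disguised as document (double extension)")
    if head.startswith(LNK_MAGIC) and ext != ".lnk":
        reasons.append("LNK header but extension is not .lnk")
    if ext in EXEC_EXTS and any(w in base for w in LOOKALIKE_AV_WORDS):
        reasons.append("executable named like security software")
    return reasons


def scan_dir(root: str) -> dict[str, list[str]]:
    """Classify every regular file under root; keep only files with findings."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = classify(fname, head)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_dir() -> str:
    """Create a constructed extraction directory mimicking the lure layout."""
    root = tempfile.mkdtemp(prefix="lure-")
    samples = {
        "Official_Letter.pdf.lnk": LNK_MAGIC + b"\x00" * 8,   # shortcut posing as PDF
        "notes.pdf": LNK_MAGIC + b"\x00" * 8,                 # LNK body, PDF name
        "AntivirusSetup.exe": b"MZ\x90\x00",                   # fake security tool
        "decoy_letter.pdf": b"%PDF-1.4\n",                     # harmless decoy
    }
    for fname, body in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_dir(build_sample_dir()).items()):
        print(f"{rel}: {'; '.join(why)}")
```

The header check matters because the double-extension rule alone is defeated by renaming; Windows still honours a shortcut by its content, so a `.lnk` body under any name is worth a look. Extend `DOC_EXTS` and the lure words to match the document types your own users expect to receive.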

LucidRook itself is a highly advanced malware with a flexible design. It works as a stager, meaning it prepares the system for further attacks. The malware includes a built-in Lua interpreter and uses Rust-based components. This allows it to download and run additional malicious payloads when needed. Because of this, the malware can adapt based on the situation. It also makes detection and analysis more difficult for security tools.

Once installed, LucidRook begins collecting system information. This includes details such as user data, installed programs, and running processes. The collected information is encrypted before being sent to attacker-controlled servers. In some cases, it communicates using compromised FTP servers or similar infrastructure. This helps attackers maintain control over the infected system. It also allows them to continue monitoring without being detected easily.

Researchers have also identified another tool linked to this campaign called LucidKnight. This tool is believed to be used before the main malware is deployed. It helps attackers gather basic information about the target system. The collected data can even be sent using services like email. This allows attackers to study their target before launching the main attack. It shows that the entire operation is carefully planned in multiple stages.
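Both the LucidRook exfiltration path above (compromised FTP servers) and the LucidKnight reconnaissance channel (data sent over email services) show up on the network as user workstations pushing unusual volumes of data to external hosts on file-transfer or mail ports. The script below is an added example for this article, not the researchers' detection logic: it reads constructed flow-log lines, aggregates bytes per source, destination and port, and reports workstation-to-external transfers on FTP and SMTP ports above a threshold. The workstation subnet, the byte threshold, the watched ports and the sample flows are all assumptions chosen for the demonstration.

```python
"""Hunt flow logs for workstation uploads to external FTP or mail servers.

Added example, not the article's or the researchers' code. The subnet,
threshold, port list and sample log lines are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumption: the subnet that holds end-user workstations.
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")
# RFC 1918 ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports matching the article's FTP and email channels.
WATCHED_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "submission"}
MIN_BYTES = 50_000  # assumption: ignore aggregated flows smaller than this

# Constructed flow records: timestamp src dst dport bytes_sent
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.20.4.17 203.0.113.5 21 184320
2024-01-01T09:00:05 10.20.4.17 10.20.1.9 445 4096
2024-01-01T09:01:10 10.20.7.3 198.51.100.77 587 121000
2024-01-01T09:02:00 10.20.4.17 203.0.113.5 21 96000
2024-01-01T09:03:00 10.20.9.9 10.20.1.2 21 900000
2024-01-01T09:04:00 10.20.5.5 203.0.113.9 443 300000
"""


def parse_flow(line: str) -> tuple[str, ipaddress.IPv4Address, ipaddress.IPv4Address, int, int]:
    """Split one flow line into (timestamp, src, dst, dport, bytes)."""
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)


def is_external(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_uploads(text: str) -> list[dict]:
    """Aggregate workstation-to-external flows on watched ports over MIN_BYTES."""
    totals: dict[tuple, int] = defaultdict(int)
    first_seen: dict[tuple, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_flow(line)
        if src not in WORKSTATIONS or not is_external(dst) or port not in WATCHED_PORTS:
            continue
        key = (str(src), str(dst), port)
        totals[key] += nbytes
        first_seen.setdefault(key, ts)
    hits = [
        {"src": s, "dst": d, "port": p, "service": WATCHED_PORTS[p],
         "bytes": b, "first_seen": first_seen[(s, d, p)]}
        for (s, d, p), b in totals.items() if b >= MIN_BYTES
    ]
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_FLOWS):
        print(f"{hit['first_seen']} {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"({hit['service']}) {hit['bytes']} bytes")
```

The aggregation step is what makes the rule useful: a stager that trickles data out in small FTP sessions never crosses the threshold on any single flow, but the per-destination sum still does. Internal mail relays and legitimate FTP gateways should be excluded by address rather than by port, so that a workstation bypassing them remains visible.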

Overall, the LucidRook campaign highlights how cyberattacks are becoming more advanced and targeted. The use of phishing emails, fake software, and multi-stage infection methods shows a high level of sophistication. This is not a random attack but a focused effort on specific organizations. It creates serious risks for sensitive data and systems. This situation clearly shows the importance of awareness and strong cybersecurity practices.

Stay alert, and keep your security measures updated!
