Cisco Talos has uncovered LucidRook, a new Lua-based modular malware attributed to the threat group UAT-10362 and delivered through spear-phishing campaigns against NGOs and universities in Taiwan. The malware uses two infection chains, one LNK-based and one EXE-based, with the EXE chain impersonating Trend Micro antivirus software. LucidRook's key feature is an embedded Lua interpreter, which lets operators deliver and update second-stage payloads as Lua bytecode without modifying the core binary, improving stealth and operational flexibility. It performs system reconnaissance, encrypts the collected data with RSA, and exfiltrates it via FTP. A related tool, LucidKnight, abuses Gmail SMTP for data exfiltration. The full post-infection payload remains unknown because researchers could not capture a decryptable Lua bytecode sample.