
Intelligence Center

Cisco Talos identified a new threat actor, UAT-10362, targeting Taiwanese organizations with a sophisticated Lua-based malware suite named LucidRook. The attack leverages spear-phishing, DLL sideloading, and compromised FTP servers to deliver staged Lua bytecode payloads while employing strict geo-fencing to evade analysis.

Sens: 24h · Conf: high · Analyzed: 2026-04-08

Authors: Ashley Shen, Cisco Talos

Actors: UAT-10362 · LucidRook · LucidPawn · LucidKnight

Source: Cisco Talos

IOCs · 4

Key Takeaways

  • UAT-10362 is targeting Taiwanese NGOs and universities using a new Lua-based malware family called LucidRook.
  • The attack chain utilizes DLL sideloading via a legitimate Windows DISM binary (index.exe) to execute the LucidPawn dropper.
  • LucidRook embeds a Lua interpreter and Rust-compiled libraries to execute staged Lua bytecode payloads downloaded from compromised FTP servers.
  • The malware employs geo-targeting anti-analysis checks, executing only in Traditional Chinese language environments (zh-TW/zh-HK).
  • A companion reconnaissance tool, LucidKnight, exfiltrates system information via Gmail using the Rust lettre crate.

Affected Systems

  • Windows

Attack Chain

The attack begins with spear-phishing emails delivering malicious LNK or EXE files within password-protected archives. Upon execution, a dropper (LucidPawn) uses DLL sideloading via a legitimate Windows DISM binary (index.exe) to load the LucidRook stager (DismCore.dll). LucidRook performs geo-targeting checks, collects system information, and exfiltrates it to compromised FTP servers. Finally, it downloads and executes a staged Lua bytecode payload from the FTP server using an embedded Lua interpreter.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Snort, ClamAV

Cisco Talos provides ClamAV signatures and Snort 2/3 rules to detect and block LucidRook network activity and file components.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions should easily detect the creation of suspicious LNK files in the Startup folder, the dropping of binaries into %APPDATA% or C:\ProgramData, and the sideloading of DismCore.dll by index.exe or msedge.exe.
  • Network Visibility: Medium. While FTP is used in plaintext (allowing inspection of STOR/RETR commands and archive transfers), the use of legitimate public OAST services (dnslog.ink) and Gmail for exfiltration blends in with normal traffic.
  • Detection Difficulty: Moderate. The heavy use of string obfuscation, embedded Lua interpreters, and geo-fencing makes static analysis difficult, but the behavioral footprint (DLL sideloading, plaintext FTP, Startup folder persistence) provides solid detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon Event ID 11)
  • Network Connections (Sysmon Event ID 3)
  • DNS Queries (Sysmon Event ID 22)

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for execution of the legitimate DISM binary (index.exe) from unexpected directories such as hidden folders or %APPDATA%. | Process Creation | Execution | Low |
| Search for LNK files created in the Windows Startup folder that point to binaries named msedge.exe located outside of the standard Program Files directory. | File Creation | Persistence | Low |
| Identify plaintext FTP connections (port 21) uploading or downloading files named archive1.zip or archive4.zip. | Network Traffic | Command and Control | Medium |
| Monitor for DNS queries to known OAST domains such as digimg.store or dnslog.ink originating from standard user endpoints. | DNS Queries | Execution | Medium |

Control Gaps

  • Lack of strict application control allowing execution from %APPDATA% and C:\ProgramData
  • Permissive outbound FTP rules from user endpoints

Key Behavioral Indicators

  • index.exe loading DismCore.dll
  • Creation of 1.bin, 2.bin, 3.bin in staging directories
  • msedge.exe executing from %APPDATA%\Local\Microsoft\WindowsApps\
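The hunting hypotheses and the key behavioral indicators above, written out as checks over Sysmon-style event records. This is an added example, not detection content from Cisco Talos or the report: the events are constructed for illustration, the field names follow Sysmon (Image, ImageLoaded, TargetFilename, DestinationPort, QueryName), and the set of "trusted" install roots is an assumption for a standard Windows build.

```python
"""Hunting checks for the LucidRook behaviours described in this report, run over
constructed Sysmon-style events (added example; the events below are made up)."""
from __future__ import annotations

from pathlib import PureWindowsPath

# Directories from which the DISM binary and msedge.exe are expected to run
# (assumption: a standard Windows install with no portable or per-user Edge).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# OAST / staging domains named in the report's IOC list.
OAST_DOMAINS = ("dnslog.ink", "digimg.store")
# Staged payload names from the key behavioral indicators.
STAGED_NAMES = {"1.bin", "2.bin", "3.bin"}
# Process names the report associates with the DismCore.dll sideload.
SIDELOAD_HOSTS = {"index.exe", "msedge.exe"}


def norm(path: str) -> str:
    """Lower-case and normalise separators: NTFS paths compare case-insensitively."""
    return path.replace("/", "\\").lower()


def in_trusted_root(path: str) -> bool:
    return norm(path).startswith(TRUSTED_ROOTS)


def base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def hunt(event: dict) -> list[dict]:
    """Return the findings for one event. One event can satisfy several rules."""
    found: list[dict] = []
    eid = event["EventID"]
    image = event.get("Image", "")
    proc = base(image)

    if eid == 1:  # process creation
        if proc == "index.exe" and not in_trusted_root(image):
            found.append({"rule": "dism-binary-from-user-dir", "stage": "Execution", "fp": "Low"})
        if proc == "msedge.exe" and not in_trusted_root(image):
            found.append({"rule": "msedge-outside-program-files", "stage": "Execution", "fp": "Low"})
    elif eid == 7:  # image load: the sideload itself
        loaded = event.get("ImageLoaded", "")
        if proc in SIDELOAD_HOSTS and base(loaded) == "dismcore.dll" and not in_trusted_root(loaded):
            found.append({"rule": "dismcore-sideload", "stage": "Defense Evasion", "fp": "Low"})
    elif eid == 11:  # file creation
        target = event.get("TargetFilename", "")
        if norm(target).endswith(".lnk") and "\\start menu\\programs\\startup\\" in norm(target):
            found.append({"rule": "lnk-in-startup-folder", "stage": "Persistence", "fp": "Low"})
        if base(target) in STAGED_NAMES:
            found.append({"rule": "staged-bin-payload", "stage": "Command and Control", "fp": "Medium"})
    elif eid == 3:  # network connection
        if event.get("Protocol") == "tcp" and event.get("DestinationPort") == 21:
            found.append({"rule": "plaintext-ftp-from-endpoint", "stage": "Command and Control", "fp": "Medium"})
    elif eid == 22:  # DNS query
        qname = event.get("QueryName", "").lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in OAST_DOMAINS):
            found.append({"rule": "oast-domain-lookup", "stage": "Execution", "fp": "Medium"})

    for f in found:
        f["image"] = image
    return found


def hunt_all(events: list[dict]) -> list[dict]:
    return [f for e in events for f in hunt(e)]


USER_DIR = "C:\\Users\\alice\\AppData\\Roaming\\.cache\\"  # constructed staging directory
# Constructed events, not real telemetry. Benign look-alikes are mixed in on purpose.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": USER_DIR + "index.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\Dism.exe"},
    {"EventID": 7, "Image": USER_DIR + "index.exe", "ImageLoaded": USER_DIR + "DismCore.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\Dism.exe",
     "ImageLoaded": "C:\\Windows\\System32\\Dism\\DismCore.dll"},
    {"EventID": 11, "Image": USER_DIR + "index.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msedge.lnk"},
    {"EventID": 11, "Image": USER_DIR + "index.exe", "TargetFilename": "C:\\ProgramData\\2.bin"},
    {"EventID": 3, "Image": USER_DIR + "index.exe", "Protocol": "tcp", "DestinationPort": 21},
    {"EventID": 3, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "Protocol": "tcp", "DestinationPort": 443},
    {"EventID": 22, "Image": USER_DIR + "index.exe", "QueryName": "a1b2c3.dnslog.ink"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.example.com"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Local\\Microsoft\\WindowsApps\\msedge.exe"},
]

if __name__ == "__main__":
    for f in hunt_all(SAMPLE_EVENTS):
        print(f"[{f['fp']:6}] {f['stage']:<19} {f['rule']:<30} {f['image']}")
```

Two limits worth knowing before running this against real telemetry: Sysmon does not record the hidden attribute, so the "hidden folder" part of the first hypothesis cannot be checked from the path alone, and the LNK rule flags any shortcut created in the Startup folder because a file-creation event carries no shortcut target; resolving the target to confirm it points at an msedge.exe outside Program Files needs the LNK contents. The FTP rule is deliberately the medium-FP one from the table; the archive names come from content inspection, which is what the Snort rules cover.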

False Positive Assessment

  • Low for specific IOCs (hashes, C2 IPs). Medium for behavioral hunts like FTP usage or DISM execution, which require tuning to exclude legitimate administrative activity.

Recommendations

Immediate Mitigation

  • Block known C2 IP addresses (1.34.253.131, 59.124.71.242) and OAST domains (digimg.store) at the perimeter.
  • Search endpoints for the presence of DismCore.dll or index.exe in %APPDATA% or C:\ProgramData.
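One way to carry out the endpoint search in the second bullet: walk the user-writable roots the report names, flag files carrying the intrusion set's file names, and compare their SHA256 against the hashes in the IOC list. This is an added example, not tooling from Cisco Talos or the report. The hash table is copied from the IOC list below; the scan here runs over a constructed temporary tree, so a real run would pass %APPDATA% and C:\ProgramData instead.

```python
"""Sweep user-writable roots for the LucidRook file names and hashes listed in this
report (added example; hashes copied from the report's IOC list, scan tree constructed)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from this report's IOC list.
KNOWN_HASHES = {
    "bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d": "LucidPawn dropper, DismCore.dll",
    "edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809": "LucidRook stager, DismCore.dll",
    "0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34": "LucidRook stager, DismCore.dll",
    "d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964": "LucidPawn dropper dropping LucidKnight",
}
# File names the report associates with the intrusion set; matched case-insensitively
# because NTFS is case-insensitive. Only user-writable roots are scanned, so the
# legitimate msedge.exe under Program Files is never touched.
SUSPECT_NAMES = {"dismcore.dll", "index.exe", "msedge.exe", "cleanup.exe"}


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots: list[Path]) -> list[dict]:
    """Return one record per suspect-named file under the given roots, sorted by path.
    A hash match ('known' set) is conclusive; a name-only match needs analyst review."""
    hits: list[dict] = []
    for root in roots:
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and p.name.lower() in SUSPECT_NAMES:
                digest = sha256_file(p)
                hits.append({"path": str(p), "name": p.name, "sha256": digest,
                             "known": KNOWN_HASHES.get(digest)})
    hits.sort(key=lambda h: h["path"])
    return hits


def demo() -> list[dict]:
    """Build a constructed tree mimicking the %APPDATA% and ProgramData roots and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata = Path(tmp) / "AppData" / "Roaming"
        programdata = Path(tmp) / "ProgramData"
        drop_dir = appdata / "Local" / "Microsoft" / "WindowsApps"
        drop_dir.mkdir(parents=True)
        (drop_dir / "DismCore.dll").write_bytes(b"constructed placeholder, not malware")
        programdata.mkdir()
        (programdata / "index.exe").touch()          # empty file: name match only
        (programdata / "notes.txt").write_text("benign")
        return sweep([appdata, programdata])


if __name__ == "__main__":
    for h in demo():
        verdict = h["known"] or "name match, hash unknown: review"
        print(f"{h['sha256'][:16]}...  {h['path']}  ->  {verdict}")
```

Neither constructed file hashes to a listed value, so both come back as name matches to review, which is the realistic outcome on most endpoints: a name hit in %APPDATA% or C:\ProgramData is a lead, and a hash hit is confirmation.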

Infrastructure Hardening

  • Restrict outbound FTP (port 21) traffic from user endpoints to the internet.
  • Implement Application Control (e.g., AppLocker or WDAC) to prevent execution of unapproved binaries from user-writable directories.

User Protection

  • Deploy EDR rules to detect DLL sideloading targeting the DISM framework.
  • Enhance email filtering to block password-protected archives containing LNK or EXE files.

Security Awareness

  • Train users to recognize spear-phishing attempts, especially those delivering password-protected archives and requesting the execution of embedded files.
  • Educate employees on the risks of opening unexpected official-looking documents (e.g., government directives).

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1071.002 - Application Layer Protocol: File Transfer Protocols
  • T1071.003 - Application Layer Protocol: Mail Protocols
  • T1074.001 - Data Staged: Local Data Staging
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Additional IOCs

  • Domains:
    • dnslog[.]ink - Public OAST service abused for execution confirmation
    • smtp[.]gmail[.]com - Abused for email exfiltration by LucidKnight
  • File Hashes:
    • d49761cdbea170dd17255a958214db392dc7621198f95d5eb5749859c603100a (SHA256) - Malicious 7z archive
    • adf676107a6c2354d1a484c2a08c36c33d276e355a65f77770ae1ae7b7c36143 (SHA256) - Malicious archive
    • b480092d8e5f7ca6aebdeaae676ea09281d07fc8ccf2318da2fa1c01471b818d (SHA256) - Forged EXE dropper that drops LucidRook
    • c2d983d3812b5b6d592b149d627b118db2debd33069efe4de4e57306ba42b5dc (SHA256) - Forged EXE dropper that drops LucidRook
    • bdc5417ffba758b6d0a359b252ba047b59aacf1d217a8b664554256b5adb071d (SHA256) - LucidPawn dropper, DismCore.dll
    • f279e462253f130878ffac820f5a0f9ac92dd14ad2f1e4bd21062bab7b99b839 (SHA256) - Malicious LNK
    • 166791aac8b056af8029ab6bdeec5a2626ca3f3961fdf0337d24451cfccfc05d (SHA256) - Malicious LNK
    • edb25fed9df8e9a517188f609b9d1a030682c701c01c0d1b5ce79cba9f7ac809 (SHA256) - LucidRook stager, DismCore.dll
    • 0305e89110744077d8db8618827351a03bce5b11ef5815a72c64eea009304a34 (SHA256) - LucidRook stager, DismCore.dll
    • d8bc6047fb3fd4f47b15b4058fa482690b5b72a5e3b3d324c21d7da4435c9964 (SHA256) - LucidPawn dropper dropping LucidKnight
    • fd11f419e4ac992e89cca48369e7d774b7b2e0d28d0b6a34f7ee0bc1d943c056 (SHA256) - archive1.zip download from C2
  • File Paths:
    • %APPDATA%\Local\Microsoft\WindowsApps\ - Directory where LucidPawn drops decrypted binaries
    • C:\ProgramData - Directory where EXE-based dropper drops files
    • C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat - Legitimate PowerShell script abused to launch embedded malware
  • Command Lines:
    • Purpose: Launch embedded malware via legitimate PowerShell testing framework script | Tools: PowerShell, Build.bat, index.exe | Stage: Execution
  • Other:
    • fexopuboriw972@gmail.com - Gmail account used by LucidKnight for exfiltration
    • crimsonanabel@powerscrews.com - Destination email address for LucidKnight exfiltration
    • DismCore.dll - Filename used for LucidRook stager and LucidPawn dropper
    • index.exe - Legitimate DISM executable abused for DLL sideloading
    • msedge.exe - Renamed DISM executable to impersonate Microsoft Edge
    • Cleanup.exe - Malicious dropper masquerading as Trend Micro security software