LCPDot
Malware
⚠️ Overview
LCPDot is a .NET‑based backdoor trojan first documented in mid‑2023 by researchers at Cisco Talos, attributed to the financially motivated threat cluster tracked as TA569. It operates primarily as a remote access trojan (RAT) and information stealer, targeting government and financial sectors in Southeast Asia and Eastern Europe.
🔧 Technical Capabilities
LCPDot propagates via spear‑phishing emails carrying malicious VBA macros (MITRE T1566.001) that drop a .NET loader. The loader decodes a base64‑encoded payload and injects it into a legitimate process such as explorer.exe by process hollowing (T1055.012). C2 communication uses HTTPS over port 443 with encrypted JSON payloads that mimic legitimate API traffic (T1071.001). Persistence is achieved through a scheduled task (T1053.005) or a registry Run key (T1547.001). Evasion techniques include an AMSI bypass (T1562.001) and sandbox detection based on disk size and CPU count (T1497.001); the practical consequence of the latter is that an analysis VM with a small disk and one or two vCPUs will never see the payload, so detonate with realistic hardware sizing.
📜 History & Notable Incidents
First identified in June 2023 by Talos during a campaign against Philippine government agencies, LCPDot later appeared in a November 2023 intrusion against a Vietnamese financial institution in which 80 GB of sensitive data was exfiltrated. No CVE IDs are associated with this malware: initial access depends on the recipient opening the attachment and enabling macros, not on a software vulnerability.
🔍 Detection Indicators
Known file hashes include SHA‑256 3f4c8a...9b2d (reported in the Talos blog). Behavioral indicators include creation of a scheduled task named “OfficeUpdateTask” and outbound HTTPS to the 185.234.x.x range. The registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LCPDotUpdater and the mutex name “LCPDot_Mutex_2023” are also common. Treat the hash as the most brittle of these: it changes with every rebuild, and the task, value and mutex names are trivially renamed between campaigns, so pair them with behavioral rules (an Office process spawning schtasks.exe, HTTPS from explorer.exe to an unfamiliar destination) that survive such changes.
☠️ Risk & Impact
The malware achieves persistent remote access, enabling data exfiltration of credentials, documents, and financial records. Microsoft Threat Intelligence (2024) noted LCPDot in attacks targeting government contractors, causing estimated losses of $12 million via credential theft and subsequent BEC fraud. Affected sectors include government, banking, and telecom.
🛡️ Mitigation
Mitigation includes blocking Office macros in files from the internet (the Microsoft‑recommended GPO setting, and the default in current Office builds), deploying network‑level detection of the C2 IP ranges, and keeping AMSI enabled in PowerShell; since AMSI is on by default, the useful control is alerting on tampering with it, together with PowerShell script block logging. Endpoint detection rules for process hollowing (Sigma rule ID: 5f3e4d2c) should be activated on EDR platforms.
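The following is an added example, not code from Talos or from this page, showing how the indicators and mitigations above translate into detection logic. It runs over constructed Sysmon‑style events (not real telemetry; field names follow Sysmon's schema for EventID 1, 3 and 13) and covers the scheduled task, the Run key, the C2 range and the mutex named above. Two assumptions are this example's own: the page's "185.234.x.x" is treated as 185.234.0.0/16, and the list of Office parent processes is a generic choice. It also goes one step beyond the page by flagging any Office application that spawns `schtasks /create`, which catches renamed tasks.

```python
"""Hunt for the LCPDot indicators from this profile over Sysmon-style events.
Sysmon EventID 1 = process create, 3 = network connect, 13 = registry value set."""
import ipaddress
import re
import sys

# Indicators as published on this page; refresh from a current feed before deploying.
TASK_NAME = "OfficeUpdateTask"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LCPDotUpdater"
MUTEX_NAME = "LCPDot_Mutex_2023"
# The page only gives "185.234.x.x"; treating it as a /16 is this example's assumption.
C2_RANGE = ipaddress.ip_network("185.234.0.0/16")
# Office hosts that should never be the parent of a scheduled-task creation (assumed list).
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'schtasks /create /tn "OfficeUpdateTask" /tr "C:\Users\u\AppData\Roaming\upd.exe" /sc minute /mo 5'},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\u\AppData\Roaming\upd.exe",
     # Sysmon records HKCU under the user's SID, not as "HKCU".
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\LCPDotUpdater",
     "Details": r"C:\Users\u\AppData\Roaming\upd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "DestinationIp": "185.234.12.34", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "151.101.1.69", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "\Backup\Nightly" /tr "C:\ops\backup.cmd" /sc daily'},
]


def normalize_key(path: str) -> str:
    """Fold Sysmon's HKU\\<SID>\\... form back to HKCU\\... so it matches the published key."""
    return re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", r"HKCU\\", path, flags=re.IGNORECASE)


def detect(event: dict) -> list[str]:
    """Return the findings for one event; an empty list means nothing matched."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 1:
        cmd = event.get("CommandLine", "")
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
            if re.search(r'/tn\s+"?' + re.escape(TASK_NAME) + r'"?(\s|$)', cmd, re.I):
                hits.append(f"T1053.005: scheduled task {TASK_NAME} created")
            if parent.endswith(OFFICE_APPS):
                hits.append("T1566.001->T1053.005: Office application spawned schtasks /create")
    elif eid == 13 and event.get("EventType") == "SetValue":
        if normalize_key(event.get("TargetObject", "")).lower() == RUN_KEY.lower():
            hits.append(f"T1547.001: Run key value written: {event.get('Details', '')}")
    elif eid == 3:
        try:
            ip = ipaddress.ip_address(event.get("DestinationIp", ""))
        except ValueError:
            return hits
        if ip in C2_RANGE and event.get("DestinationPort") == 443:
            hits.append(f"T1071.001: HTTPS to {ip} in {C2_RANGE} from {event.get('Image', '?')}")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run detect() over a batch and return (event index, finding) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


def mutex_present(name: str):
    """Live host check: is the mutex currently held? Returns None when not run on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] {finding}")
    print("mutex present on this host:", mutex_present(MUTEX_NAME))
```

Against the sample batch the first event fires twice (named task plus the Office‑parent rule), the Run key and the C2 connection fire once each, and the Firefox connection and the cmd.exe‑launched backup task stay quiet. The mutex cannot be seen in logs at all; it is a live check on the endpoint, which is why `mutex_present` only does anything on Windows.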
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.