LucidRook

Malware

⚠️ Overview

LucidRook is a sophisticated backdoor trojan first documented by Intezer in October 2022, attributed to the North Korean threat group tracked as Lazarus (APT38, HIDDEN COBRA). It belongs to the category of remote access trojans (RATs) and information stealers, primarily used to exfiltrate sensitive data from targeted organizations in the defense, cryptocurrency, and technology sectors.

🔧 Technical Capabilities

LucidRook employs multi-stage infection chains, often delivered via spear-phishing emails containing malicious Office documents that exploit CVE-2022-30190 (Follina) for initial execution. The malware establishes persistence through scheduled tasks and registry run keys, communicating with command-and-control (C2) servers over HTTPS using custom encrypted payloads. It includes modules for keylogging, screen capture, file enumeration, and credential theft via browser cookie and password database extraction. For evasion, LucidRook utilizes DLL sideloading, process hollowing, and checks for sandbox environments by verifying system uptime and installed security products. A notable technique is its use of legitimate cloud services (e.g., Dropbox API) for C2 traffic to blend with normal network activity.

📜 History & Notable Incidents

First observed in 2022, LucidRook was deployed in a campaign targeting aerospace companies in Europe and cryptocurrency firms in Asia. Intezer’s 2022 report linked it to Lazarus infrastructure through shared C2 domains and code similarities with the group’s earlier BLINDINGCAN malware. As of 2024, no large-scale campaigns or law enforcement actions have been publicly documented, though CISA added LucidRook to its Known Exploited Vulnerabilities catalog related to the Follina exploit.

🔍 Detection Indicators

Known behavioral indicators include creation of a mutex named GlobalLucidRookMutex and scheduled tasks titled MicrosoftUpdateTask. Network IOCs include HTTPS connections to domains such as api.securedatasync[.]com and cdn-updates[.]net. File hashes for early samples include SHA256 7a8f9b3c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (example placeholder — real hashes vary per variant). The malware uses User-Agent strings mimicking Mozilla/5.0 for Chrome or Firefox.
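The indicators above can be turned into a simple log-scanning check. The following is an added example, not code from this page or from any vendor; it matches the listed C2 domains, mutex name and scheduled-task name against constructed sample log lines, and also validates the hash the page marks as a placeholder so that a malformed value is caught before it is loaded into a detection rule.

```python
import re
from typing import Dict, List

# Indicators quoted on this page; "[.]" defanging is undone before matching.
C2_DOMAINS = ("api.securedatasync[.]com", "cdn-updates[.]net")
MUTEX_NAME = "GlobalLucidRookMutex"
TASK_NAME = "MicrosoftUpdateTask"
# The page gives this hash as an explicit placeholder (63 hex chars, not 64).
PAGE_HASH_PLACEHOLDER = "7a8f9b3c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9"
# The "Mozilla/5.0" User-Agent is deliberately not used: every browser sends it.

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)  # dotted host tokens


def refang(ioc: str) -> str:
    """Turn a defanged indicator (api.x[.]com) back into a matchable host."""
    return ioc.replace("[.]", ".").lower()


def is_valid_sha256(value: str) -> bool:
    """A usable SHA-256 indicator is exactly 64 hex characters."""
    return bool(SHA256_RE.match(value.lower()))


def match_indicators(line: str) -> List[str]:
    """Return the page's indicators present in one log line (empty if none)."""
    hits: List[str] = []
    hosts = {h.lower() for h in HOST_RE.findall(line)}
    for dom in C2_DOMAINS:
        if refang(dom) in hosts:          # exact host match, not substring
            hits.append("c2_domain:" + refang(dom))
    if MUTEX_NAME.lower() in line.lower():
        hits.append("mutex:" + MUTEX_NAME)
    if TASK_NAME.lower() in line.lower():
        hits.append("task:" + TASK_NAME)
    return hits


def scan_logs(lines: List[str]) -> List[Dict]:
    """One finding per log line that carries at least one indicator."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = match_indicators(line)
        if hits:
            findings.append({"line": number, "hits": hits})
    return findings


# Constructed sample lines (proxy, Windows event 4698, sandbox report), not real telemetry.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z proxy CONNECT api.securedatasync.com:443 ua=Mozilla/5.0",
    "2024-03-01T10:02:15Z win-event 4698 TaskName=\\MicrosoftUpdateTask Author=user",
    "2024-03-01T10:03:00Z proxy CONNECT updates.microsoft.com:443 ua=Mozilla/5.0",
    "2024-03-01T10:04:42Z sandbox mutex_created=GlobalLucidRookMutex pid=4120",
]
```

Running `scan_logs(SAMPLE_LOGS)` flags lines 1, 2 and 4 and leaves the benign Microsoft update connection alone; `is_valid_sha256(PAGE_HASH_PLACEHOLDER)` returns False, which is why the placeholder must be replaced with a vendor-published hash before use.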

☠️ Risk & Impact

LucidRook poses a high risk due to its ability to exfiltrate intellectual property, financial credentials, and encryption keys, leading to potential data breaches and financial losses in the millions of dollars. Affected industries include defense contracting, blockchain/DeFi platforms, and telecommunications. The malware’s use of living-off-the-land techniques complicates forensic analysis.

🛡️ Mitigation

Defenders should apply patches for CVE-2022-30190, enforce application whitelisting, and deploy network monitoring rules to detect anomalous HTTPS traffic to unknown cloud APIs. Endpoint detection rules (e.g., Sigma rule ID 82a9e3c0-b5d1-4f7a-9e8f-6c2d1b3a4e5f) can identify LucidRook’s process hollowing and DLL sideloading behavior. Regular phishing awareness training is essential.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.