Lucid PhAAS Platform Uses RCS and iMessage to Evade Detection

The cybersecurity landscape has been disrupted by the emergence of Lucid, a sophisticated Phishing-as-a-Service (PhAAS) platform developed by Chinese-speaking threat actors.

This advanced toolkit enables cybercriminals to conduct large-scale phishing campaigns, targeting 169 entities across 88 countries globally.

Lucid’s innovation lies in its exploitation of Rich Communication Services (RCS) and Apple’s iMessage protocol to circumvent traditional SMS-based detection mechanisms.

By leveraging these IP-based messaging services, threat actors can bypass network-level filtering typically employed by telecom providers to combat spam.

XinXin Group Spearheads PhAAS Ecosystem

The XinXin group, identified as the primary operator behind Lucid, has established a complex ecosystem of interconnected PhAAS platforms.

Alongside Lucid, the group utilizes Darcula and Lighthouse, demonstrating a high degree of coordination and shared infrastructure.

LARVA-242, a key figure within the XinXin group, serves as the developer and administrator of Lucid.

The platform’s operations are supported by a structured hierarchy, including administrators, customer service representatives, and affiliates who purchase access to the service.

Technical Sophistication and Global Reach

Lucid’s technical capabilities are formidable. The platform offers customizable phishing templates, real-time monitoring of victim interactions, and automated attack delivery mechanisms.

According to the Report, its infrastructure includes 129 active instances and over 1,000 registered domains, positioning it among the most prominent PhAAS platforms globally.

The platform’s targeting is diverse, encompassing postal services, courier companies, toll payment systems, and financial institutions.

Campaigns impersonate legitimate organizations to deceive victims into providing sensitive information, including credit card details and personally identifiable information (PII).

Lucid’s evasion techniques are particularly noteworthy.

The platform employs IP blocking, user-agent filtering, and sophisticated obfuscation methods to prolong the lifespan of its phishing sites.

Additionally, it features a built-in card generator for efficient validation and exploitation of stolen payment data.

The emergence of Lucid and its associated platforms marks a significant shift in the underground economy.

Chinese-speaking threat actors are demonstrating increased innovation and scalability in their operations, challenging existing cybersecurity paradigms.

As these PhAAS platforms continue to evolve, understanding their dynamics and enhancing detection mechanisms will be crucial for mitigating their impact on global cybersecurity.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.