Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors
Summary:
A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra. LilacSquid's targets are diverse and include U.S. information technology organizations building software for the research and industrial sectors, energy companies in Europe, and the pharmaceutical sector in Asia. This broad victimology footprint indicates a strategic focus on sectors rich in valuable intellectual property and operational data. The group's attack methods involve exploiting publicly known vulnerabilities to breach internet-facing application servers or using compromised Remote Desktop Protocol (RDP) credentials. This allows them to deliver a mix of open-source tools and custom malware. A standout feature of their campaign is the use of the open-source remote management tool MeshAgent. MeshAgent serves as a conduit to deliver a bespoke, LilacSquid-tailored version of Quasar RAT codenamed PurpleInk.
When leveraging compromised RDP credentials, the attackers may deploy MeshAgent or use a .NET-based loader dubbed InkLoader to install PurpleInk. Successful RDP logins lead to the download of InkLoader and PurpleInk, the copying of these artifacts into specific directories on disk, and the registration of InkLoader as a service. The service then executes InkLoader, which in turn deploys PurpleInk. PurpleInk, which has been actively maintained by LilacSquid since 2021, is heavily obfuscated and highly versatile. It can run new applications, perform file operations, gather system information, enumerate directories and processes, launch a remote shell, and connect to a specific remote address provided by a command-and-control (C2) server.
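The RDP-login-then-service-registration chain described above, as an added detection example (not code from the Talos report or LilacSquid tooling): it correlates a RemoteInteractive (RDP) logon with a new service installation on the same host within a short window, run over constructed sample events whose host, account, service and path values are placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalised form (not data from the
# Talos report). Event IDs are real Windows IDs: 4624 = account logon, where
# LogonType 10 means RemoteInteractive (RDP); 7045 = a new service was installed.
# Host, account, service and path values are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-05-20T02:11:05", "id": 4624, "host": "APP-SRV-01",
     "user": "svc_backup", "logon_type": 10},
    {"ts": "2024-05-20T02:13:40", "id": 7045, "host": "APP-SRV-01",
     "service": "UpdaterSvc", "image": r"C:\ProgramData\Updater\loader.exe"},
    {"ts": "2024-05-20T09:00:00", "id": 4624, "host": "APP-SRV-02",
     "user": "jdoe", "logon_type": 10},
    {"ts": "2024-05-20T13:45:00", "id": 7045, "host": "APP-SRV-02",
     "service": "PrintHelper", "image": r"C:\Program Files\Vendor\helper.exe"},
    {"ts": "2024-05-20T03:00:00", "id": 4624, "host": "APP-SRV-03",
     "user": "localadmin", "logon_type": 2},
    {"ts": "2024-05-20T03:02:00", "id": 7045, "host": "APP-SRV-03",
     "service": "AgentSvc", "image": r"C:\Temp\agent.exe"},
]

# Heuristic roots for legitimate service binaries; tune per estate.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

def unusual_image_path(image):
    """True when the service binary lives outside the usual system roots."""
    return not image.lower().startswith(TRUSTED_ROOTS)

def correlate_rdp_to_service(events, window_minutes=30):
    """Flag every 7045 service install that follows an RDP (LogonType 10) logon
    on the same host within `window_minutes`. Returns a list of alert dicts."""
    window = timedelta(minutes=window_minutes)
    rdp_logons = {}  # host -> [(logon_time, account), ...]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == 10:
            rdp_logons.setdefault(e["host"], []).append((t, e["user"]))
        elif e["id"] == 7045:
            for logon_time, account in rdp_logons.get(e["host"], []):
                if logon_time <= t <= logon_time + window:
                    alerts.append({
                        "host": e["host"], "account": account,
                        "service": e["service"], "image": e["image"],
                        "minutes_after_logon": (t - logon_time).total_seconds() / 60,
                        "unusual_path": unusual_image_path(e["image"]),
                    })
    return alerts

if __name__ == "__main__":
    for alert in correlate_rdp_to_service(SAMPLE_EVENTS):
        print(alert)
```

Only APP-SRV-01 fires: APP-SRV-02's service install is hours after the logon, and APP-SRV-03's logon is interactive (LogonType 2), not RDP.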
Analyst Comments:
Additionally, Talos identified another custom tool called InkBox, which has been used by the adversary to deploy PurpleInk prior to the use of InkLoader. This indicates a layered and sophisticated approach to malware deployment and persistence. The incorporation of MeshAgent as part of their post-compromise playbook is noteworthy, as this tactic has been previously adopted by the North Korean threat actor Andariel, a sub-cluster within the infamous Lazarus Group, in attacks targeting South Korean companies. This suggests a possible exchange of tactics or common training among different threat actors.
LilacSquid also uses tunneling tools to maintain secondary access, with Secure Socket Funneling (SSF) being deployed to create a communication channel to its infrastructure. This ensures ongoing access and control even if primary access methods are detected and mitigated.
Suggested Corrections:
LilacSquid's multi-faceted approach and use of customized malware highlight the evolving nature of APT threats. Organizations must enhance their security postures, employing comprehensive defense mechanisms and staying vigilant against such sophisticated campaigns.

Link(s):
https://blog.talosintelligence.com/lilacsquid/