Researchers have identified a new advanced persistent threat actor known as LilacSquid, which has been conducting data exfiltration attacks across various sectors in the United States and Europe. The tactics employed by LilacSquid have similarities to those used by Andariel, a North Korean threat actor affiliated with the Lazarus Group.
According to findings from Cisco Talos, LilacSquid gains initial access by exploiting known vulnerabilities in Internet-facing application servers and by logging in with stolen remote desktop protocol (RDP) credentials. Once inside, the group deploys MeshAgent, an open source remote-management agent, to reach its command-and-control servers and perform reconnaissance, alongside InkLoader, a custom .NET-based loader that reads and decrypts a payload from a specific file on disk.
MeshAgent and InkLoader are both used to deploy LilacSquid's custom malware, notably PurpleInk, a heavily customized variant of the open source QuasarRAT Trojan. PurpleInk is highly obfuscated and versatile: it can execute new applications, perform file operations, gather system information, enumerate directories and running processes, launch remote shells, and connect to a remote address supplied by the command-and-control server.
In addition, LilacSquid has been observed using Secure Socket Funneling (SSF), an open source tunnelling tool, to open tunnels to remote servers for data exfiltration. These methods closely mirror those of North Korean APT groups: Andariel is known to use MeshAgent to maintain access after compromise, and Lazarus combines SOCKS proxy and tunnelling tools with custom malware for secondary access and exfiltration.
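The access chain described above (stolen RDP credentials, then a remote-management agent, then a tunnelling tool on the same host) is something a detection engineer can hunt for directly. The following is an added example, not code from Cisco Talos or from this article: it correlates simplified, constructed Windows Security 4624 (remote-interactive logon, type 10) and Sysmon event ID 1 (process creation) records and flags a host where an RDP logon is followed within a time window by an agent binary and then a tunnelling binary. The process names in `AGENT_NAMES` and `TUNNEL_NAMES`, the JSON event shape and the sample records are all assumptions for illustration.

```python
"""Hunt for RDP logon -> remote-management agent -> tunnelling tool chains.

Added example, not Cisco Talos code. Event layout is a simplified
construction modelled on Security 4624 / Sysmon 1; binary names are assumed.
"""
import json
from datetime import datetime, timedelta

# Assumed process names to watch; adjust to what your telemetry shows.
AGENT_NAMES = {"meshagent.exe"}
TUNNEL_NAMES = {"ssfc.exe", "ssfs.exe", "ssfd.exe"}  # hypothetical SSF binaries

# Constructed sample telemetry (raw string so the JSON keeps its backslashes).
# srv01: RDP logon, MeshAgent dropped in a user-writable path, then a tunnel.
# ws07: a sanctioned MeshAgent service start after a local logon (benign).
SAMPLE_LOG = r"""
{"ts":"2024-05-01T02:10:00","event_id":4624,"host":"srv01","user":"svc_backup","logon_type":10,"src_ip":"203.0.113.7"}
{"ts":"2024-05-01T02:14:30","event_id":1,"host":"srv01","user":"svc_backup","image":"C:\\Users\\Public\\MeshAgent.exe","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2024-05-01T02:20:05","event_id":1,"host":"srv01","user":"svc_backup","image":"C:\\Users\\Public\\ssfc.exe","parent":"C:\\Users\\Public\\MeshAgent.exe"}
{"ts":"2024-05-01T09:00:00","event_id":4624,"host":"ws07","user":"alice","logon_type":2,"src_ip":"-"}
{"ts":"2024-05-01T09:05:00","event_id":1,"host":"ws07","user":"alice","image":"C:\\Program Files\\Mesh Agent\\MeshAgent.exe","parent":"C:\\Windows\\System32\\services.exe"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_access_chains(events, window=timedelta(minutes=30)):
    """Return one hit per RDP logon (4624, logon type 10) that is followed,
    on the same host and under the same user within `window`, by an agent
    binary; any tunnelling binary seen after the agent is attached to the hit.
    Agent activity without a preceding RDP logon is deliberately not flagged."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    hits = []
    for i, logon in enumerate(events):
        if logon.get("event_id") != 4624 or logon.get("logon_type") != 10:
            continue
        t0 = datetime.fromisoformat(logon["ts"])
        agent, tunnels = None, []
        for proc in events[i + 1:]:
            if (proc.get("event_id") != 1 or proc["host"] != logon["host"]
                    or proc["user"] != logon["user"]):
                continue
            if datetime.fromisoformat(proc["ts"]) - t0 > window:
                break  # events are sorted, nothing later can qualify
            name = basename(proc["image"])
            if agent is None and name in AGENT_NAMES:
                agent = proc
            elif agent is not None and name in TUNNEL_NAMES:
                tunnels.append(proc)
        if agent is not None:
            hits.append({
                "host": logon["host"],
                "user": logon["user"],
                "src_ip": logon["src_ip"],
                "logon_ts": logon["ts"],
                "agent": agent["image"],
                "agent_parent": agent["parent"],
                "tunnels": [p["image"] for p in tunnels],
            })
    return hits


if __name__ == "__main__":
    for hit in find_access_chains(parse_events(SAMPLE_LOG)):
        print(json.dumps(hit, indent=2))
```

Run against the constructed sample, only `srv01` is reported: the workstation `ws07` also runs MeshAgent, but from its installed location under `services.exe` and after a local logon, which is exactly the benign case a detection keyed on the binary name alone would mis-flag. In production, feed real 4624/Sysmon records in the same shape and tune the window and name sets to your environment.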
Operating since at least 2021, LilacSquid’s primary objective is to establish persistent access to compromised organizations and exfiltrate valuable data to servers controlled by the threat actors. The targets of these attacks have included information technology firms developing software for research and industrial sectors in the US, energy companies in Europe, and pharmaceutical companies in Asia, according to researchers from Cisco Talos.
The LilacSquid campaign is a reminder that unpatched Internet-facing applications and reusable RDP credentials are still enough for initial access, and that legitimate remote-management agents and tunnelling tools appearing outside sanctioned deployments deserve investigation. Organizations in the targeted sectors should patch exposed application servers, protect RDP with strong authentication, and monitor for the post-compromise tooling described here.

