
LilacSquid targets the IT, energy and pharmaceutical sectors

May 30, 2024 | Newsroom | Cyber espionage / Threat intelligence

A previously undocumented cyber espionage group, LilacSquid, has been linked to targeted attacks across sectors in the United States (US), Europe and Asia as part of a data theft campaign that has been ongoing since at least 2021.

“The campaign aims to establish long-term access to compromised victim organizations to allow LilacSquid to transmit data of interest to servers controlled by the attackers,” Cisco Talos researcher Asheer Malhotra said in a new technical report released today.

Targets include IT organizations that create software for the research and industrial sectors in the US, energy companies in Europe, and the pharmaceutical sector in Asia, indicating a broad footprint of victimology.

Attack chains have been observed either exploiting publicly known vulnerabilities to compromise internet-facing application servers or using compromised Remote Desktop Protocol (RDP) credentials, in both cases to deliver a combination of open source tools and custom malware.


The campaign’s most distinctive feature is the use of an open-source remote management tool called MeshAgent, which serves as a delivery channel for a customized version of Quasar RAT, codenamed PurpleInk.

Alternative infection procedures using compromised RDP credentials exhibit a slightly different modus operandi, with threat actors choosing to either deploy MeshAgent or drop a .NET-based loader called InkLoader to drop PurpleInk.

“A successful RDP login downloads InkLoader and PurpleInk, copies these artifacts to selected directories on disk, and then registers InkLoader as a service, which then starts deploying InkLoader and, in turn, PurpleInk,” Malhotra said.

Actively maintained by LilacSquid since 2021, PurpleInk is both heavily obfuscated and versatile, allowing the operators to launch new applications, perform file operations, obtain system information, enumerate directories and processes, launch a remote shell, and connect to a specific remote address provided by the command and control (C2) server.

Talos said it had identified another custom tool called InkBox that was allegedly used by the adversary to deploy PurpleInk before InkLoader.


The inclusion of MeshAgent in their post-compromise strategy is notable in part because it is a tactic previously adopted by a North Korean cybercriminal group called Andariel, a subgroup within the infamous Lazarus Group, in attacks targeting South Korean companies.

Another overlap concerns the use of tunneling tools to maintain secondary access, with LilacSquid using Secure Socket Funneling (SSF) to create a communication channel to its infrastructure.

“Many of the tactics, techniques, tools and procedures (TTPs) used in this campaign have some overlap with North Korean APT groups such as Andariel and its parent umbrella group Lazarus,” Malhotra said.
