Hackers target IT industries as they hold valuable data, possess critical infrastructure, and often have access to sensitive information from various sectors.
Compromising IT companies can provide hackers with high-impact opportunities for espionage, financial gain, and disruption of essential services.
Recently, cybersecurity researchers at Cisco Talos detected that LilacSquid hackers have been actively attacking the IT industries to harvest confidential data.
LilacSquid Hackers Attacking IT Industries
Talos is confident that the “LilacSquid” APT group has been conducting a data theft campaign since at least 2021, successfully compromising targets in the pharmaceuticals, oil, gas, and technological industries across Asia, Europe, and the U.S.
Initial access leveraged vulnerabilities and stolen RDP credentials. Post-compromise, LilacSquid deployed the MeshAgent remote access tool, a customized “PurpleInk” variant of QuasarRAT, and open-source proxying tools like SSF, overlapping with TTPs from North Korean groups like Lazarus and Andariel.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
The campaign establishes longstanding access for data exfiltration, and prior supply chain compromises highlight risks from this type of persistent, advanced threat.
LilacSquid employs two main ways to initiate infections:-
- Hacking vulnerable web apps
- Stolen RDP credentials
After breaching, they use programs like MeshAgent for remote access, SSF for secure tunneling and customized malware InkLoader, PurpleInk RAT etc.
During application exploitation, MeshAgent acts as a first point of compromise to allow for the delivery of other implants.
They set up persistence before deploying PurpleInk by placing InkLoader first in reboots when using hacked RDP logins.
This stratified method creates multiple routes of duplicative approaches and techniques that APT uses for information stealing across victims.
PurpleInk is the flagship malware of LilacSquid, a dynamic QuasarRAT variant first seen in 2021.
This rat is heavily disguised and flexible enough to kill processes, execute code, steal files, collect system details, and pass connections through affected hosts acting as relays.
However, recent samples in the years of 2023 and 2024 are slighter having sacrificed functions like file management possibly for the sake of stealthiness or evading detection.
This malware’s mainstay features have been maintained through its core reverse shell and proxy ability, showing how threat actors adapt their malware’s functionality iteratively according to operational necessities.
LilacSquid uses a multi-stage infection chain that consists of several malware components. InkBox is a loader that decrypts and executes PurpleInk backdoor payloads.
A different method involves InkLoader, which has run PurpleInk in a separate process since 2023. MeshAgent is an open-source remote management tool commonly used as an initial foothold for deployment using configuration files containing victim identifiers and C2 addresses.
Once compromised, MeshAgent enables further distribution of malware such as SSF or PurpleInk to infected systems, allowing the APT group wide-ranging capabilities for remote access.
This modular approach allows LilacSquid to create redundant access points while hiding their activity.
IOCs
PurpleInk:
- 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8
Network IOCs:
- 67[.]213[.]221[.]6
- 192[.]145[.]127[.]190
- 45[.]9[.]251[.]14
- 199[.]229[.]250[.]142
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.