Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed “LilacSquid.”
This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.
Use of Open-Source Tools and Customized Malware
The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as “PurpleInk,” as primary implants after compromising vulnerable application servers exposed to the internet.
LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.
LilacSquid’s Long-Term Access for Data Theft through Persistence
Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers.
The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology.
LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials.
Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk.
MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants.
On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.
PurpleInk Implant of LilacSquid
PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.
“Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.”
It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection.
InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader.
Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.
Parallels with North Korean APT Groups
The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers.
The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide.
IoCs to detect LilacSquid’s PurpleInk infection:
PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8
Network IOCs
67[.]213[.]221[.]6
192[.]145[.]127[.]190
45[.]9[.]251[.]14
199[.]229[.]250[.]142