LilacSquid APT launches global data theft operation

June 11, 2024

The LilacSquid APT is the alleged operator of the newly discovered data theft campaign that has been operating for nearly three years now. Reports revealed that it targets various industries globally. Some confirmed victims came from IT companies, industrial sectors in the United States, European energy companies, and Asian pharmaceutical companies.

Researchers stated that this campaign uses the open-source remote management tool MeshAgent and a customised version of QuasarRAT dubbed PurpleInk. This group also uses these malicious payloads as primary implants after compromising vulnerable application servers exposed to the Internet.

The data theft effort uses vulnerabilities in public-facing application servers and compromised RDP credentials to launch open-source tools like MeshAgent and SSF. In addition to PurpleInk, the threat actor employs malware loaders called InkBox and InkLoader.

Some researchers also noticed that this campaign’s TTPs are similar to those of North Korean APT groups like Lazarus.


The success of this LilacSquid campaign depends on whether it can establish persistence on a target.


According to investigations, the data theft campaign tries to gain long-term access to affected organisations, allowing the LilacSquid APT group to exfiltrate data to one of its controlled servers.

Next, once the attackers successfully exploit the susceptible application, they execute a script that creates working directories for the malware before downloading and running MeshAgent from a remote server.

Subsequently, MeshAgent connects to its C2, performs preliminary reconnaissance, and starts downloading and activating other system implants, including SSF and PurpleInk.

However, separate research claimed that LilacSquid deploys InkLoader in conjunction with PurpleInk only when it could effectively initiate and sustain remote sessions via RDP by using stolen credentials for the target host.

After a successful RDP login, the attackers download InkLoader and PurpleInk, copy these artefacts to the required disk folders, and then register InkLoader as a service; starting that service launches InkLoader, which in turn deploys PurpleInk.
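The persistence step above (an RDP logon with stolen credentials followed shortly by a new service registration on the same host) is a pairing that defenders can look for in Windows event logs. The script below is an added example, not code from the article or from any of the researchers it cites: it correlates constructed sample records modelled on Security event 4624 with logon type 10 (RemoteInteractive) and System event 7045 (a service was installed), and raises an alert when a service install follows an RDP logon on the same host within a short window. The field names and the sample events are assumptions made for this example.

```python
"""Correlate RDP logons with new service installs on the same host.

Added example, not from the original article. Event records below are
constructed sample data in a simplified dict form; the field names
(ts, host, event_id, logon_type, ...) are assumptions modelled on
Windows event log fields, not taken from any specific tool.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event 4624 logon_type 10 is
# an RDP logon; event 7045 records a new service installation.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T09:00:00", "host": "APP-SRV-01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"ts": "2024-06-01T09:02:30", "host": "APP-SRV-01", "event_id": 7045,
     "service_name": "UpdateSvc",
     "image_path": "C:\\ProgramData\\updater\\loader.exe"},
    # Local console logon (type 2) followed by a service install: not RDP,
    # so this pair should not fire.
    {"ts": "2024-06-01T11:00:00", "host": "APP-SRV-02", "event_id": 4624,
     "logon_type": 2, "user": "admin", "src_ip": "127.0.0.1"},
    {"ts": "2024-06-01T11:01:00", "host": "APP-SRV-02", "event_id": 7045,
     "service_name": "PrintSpoolerHelper",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    # RDP logon with a service install two hours later: outside the window.
    {"ts": "2024-06-02T03:00:00", "host": "APP-SRV-01", "event_id": 4624,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"ts": "2024-06-02T05:00:00", "host": "APP-SRV-01", "event_id": 7045,
     "service_name": "LateSvc", "image_path": "C:\\Temp\\late.exe"},
]

# Service binaries normally live under these roots; anything else is worth a
# closer look (assumption for this example, tune to your environment).
TRUSTED_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample records."""
    return datetime.fromisoformat(value)


def correlate_rdp_service_installs(events, window=timedelta(minutes=15)):
    """Return one alert per service install that follows an RDP logon.

    A 7045 event is matched against the most recent type-10 logon on the same
    host; it fires when the install happens within `window` after the logon.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    recent_rdp = {}  # host -> list of (logon_time, user, src_ip)
    alerts = []
    for e in ordered:
        ts = parse_ts(e["ts"])
        host = e["host"]
        if e["event_id"] == 4624 and e.get("logon_type") == 10:
            recent_rdp.setdefault(host, []).append((ts, e["user"], e["src_ip"]))
        elif e["event_id"] == 7045:
            for logon_ts, user, src_ip in reversed(recent_rdp.get(host, [])):
                delta = ts - logon_ts
                if timedelta(0) <= delta <= window:
                    image = e.get("image_path", "")
                    alerts.append({
                        "host": host,
                        "service_name": e.get("service_name"),
                        "image_path": image,
                        "rdp_user": user,
                        "rdp_src_ip": src_ip,
                        "seconds_after_logon": int(delta.total_seconds()),
                        "untrusted_path": not image.startswith(TRUSTED_ROOTS),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in correlate_rdp_service_installs(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only the first pair fires: a service named UpdateSvc installed from a ProgramData path 150 seconds after an RDP logon by svc_backup. The console logon and the two-hour-later install are left alone, which keeps the rule narrow enough to review by hand; in practice the window and the trusted path roots should be tuned to how administrators in the environment actually deploy services.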

This recent LilacSquid attack shows the constant and dynamic nature of advanced persistent threat groups. As they expand their arsenal and improve their operations, organisations must remain cautious: conduct regular vulnerability assessments, enforce access control mechanisms, and maintain detailed incident response plans to prevent or mitigate their impact.
