Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors

Summary:
A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra. LilacSquid's targets are diverse and include U.S. information technology organizations building software for the research and industrial sectors, energy companies in Europe, and the pharmaceutical sector in Asia. This broad victimology footprint indicates a strategic focus on sectors rich in valuable intellectual property and operational data. The group's attack methods involve exploiting publicly known vulnerabilities to breach internet-facing application servers or using compromised Remote Desktop Protocol (RDP) credentials. This allows them to deliver a mix of open-source tools and custom malware. A standout feature of their campaign is the use of the open-source remote management tool MeshAgent. MeshAgent serves as a conduit to deliver a bespoke version of Quasar RAT codenamed PurpleInk, which has been specifically tailored by LilacSquid.

When leveraging compromised RDP credentials, the attackers may deploy MeshAgent or use a .NET-based loader dubbed InkLoader to install PurpleInk. A successful RDP login is followed by the download of InkLoader and PurpleInk, the copying of these artifacts into specific directories on disk, and the registration of InkLoader as a service. Running that service executes InkLoader, which in turn deploys PurpleInk. PurpleInk, which has been actively maintained by LilacSquid since 2021, is heavily obfuscated and highly versatile. It can run new applications, perform file operations, gather system information, enumerate directories and processes, launch a remote shell, and connect to a specific remote address provided by a command-and-control (C2) server.
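The RDP-login-then-service-registration sequence above is one a defender can hunt for directly. The following is an added example, not code from the Talos report or from this advisory: a small correlation rule that flags a new service installed on a host shortly after an interactive RDP logon to that same host. It assumes Windows event log records already parsed into key=value lines (the field names, the host and user names, and the sample events are constructed for illustration); the event IDs are the standard Windows ones (4624 successful logon, logon type 10 for RemoteInteractive, 7045 for a newly installed service).

```python
"""Correlate RDP logons with subsequent service installations on the same host.

Added example for this advisory; assumes pre-parsed Windows event records.
All sample data below is constructed, not real telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Standard Windows event IDs (assumed to be what the log source emits).
RDP_LOGON_EVENT = 4624          # An account was successfully logged on
RDP_LOGON_TYPE = 10             # Logon type 10 = RemoteInteractive (RDP)
SERVICE_INSTALLED_EVENT = 7045  # A service was installed in the system


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str
    logon_type: Optional[int] = None
    service_name: Optional[str] = None
    image_path: Optional[str] = None


def parse_line(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return Event(
        ts=datetime.fromisoformat(fields["ts"]),
        host=fields["host"],
        event_id=int(fields["event_id"]),
        user=fields["user"],
        logon_type=int(fields["logon_type"]) if "logon_type" in fields else None,
        service_name=fields.get("service_name"),
        image_path=fields.get("image_path"),
    )


def correlate_rdp_then_service(events: Iterable[Event],
                               window: timedelta = timedelta(minutes=30)
                               ) -> List[Tuple[Event, Event]]:
    """Return (rdp_logon, service_install) pairs where a service was
    installed on the same host within `window` after an RDP logon."""
    ordered = sorted(events, key=lambda e: e.ts)
    recent_rdp = {}  # host -> RDP logon events seen so far
    hits = []
    for e in ordered:
        if e.event_id == RDP_LOGON_EVENT and e.logon_type == RDP_LOGON_TYPE:
            recent_rdp.setdefault(e.host, []).append(e)
        elif e.event_id == SERVICE_INSTALLED_EVENT:
            for rdp in recent_rdp.get(e.host, []):
                if timedelta(0) <= e.ts - rdp.ts <= window:
                    hits.append((rdp, e))
    return hits


# Constructed sample events: one RDP logon followed by a service install
# within minutes (suspicious), one network logon (type 3) followed by a
# service install (not RDP), and one RDP logon with a service install
# two hours later (outside the default window).
SAMPLE_LOG = [
    "ts=2024-05-01T09:00:00|host=APP-SRV-01|event_id=4624|user=svc_admin|logon_type=10",
    "ts=2024-05-01T09:04:30|host=APP-SRV-01|event_id=7045|user=SYSTEM|service_name=UpdaterSvc|image_path=C:\\ProgramData\\Updater\\loader.exe",
    "ts=2024-05-01T11:15:00|host=FILE-SRV-02|event_id=4624|user=jdoe|logon_type=3",
    "ts=2024-05-01T11:20:00|host=FILE-SRV-02|event_id=7045|user=SYSTEM|service_name=BackupAgent|image_path=C:\\Program Files\\Backup\\agent.exe",
    "ts=2024-05-01T14:00:00|host=APP-SRV-01|event_id=4624|user=svc_admin|logon_type=10",
    "ts=2024-05-01T16:00:00|host=APP-SRV-01|event_id=7045|user=SYSTEM|service_name=LateSvc|image_path=C:\\Temp\\late.exe",
]


def find_hits(lines: List[str] = SAMPLE_LOG, window_minutes: int = 30):
    """Run the rule over raw log lines and return the correlated pairs."""
    return correlate_rdp_then_service((parse_line(l) for l in lines),
                                      timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for rdp, svc in find_hits():
        print(f"[{svc.host}] RDP logon by {rdp.user} at {rdp.ts:%H:%M} followed by "
              f"new service '{svc.service_name}' ({svc.image_path}) at {svc.ts:%H:%M}")
```

The window is the tunable part: a short window keeps the rule precise, while widening it (the `window_minutes` argument) trades precision for recall, as the third sample pair shows. In practice the hit should be enriched with the service image path and hashed against known-good installers before paging anyone.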


Analyst Comments:
Additionally, Talos identified another custom tool called InkBox, which has been used by the adversary to deploy PurpleInk prior to the use of InkLoader. This indicates a layered and sophisticated approach to malware deployment and persistence. The incorporation of MeshAgent as part of their post-compromise playbook is noteworthy, as this tactic has been previously adopted by the North Korean threat actor Andariel, a sub-cluster within the infamous Lazarus Group, in attacks targeting South Korean companies. This suggests a possible exchange of tactics or common training among different threat actors.

LilacSquid also uses tunneling tools to maintain secondary access, with Secure Socket Funneling (SSF) being deployed to create a communication channel to its infrastructure. This ensures ongoing access and control even if primary access methods are detected and mitigated.


Suggested Corrections:

LilacSquid's multi-faceted approach and use of customized malware highlight the evolving nature of APT threats. Organizations must enhance their security postures, employing comprehensive defense mechanisms and staying vigilant against such sophisticated campaigns.

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

IOCs:
https://blog.talosintelligence.com/lilacsquid/

Link(s):