Hackers are increasingly targeting IT industries due to their valuable data and critical infrastructure. Recently, cybersecurity researchers at Cisco Talos identified the LilacSquid APT group actively attacking these industries to harvest confidential information. This group has been conducting a data theft campaign since at least 2021, successfully compromising sectors such as pharmaceuticals, oil, gas, and technology across Asia, Europe, and the U.S.
LilacSquid employs vulnerabilities and stolen RDP credentials for initial access, subsequently deploying tools like the MeshAgent remote access tool, a customized “PurpleInk” variant of QuasarRAT, and open-source proxying tools like SSF. Their tactics and techniques overlap with those used by North Korean groups such as Lazarus and Andariel. The campaign aims to establish longstanding access for data exfiltration, highlighting the risks posed by persistent, advanced threats.
The hackers initiate infections through hacking vulnerable web applications and using stolen RDP credentials. Post-compromise, they use tools like MeshAgent for remote access and SSF for secure tunneling, deploying customized malware such as InkLoader and PurpleInk RAT. PurpleInk, their flagship malware, is a dynamic QuasarRAT variant capable of killing processes, executing code, stealing files, and collecting system details. Recent versions have sacrificed some functions to enhance stealth and evade detection.
LilacSquid’s infection chain involves several malware components, including InkBox, which decrypts and executes PurpleInk payloads, and InkLoader, which has been used since 2023 to run PurpleInk in a separate process. MeshAgent serves as an initial foothold, enabling further distribution of malware like SSF or PurpleInk to infected systems. This modular approach allows LilacSquid to create redundant access points while concealing their activities.
Reference:
