LilacSquid | |
Other Names | UAT-4820 |
Date of Initial Activity | 2021 |
Suspected Attribution | Unattributed; tradecraft overlaps with North Korean APT groups (Andariel, Lazarus) |
Government Affiliation | No |
Associated Groups | Unknown |
Motivation | Espionage / data theft |
Associated Tools | MeshAgent, PurpleInk (QuasarRAT variant), InkBox, InkLoader, Secure Socket Funneling (SSF) |
Overview
LilacSquid (tracked by Cisco Talos as UAT-4820) is an advanced persistent threat actor engaged in targeted data theft. Active since at least 2021, the group has been linked to a series of long-running intrusions whose aim is sustained access and exfiltration of sensitive data rather than short-lived, financially motivated attacks. It mixes open-source tooling with custom malware to compromise and control victims across several industries, and adapts the toolset to whichever access it already has.
LilacSquid's tradecraft overlaps with that of North Korean APT groups such as Andariel and Lazarus, in particular the use of an open-source remote management tool (MeshAgent) for post-compromise control and of tunneling software (SSF) to hide command-and-control and lateral traffic inside a single encrypted channel. These are overlaps in tooling and technique, not a confirmed attribution, but they show a deliberate effort to blend in with legitimate administration and to keep long-term access rather than to smash and grab.
Defensive Measures
Organizations can detect and mitigate LilacSquid activity with a combination of endpoint, web, email, firewall and DNS-layer controls. Cisco Secure Endpoint, Secure Web Appliance and Secure Email can block and detect the malware and delivery paths associated with this campaign; Cisco Secure Firewall, Umbrella and Secure Malware Analytics cover the network and sandboxing side. Open-source Snort users should pull the latest rule packs from Snort.org for updated detections. Independently of vendor, the tradecraft described below points to a few high-value checks: alert on new installations of remote management agents such as MeshAgent on hosts that are not enrolled in an approved deployment, on RDP logons from sources outside the approved jump hosts, and on tunneling binaries such as SSF running on workstations or servers.
Common targets
Their operations span several industries, including information technology (specifically organizations that build software for research and industrial applications), energy, and pharmaceuticals, with observed activity in the United States, Europe, and Asia.
Attack vectors
Exploitation of vulnerabilities in public-facing applications and internet-exposed servers
Compromised Remote Desktop Protocol (RDP) credentials
Phishing emails carrying malicious attachments or links
How they operate
Infection and Initial Access
LilacSquid uses two main initial access vectors. The first is exploitation of vulnerable public-facing applications: internet-exposed servers running application code with known flaws are exploited to drop the group's malware. The second is the use of compromised Remote Desktop Protocol (RDP) credentials. A logon with valid stolen credentials looks like ordinary administrative access, so it triggers no exploit signatures and gives the actor an interactive session on the target without touching a perimeter vulnerability at all.
After gaining a foothold, LilacSquid deploys tools to establish control and stage further attacks. The first stage of the infection chain is typically MeshAgent, an open-source remote management agent. MeshAgent gives the actor persistent remote access and is used both for reconnaissance and to pull down and launch the next-stage tools, so its appearance on a host that is not enrolled in a legitimate MeshCentral deployment is a strong indicator of this activity.
Deployment of Custom Malware
The primary implant in LilacSquid's arsenal is PurpleInk, a heavily customized variant of the open-source QuasarRAT. PurpleInk is a full-featured Remote Access Trojan (RAT) with system enumeration, file manipulation and process management capabilities, which lets the actor collect information from infected hosts, execute commands and keep a durable foothold in the network. PurpleInk is accompanied by configuration files that are base64-decoded and then decrypted at runtime to yield the parameters it needs to reach its command-and-control (C2) servers, so the C2 addresses are not visible as plain strings on disk.
Another component is InkLoader, a .NET-based loader that runs a hardcoded executable or command. InkLoader is used for persistence, ensuring that PurpleInk is relaunched across reboots, and is typically deployed alongside it.
Advanced Techniques and Tactics
LilacSquid's operations also make use of Secure Socket Funneling (SSF), an open-source tool that proxies and tunnels multiple sockets through a single TLS-encrypted connection. Because everything rides inside one encrypted channel, inspection tools see a single TLS session rather than the RDP, SOCKS or file-transfer traffic it carries, which helps the actor evade detection. SSF, alongside the other tools, gives LilacSquid several parallel channels for data exfiltration and secondary access should one of them be discovered.
For persistence and follow-on exploitation, LilacSquid also uses InkBox, an older custom loader. InkBox reads and decrypts a file from disk and executes the secondary payload it contains, which is typically PurpleInk. Keeping the payload encrypted on disk and decrypting it only in memory keeps the RAT away from file-based scanning, and the modular loader/payload split lets the actor swap either piece without rebuilding the chain.
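The initial-access, MeshAgent and SSF passages above translate directly into host-based hunting rules. The following Python script is an added example, not code from the page, from Cisco Talos or from any of the projects named here. It runs four rules over a handful of constructed Windows events (a stolen-credential RDP logon, a new service install, the remote-management agent spawning a shell, and an SSF tunnel being started). Assumptions: the jump-host allow-list is hypothetical; the "Mesh Agent" service name and MeshAgent.exe binary are the defaults of the public MeshCentral project; ssf.exe, ssfd.exe and ssfcp.exe are the binaries the SSF project ships; the flattened "EventID key=value" format stands in for whatever your SIEM emits; every event line, including the SSF command line, is constructed and not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Each line is a flattened
# Windows event: the Event ID followed by key=value pairs, quoted when the
# value contains spaces. They follow the order a responder would expect:
# stolen-credential RDP logon, RMM install, then the agent spawning
# reconnaissance and an SSF tunnel.
SAMPLE_EVENTS = [
    '4624 Host=WS-0412 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.23',
    '4624 Host=WS-0412 LogonType=10 TargetUserName=jdoe IpAddress=10.20.0.5',
    '4624 Host=WS-0412 LogonType=2 TargetUserName=jdoe IpAddress=-',
    '7045 Host=WS-0412 ServiceName="Mesh Agent" ImagePath="C:\\Program Files\\Mesh Agent\\MeshAgent.exe"',
    '7045 Host=WS-0412 ServiceName="Windows Update Helper" ImagePath="C:\\Users\\Public\\wuhelper.exe"',
    '4688 Host=WS-0412 NewProcessName="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" ParentProcessName="C:\\Windows\\System32\\services.exe" CommandLine="MeshAgent.exe"',
    '4688 Host=WS-0412 NewProcessName="C:\\Windows\\System32\\cmd.exe" ParentProcessName="C:\\Program Files\\Mesh Agent\\MeshAgent.exe" CommandLine="cmd.exe /c whoami /all"',
    '4688 Host=WS-0412 NewProcessName="C:\\Users\\Public\\ssf.exe" ParentProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="ssf.exe -c config.json -D 1080 203.0.113.10"',
    '4688 Host=WS-0412 NewProcessName="C:\\Windows\\System32\\notepad.exe" ParentProcessName="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
]

# Hypothetical allow-list: the only sources from which interactive RDP is expected.
ALLOWED_RDP_SOURCES = {"10.20.0.5"}
# MeshAgent's default Windows service name and binary (public MeshCentral project).
RMM_SERVICE_NAMES = {"mesh agent"}
RMM_IMAGES = {"meshagent.exe"}
# Binaries shipped by the Secure Socket Funneling project.
TUNNEL_IMAGES = {"ssf.exe", "ssfd.exe", "ssfcp.exe"}
# Locations a legitimate service binary should not live in.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'EID k=v k="v v"' into a dict; quoted values keep their spaces."""
    event_id, _, rest = line.partition(" ")
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    fields["EventID"] = event_id
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines) -> list:
    """Apply the four hunting rules to flattened events and return the hits."""
    findings = []
    for ev in map(parse_event, lines):
        eid, host = ev["EventID"], ev.get("Host", "?")
        if eid == "4624" and ev.get("LogonType") == "10":
            # RemoteInteractive (RDP) logon from a source outside the jump-host list.
            src = ev.get("IpAddress", "-")
            if src not in ALLOWED_RDP_SOURCES:
                findings.append(Finding("rdp_from_unapproved_source", host,
                                        f"{ev.get('TargetUserName')} from {src}"))
        elif eid == "7045":
            # New service installed: an RMM agent, or any binary in a user-writable path.
            name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name.lower() in RMM_SERVICE_NAMES or basename(image) in RMM_IMAGES:
                findings.append(Finding("rmm_service_installed", host, f"{name} -> {image}"))
            elif image.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(Finding("service_from_user_writable_path", host, f"{name} -> {image}"))
        elif eid == "4688":
            proc, parent = ev.get("NewProcessName", ""), ev.get("ParentProcessName", "")
            if basename(proc) in TUNNEL_IMAGES:
                findings.append(Finding("ssf_tunnel_process", host, ev.get("CommandLine", "")))
            if basename(parent) in RMM_IMAGES:
                # The remote-management agent spawning shells is the operator working interactively.
                findings.append(Finding("child_of_rmm_agent", host, ev.get("CommandLine", "")))
    return findings


def summarize(findings) -> dict:
    """Count hits per rule, e.g. for a dashboard or an alert threshold."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

On the sample data the script fires once per rule and is silent on the allow-listed RDP logon, the console logon and the benign processes. In a real deployment the same logic maps onto Security 4624/4688/7045 or Sysmon process-creation events; the child_of_rmm_agent rule will also fire on legitimate MeshCentral administration, so baseline which hosts and parent/child pairs are expected before treating it as an alert rather than a hunting lead.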
MITRE Tactics and Techniques
Exploit Public-Facing Application – Exploiting vulnerabilities in web applications and internet-exposed servers (T1190)
Valid Accounts / External Remote Services – Using stolen RDP credentials for initial access (T1078, T1133, T1021.001)
Execution – Running scripts and binaries to launch the malware (T1059, T1203)
Remote Access Software – Deploying MeshAgent for persistent remote control (T1219)
Ingress Tool Transfer – Pulling down SSF, PurpleInk and the loaders through MeshAgent (T1105)
Command and Control – RAT beaconing and SSF tunneling over TLS (T1071, T1572)
Deobfuscate/Decode Files or Information – Base64-decoding and decrypting PurpleInk configuration and InkBox payloads (T1140)
OS Credential Dumping – Gathering credentials from compromised systems (T1003)
Lateral Movement – Moving through the network with legitimate credentials, RDP or exploitation of remote services (T1021, T1078, T1210)
Data Staged – Collecting and staging data for exfiltration (T1074)
Exfiltration Over C2 Channel – Sending stolen data through established C2 channels (T1041)
Impact / Significant Attacks
Pharmaceutical Industry Breach (Asia, 2021–2024): LilacSquid targeted pharmaceutical organizations in Asia, using its custom malware and exploitation techniques to steal sensitive research and development data.
Energy Sector Attack (Europe, 2022–2024): LilacSquid breached organizations in the European energy sector, gaining access through vulnerable public-facing applications and compromised RDP credentials and siphoning off operational data.
IT Sector Breach (United States, 2021–2024): In the U.S., LilacSquid targeted IT organizations that build software for research and industrial applications. Access to these organizations yields insight into their development processes and, because their products are deployed downstream, a potential avenue into the software supply chains of their customers.