A previously undocumented cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States (U.S.), Europe, and Asia as part of a data theft campaign since at least 2021.
"The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers," Cisco Talos researcher Asheer Malhotra said in a new technical report published today.
Targets include information technology organizations building software for the research and industrial sectors in the U.S., energy companies in Europe, and the pharmaceutical sector in Asia, indicating a broad victimology footprint.
Attack chains are known to either exploit publicly known vulnerabilities to breach internet-facing application servers or employ compromised remote desktop protocol (RDP) credentials to deliver a mix of open-source tools and custom malware.
The campaign's most distinctive feature is the use of an open-source remote management tool called MeshAgent, which serves as a conduit to deliver a bespoke version of Quasar RAT codenamed PurpleInk.
Alternate infection procedures leveraging compromised RDP credentials exhibit a slightly different modus operandi, wherein the threat actors choose to either deploy MeshAgent or drop a .NET-based loader dubbed InkLoader to drop PurpleInk.
"A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk," Malhotra said.
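The RDP path described above (interactive remote logon, followed within minutes by a new service being registered on the same host) is a pattern a detection engineer can hunt for directly. The following is an added example, not code from Talos or from the report: it correlates Windows Security event 4624 with logon type 10 (RemoteInteractive) against System event 7045 (a new service was installed) on the same host inside a configurable window, and flags service binaries living outside the usual vendor directories. The event records and the service name, path, user and IP in them are constructed sample data, not indicators from the campaign.

```python
"""Correlate RDP logons (4624, type 10) with subsequent service installs (7045).

Added example for hunting the RDP -> service-registration chain described in
the article. Sample events below are constructed, not real LilacSquid telemetry.
"""
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP) in Security event 4624
SERVICE_INSTALLED = 7045     # System log: "A service was installed in the system"
LOGON = 4624

# Directories where legitimately installed service binaries normally live.
# Anything else (ProgramData, user profiles, temp) is treated as suspicious.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed, already-parsed events (hypothetical names, IPs and paths).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:58:12", "host": "APP01", "event_id": LOGON,
     "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.45"},
    {"time": "2024-05-01T10:00:41", "host": "APP01", "event_id": SERVICE_INSTALLED,
     "service": "UpdaterSvc", "image": r"C:\ProgramData\updater\updater.exe"},
    {"time": "2024-05-01T10:05:00", "host": "APP01", "event_id": LOGON,
     "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"time": "2024-05-01T14:30:00", "host": "FS02", "event_id": SERVICE_INSTALLED,
     "service": "GoogleUpdate", "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe"},
    {"time": "2024-05-02T08:00:00", "host": "FS02", "event_id": LOGON,
     "logon_type": 10, "user": "admin", "src_ip": "10.0.0.9"},
]


def is_unusual_service_path(image):
    """Heuristic: service binary not under a trusted install directory."""
    return not image.lower().startswith(TRUSTED_PREFIXES)


def find_rdp_then_service(events, window_minutes=30):
    """Return one finding per 7045 that follows a type-10 4624 on the same host.

    Only logons that precede the install (non-negative delta) within the window
    count; a network logon (type 3) or a different host does not pair up.
    """
    window = timedelta(minutes=window_minutes)
    logons = [e for e in events
              if e["event_id"] == LOGON and e.get("logon_type") == RDP_LOGON_TYPE]
    installs = [e for e in events if e["event_id"] == SERVICE_INSTALLED]

    findings = []
    for svc in installs:
        t_svc = datetime.fromisoformat(svc["time"])
        for lg in logons:
            if lg["host"] != svc["host"]:
                continue
            delta = t_svc - datetime.fromisoformat(lg["time"])
            if timedelta(0) <= delta <= window:
                findings.append({
                    "host": svc["host"],
                    "user": lg["user"],
                    "src_ip": lg["src_ip"],
                    "service": svc["service"],
                    "image": svc["image"],
                    "delta_seconds": int(delta.total_seconds()),
                    "unusual_path": is_unusual_service_path(svc["image"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_rdp_then_service(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']}@{f['src_ip']} RDP logon, then service "
              f"'{f['service']}' ({f['image']}) installed {f['delta_seconds']}s later"
              f"{' [UNUSUAL PATH]' if f['unusual_path'] else ''}")
```

In production the event list would come from a SIEM query rather than an inline list, and the window should be tuned to the environment; the point is that the correlation key is host plus time ordering, not the account, because the attacker is using a legitimate credential.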
PurpleInk, actively maintained by LilacSquid since 2021, is both heavily obfuscated and versatile, allowing it to run new applications, perform file operations, gather system information, enumerate directories and processes, launch a remote shell, and connect to a specific remote address provided by a command-and-control (C2) server.
Talos said it identified another custom tool called InkBox that is said to have been used by the adversary to deploy PurpleInk prior to InkLoader.
The incorporation of MeshAgent as part of their post-compromise playbooks is noteworthy in part because it is a tactic previously adopted by a North Korean threat actor named Andariel, a sub-cluster within the infamous Lazarus Group, in attacks targeting South Korean companies.
Another overlap concerns the use of tunneling tools to maintain secondary access, with LilacSquid deploying Secure Socket Funneling (SSF) to create a communication channel to its infrastructure.
"Multiple tactics, techniques, tools, and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus," Malhotra said.