Stratos Ally

LilacSquid APT Leverages Open Source Tools in Sophisticated Attacks

StratosAlly

Researchers have linked a previously unknown Advanced Persistent Threat (APT) actor, LilacSquid, to a series of data exfiltration attacks targeting various sectors across the United States and Europe. The tactics of LilacSquid bear striking similarities to those used by Andariel, a North Korean sub-cluster within the infamous Lazarus Group.

According to Cisco Talos, LilacSquid’s methods for initial compromise include exploiting known vulnerabilities in Internet-facing application servers and using stolen Remote Desktop Protocol (RDP) credentials. Once inside, LilacSquid deploys open source tools like MeshAgent to establish a connection with an attacker-controlled Command-and-Control (C2) server. This tool enables reconnaissance activities and facilitates further exploitation.

A key component of their toolkit is InkLoader, a .NET-based loader designed to read from a hardcoded file path and decrypt its contents. This sophisticated loader is used to drop custom malware such as PurpleInk, a heavily obfuscated version of the QuasarRAT Trojan. PurpleInk’s capabilities include running new applications, performing file operations, collecting system information, and establishing a remote shell.

For example, consider an energy company in Europe: LilacSquid breaches their server by exploiting a vulnerability in a web application. Using MeshAgent, they establish a foothold and deploy InkLoader to install PurpleInk. This malware then communicates with the C2 server, allowing attackers to siphon sensitive data back to their own servers.

LilacSquid has also been noted for using Secure Socket Funneling (SSF) to create encrypted tunnels to remote servers, enhancing their ability to maintain stealthy, long-term access to compromised networks.

This APT group’s advanced techniques and persistent attacks underline the growing sophistication of cyber threats, highlighting the critical need for robust cybersecurity measures across all sectors.