Cisco Talos has revealed a new suspected data theft campaign, active since at least 2021, attributed to an APT actor named LilacSquid. It targets a diverse range of victims, including IT organizations developing software for research and industrial sectors in the U.S., energy sector organizations in Europe, and the pharmaceutical sector in Asia, indicating the threat actor's industry-agnostic approach to data theft.
Diving into details
This campaign employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT, dubbed PurpleInk, as primary implants after compromising vulnerable application servers exposed to the internet.
The data theft campaign exploits vulnerabilities in public-facing application servers and compromised RDP credentials to deploy various open-source tools, such as MeshAgent and SSF. Apart from PurpleInk, the threat actor uses two malware loaders named InkBox and InkLoader.
Notably, multiple TTPs in this campaign overlap with North Korean APT groups, such as Andariel and its parent group, Lazarus.
Why this matters
The campaign aims to establish long-term access to compromised organizations, enabling LilacSquid to siphon data to attacker-controlled servers.
Successful exploitation of the vulnerable application results in the deployment of a script that sets up working directories for the malware and then downloads and executes MeshAgent from a remote server.
On execution, MeshAgent connects to its C2, carries out preliminary reconnaissance, and begins downloading and activating other implants on the system, such as SSF and PurpleInk.
Talos observed LilacSquid deploying InkLoader in conjunction with PurpleInk only when it could successfully create and maintain remote sessions via RDP by exploiting stolen credentials for the target host.
A successful RDP login leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk, and subsequently registering InkLoader as a service that starts to deploy InkLoader and, in turn, PurpleInk.
The bottom line
The LilacSquid campaign highlights the persistent and evolving nature of APT actors. As LilacSquid continues to evolve its arsenal and refine its operations, it is crucial for organizations to remain vigilant and implement regular vulnerability assessments, access control mechanisms, and comprehensive incident response plans. Collaboration and information sharing among the cybersecurity community are vital in combating the persistent threats posed by such groups and protecting against data theft and potential supply chain compromises.