LilacSquid: Unknown spies have been stealing data from US, European and Asian networks for 3 years

Tomcat

The group's tactics open up a new perspective on its origins.

The undocumented LilacSquid attacker has been conducting targeted attacks on various sectors in the US, Europe and Asia since 2021. Attacks are aimed at stealing data and establishing long-term access to compromised organizations.

Cisco Talos explained that creating long-term access to victims' systems is necessary so that LilacSquid can transfer data to its servers. The attack targets include IT organizations that create software for the research and industrial sectors in the United States, energy companies in Europe, and pharmaceutical companies in Asia.


LilacSquid Infection Chain

LilacSquid attacks use either known vulnerabilities to hack web servers, or compromised RDP credentials to deliver malware and open source tools.

The most notable feature of the campaign is the use of MeshAgent, an open-source remote management tool that serves as a channel for delivering a special version of Quasar RAT codenamed PurpleInk.

Alternative infection methods using compromised RDP credentials include two options: either MeshAgent deployment or installation of the InkLoader .NET loader for PurpleInk delivery. Talos also discovered an InkBox tool that was used to deploy PurpleInk before InkLoader.

PurpleInk, which has been supported by LilacSquid since 2021, is sophisticated and versatile, allowing you to perform file operations, get system information, launch a remote shell, and connect to a C2 server.

The use of MeshAgent is notable because it was previously used by the North Korean attacker Andariel, a division of the Lazarus group, in attacks on South Korean companies. Another overlap with Andariel is the use of tunneling tools to maintain access: LilacSquid uses Secure Socket Funneling (SSF) to create a communication channel with its infrastructure.