Cisco Talos researchers have identified LilacSquid, an undocumented APT active since at least 2021, conducting data theft across multiple regions and industries. The group uses open-source tools like MeshAgent and customized malware (PurpleInk, InkBox, InkLoader) and gains access via internet-facing server exploits and stolen RDP credentials. #LilacSquid #PurpleInk #InkBox #InkLoader #MeshAgent #QuasarRAT #Andariel #Lazarus
Keypoints
- LilacSquid is a previously undocumented APT active since 2021, conducting data theft across diverse industries.
- Targets include IT and industrial sectors in the U.S., energy in Europe, and pharma in Asia.
- The group leverages open-source tools (MeshAgent) and customized malware (PurpleInk, InkBox, InkLoader) for post-compromise activity.
- Access is gained by exploiting internet-facing application servers and compromising RDP credentials.
- SSF (Secure Socket Funneling) is used to proxy and tunnel traffic through TLS for covert communications.
- InkLoader registers as a Windows service to maintain persistence and facilitate deployment of PurpleInk.
MITRE Techniques
- [T1021.001] Remote Services: Remote Desktop Protocol – LilacSquid uses RDP and remote access tooling to reach and operate on compromised hosts; “The attackers exploited vulnerabilities in Internet-facing application servers and compromised remote desktop protocol (RDP) credentials to deploy a variety of open-source tools, including MeshAgent and Secure Socket Funneling (SSF), alongside customized malware, such as ‘PurpleInk,’ and ‘InkBox’ and ‘InkLoader’ loaders.”
- [T1078] Valid Accounts – Access gained by compromising RDP credentials; “compromised remote desktop protocol (RDP) credentials”
- [T1572] Protocol Tunneling – Tunneling traffic through TLS via Secure Socket Funneling; “Secure Socket Funneling (SSF) tool allows attackers to proxy and tunnel multiple sockets through a secure TLS tunnel.”
- [T1105] Ingress Tool Transfer – Downloaded InkLoader and PurpleInk after access; “after a successful RDP login, attackers downloaded InkLoader and PurpleInk, copied to specific directories”
- [T1543.003] Create or Modify System Process: Windows Service – InkLoader registered as a service to maintain execution; “InkLoader is registered as a service.”
- [T1140] Deobfuscate/Decode Files or Information – InkBox decrypts its contents before execution; “InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents.”
- [T1057] Process Discovery – Enumerating processes during operation; “Enumerating processes and sending details to the C2.”
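The service-persistence technique above (T1543.003) is the most concrete detection opportunity the summary gives a defender: a loader dropped into an unusual directory and registered as an auto-start service. The following is an added illustration written for this page, not code from Cisco Talos, the article, or any of the tools named here. It walks a constructed set of Windows System log “service installed” events (Event ID 7045), flattened to dicts as a SIEM might store them, and flags installs whose binary runs from outside the usual program directories. The field names, trusted-directory list and every sample path are assumptions for the example; none of the values are indicators from the report.

```python
"""
Triage helper for Windows service installs (Event ID 7045) that land outside
the directories legitimate services normally run from. Added example for this
page; the log schema, directory list and sample values are all assumptions.
"""
from typing import Dict, Iterable, List

# Roots a legitimately installed service binary usually lives under. A binary
# anywhere else (user profiles, Public, ProgramData, temp) gets surfaced for
# review. This list is an assumption for the example, not from the report.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample of Event ID 7045 records as a SIEM might flatten them.
# Service names and paths are placeholders, not real indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "7045", "ServiceName": "Windows Update Medic Service",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k WaaSMedicSvc",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": "7045", "ServiceName": "UpdateSvc",
     "ImagePath": "C:\\Users\\Public\\Libraries\\svc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # A remote-management agent installed from an unexpected location. Whether
    # this is sanctioned tooling or attacker-deployed is a triage question; the
    # rule only surfaces it.
    {"EventID": "7045", "ServiceName": "Mesh Agent",
     "ImagePath": "\"C:\\ProgramData\\agent\\meshagent.exe\" --service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # A service state-change event (7036), not an install: must be ignored.
    {"EventID": "7036", "ServiceName": "Spooler", "ImagePath": "",
     "StartType": "", "AccountName": ""},
]


def executable_path(image_path: str) -> str:
    """Return the executable portion of an ImagePath, lower-cased.

    Handles quoted paths ("C:\\Program Files\\x\\a.exe" -arg) and bare ones
    (C:\\Windows\\System32\\svchost.exe -k netsvcs). A bare, unquoted path that
    itself contains spaces is truncated at the first space; that is a known
    limit of this simple parser.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end > 0 else s[1:]).lower()
    return s.split(" ", 1)[0].lower()


def flag_service_installs(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per 7045 event whose binary is outside TRUSTED_ROOTS.

    An auto-start service running as LocalSystem from such a path is the
    persistence shape described for InkLoader, so that combination is recorded
    as an extra reason to raise the finding's priority.
    """
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "7045":
            continue  # only service-install events are relevant here
        exe = executable_path(ev.get("ImagePath", ""))
        reasons: List[str] = []
        if not exe.startswith(TRUSTED_ROOTS):
            reasons.append("binary outside trusted directories")
            if (ev.get("StartType", "").lower() == "auto start"
                    and ev.get("AccountName") == "LocalSystem"):
                reasons.append("auto-start as LocalSystem")
        if reasons:
            findings.append({"service": ev.get("ServiceName", ""),
                             "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_service_installs(SAMPLE_EVENTS):
        print(f"{f['service']}: {f['exe']} ({'; '.join(f['reasons'])})")
```

Run against the constructed sample, the rule skips the svchost-hosted service and the 7036 event and surfaces the two installs from Public and ProgramData. In production the trusted-root list would be extended with the organisation's own deployment paths, and the remote-management hit would be checked against the approved RMM inventory before being escalated.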
Indicators of Compromise
- [Tool] InkBox – malware loader used to deploy other components
- [Loader] InkLoader – .NET-based loader that registers as a service to deploy PurpleInk
- [Malware] PurpleInk – primary post-exploitation implant
- [Tool/Agent] MeshAgent – open-source remote management tool used for access
- [Malware] QuasarRAT – referenced as the base for PurpleInk
- [Credential] RDP credentials – used to access target networks
- [Tool] Secure Socket Funneling (SSF) – TLS-based tunneling/proxy tool
Read more: https://securityaffairs.com/163927/apt/lilacsquid-targeted-orgs-in-us-europe-asia.html