LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The campaign leverages vulnerabilities in public-facing application servers to compromise targets. “[This campaign leverages vulnerabilities in public-facing application servers…](translated quote in English)”
• [T1021.001] Remote Services: RDP – Initial access via compromised remote desktop protocol credentials. “[compromised remote desktop protocol (RDP) credentials](translated quote in English)”
• [T1197] BITS Jobs – MeshAgent is typically downloaded by the attackers using the bitsadmin utility. “[MeshAgent is typically downloaded by the attackers using the bitsadmin utility](translated quote in English)”
• [T1105] Ingress Tool Transfer – MeshAgent is downloaded and executed to establish contact with the C2. “[MeshAgent is typically downloaded… and then executed to establish contact with the C2.](translated quote in English)”
• [T1047] Windows Management Instrumentation – Gathers system information about the infected host using WMI queries. “[Gathers system information about the infected host using WMI queries.](translated quote in English)”
• [T1082] System Information Discovery – Information gathered includes processor name, memory, drives, and more. “[Information includes: Processor name, RAM, etc.](translated quote in English)”
• [T1057] Process Discovery – Enumerate the process and send the process ID, name and associated Window Title to the C2. “[Enumerate the process and send the process ID, name and associated Window Title to the C2.](translated quote in English)”
• [T1083] File and Directory Discovery – Enumerate directories to obtain file names and sizes. “[Enumerate a given directory to obtain underlying directory names, file names and file sizes.](translated quote in English)”
• [T1005] Data from Local System – Read a file and exfiltrate its contents. “[Read a file specified by the C2 and exfiltrate its contents.](translated quote in English)”
• [T1543.003] Create or Modify System Process: Windows Service – InkLoader/service creation to persist. “[sc create TransactExDetect displayname=Extended Transaction Detection… start= auto]”
• [T1140] Deobfuscate/Decode Data – PurpleInk configuration is base64-decoded and decrypted. “[base64-decoded and decrypted to obtain the configuration strings…](translated quote in English)”
• [T1572]Protocol Tunneling – SSF tunnels via TLS to remote servers for proxying and exfiltration. “[Secure Socket Funneling (SSF)… proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer.](translated quote in English)”
• [T1090] Proxy – Lazarus-like use of SOCKS proxy and tunneling tools for secondary access and exfiltration. “[SOCKs proxy and tunneling tools, along with custom-made malware…](translated quote in English)”
• [T1041] Exfiltration Over C2 Channel – Data exfiltration to attacker-controlled servers via C2. “[exfiltration to attacker-controlled servers.](translated quote in English)”