LilacSquid APT Employs Open Source Tools, QuasarRAT
The previously unknown threat actor uses tools similar to those used by North Korean APT groups, according to Cisco Talos.
Researchers have linked a previously unknown advanced persistent threat actor to data exfiltration attacks spanning various sectors in the United States and Europe. Some tactics associated with LilacSquid overlap with those used by Andariel, a North Korean threat actor that operates as a sub-cluster within the Lazarus Group.
According to Cisco Talos, the group's methods for initial compromise include exploiting publicly known vulnerabilities to breach Internet-facing application servers as well as using stolen remote desktop protocol credentials. Once the system is compromised, LilacSquid launches multiple open source tools such as open source remote management tool MeshAgent to connect to an attacker-controlled command-and-control server and conduct reconnaissance activities. LilacSquid also uses InkLoader, a .NET-based loader, to read from a hardcoded file path on disk and decrypt contents.
MeshAgent and InkLoader are used to drop custom malware such as PurpleInk, a customized version of the QuasarRAT Trojan. PurpleInk is both heavily obfuscated and versatile: it can run new applications, perform file operations, collect system information, enumerate directories and running processes, launch a remote shell, and connect to a specific remote address specified by a command-and-control server.
LilacSquid has also employed Secure Socket Funneling (SSF) to establish tunnels to remote servers.
The tactics, techniques, and procedures used by LilacSquid are similar to those of North Korean APT groups. Andariel is known for using MeshAgent to maintain post-compromise access. Lazarus extensively employs SOCKS proxy and tunneling tools and custom malware for secondary access and data exfiltration.
LilacSquid, which has been operating since at least 2021, focuses on establishing long-term access to compromised organizations in order to exfiltrate valuable data to attacker-controlled servers, Cisco Talos researchers said. Targeted organizations include information technology organizations building software for the research and industrial sectors in the US, energy companies in Europe, and the pharmaceutical sector in Asia.