LilacSquid APT Employs Open Source Tools, QuasarRAT

The previously unknown threat actor uses tools similar to those used by North Korean APT groups, according to Cisco Talos.

Dark Reading Staff, Dark Reading

May 31, 2024

2 Min Read
Caribbean Reef Squid at night on reef.
Source: Stocktrek Images Inc via Alamy Stock Photo

Researchers have linked a previously unknown advanced persistent threat actor to data exfiltration attacks spanning various sectors in the United States, Europe. Some tactics associated with LilacSquid overlap with those used by Andariel, a North Korean threat actor that acts as a sub-cluster within the Lazarus Group.

According to Cisco Talos, the group's methods for initial compromise include exploiting publicly known vulnerabilities to breach Internet-facing application servers as well as using stolen remote desktop protocol credentials. Once the system is compromised, LilacSquid launches multiple open source tools such as open source remote management tool MeshAgent to connect to an attacker-controlled command-and-control server and conduct reconnaissance activities. LilacSquid also uses InkLoader, a .NET-based loader, to read from a hardcoded file path on disk and decrypt contents.

MeshAgent and InkLoader are used drop custom malware such as PurpleInk, a custom version of the QuasarRAT Trojan. PurpleInk is both heavily obfuscated and versatile, and can run new applications, perform file operations, collect system information, enumerate directories and running processes, launch a remote shell, and connect to a specific remote address specified by a command-and-control server.

LilacSquid has also employed Secure Socket Funneling (SSF) to establish tunnels to remote servers.

The tactics, techniques, and procedures used by LilacSquid are similar to those of North Korean APT groups. Andariel is known for using MeshAgent to maintain post-compromise access. Lazarus extensively employs SOCKs proxy and tunnel tools and custom malware for secondary access and data exfiltration.

LilacSquid, which has been operating since at least 20201, focuses on establishing long-term access to compromised organizations to steal valuable data to attacker-controlled servers, Cisco Talos researchers said. Targeted organizations include information technology organizations building software for the research and industrial sectors in the US, energy companies in Europe, and the pharmaceutical sector in Asia.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights