May 30, 2024 at 12:09PM
Summary:
A new cyber espionage threat actor called LilacSquid has been conducting targeted attacks in the US, Europe, and Asia since 2021, aiming to steal data from organizations in multiple sectors. The actor deploys a mix of open-source tools and custom malware, including a distinctive variant of Quasar RAT codenamed PurpleInk. This campaign shares tactical similarities with North Korean APT groups.
Key Takeaways from Meeting Notes:
1. A new cyber espionage-focused threat actor named LilacSquid has been discovered, engaging in targeted attacks across the U.S., Europe, and Asia since at least 2021.
2. The targets of LilacSquid’s campaign include information technology, energy, and pharmaceutical sectors, indicating a broad victimology footprint.
3. LilacSquid’s attack chains exploit known vulnerabilities or compromised remote desktop protocol (RDP) credentials to deploy a mix of open-source tools and custom malware.
4. The use of an open-source remote management tool called MeshAgent to deliver a bespoke version of Quasar RAT codenamed PurpleInk is a distinctive feature of LilacSquid’s campaign.
5. LilacSquid also makes use of a .NET-based loader called InkLoader to deploy PurpleInk in certain scenarios.
6. PurpleInk, actively maintained by LilacSquid since 2021, is heavily obfuscated and versatile, allowing it to perform various malicious actions.
7. LilacSquid has incorporated tactics previously seen in attacks by North Korean APT groups, such as the use of MeshAgent, tunneling tools like Secure Socket Funneling (SSF), and maintaining secondary access to compromised infrastructure as a fallback.