May 31, 2024 at 04:19PM
Researchers have tied LilacSquid, a newly identified advanced persistent threat actor, to data exfiltration attacks across the United States, Europe, and Asia. The group gains initial access by exploiting known vulnerabilities in Internet-facing application servers and by using stolen remote desktop protocol (RDP) credentials, then establishes control with the open source MeshAgent remote-management tool or its own InkLoader loader before deploying custom malware such as PurpleInk. LilacSquid's objective is long-term access to the networks of targeted sectors so that it can steal data over time.
The new advanced persistent threat actor named LilacSquid has been linked to data exfiltration attacks in the United States, Europe, and Asia. Its tactics resemble those of Andariel, a North Korean threat actor operating within the Lazarus Group. LilacSquid's methods for initial compromise include exploiting known vulnerabilities and using stolen credentials to breach Internet-facing application servers. Once inside, the group either drops MeshAgent, an open source remote-management agent, to connect to an attacker-controlled server, or uses its custom InkLoader to deploy PurpleInk, a heavily obfuscated and versatile implant. LilacSquid has also used Secure Socket Funneling (SSF), an open source tunneling tool, to build tunnels to remote servers, which gives it a persistent channel alongside the implant. The group targets organizations in the information technology, energy, and pharmaceutical sectors with the aim of stealing valuable data. Because the tactics, techniques, and procedures overlap with those of North Korean APT groups, defenders in these sectors should treat unexpected MeshAgent or SSF activity and RDP logons with unfamiliar credentials as worth investigating.