May 31, 2024 at 11:33AM
Researchers uncovered a new cybercrime group, LilacSquid, exhibiting espionage-focused behavior akin to other North Korean state-sponsored groups. LilacSquid has targeted organizations in the US, Europe, and Asia, successfully breaching software, oil and gas, and pharmaceutical companies. The group deploys customized malware, including the heavily obfuscated PurpleInk, to evade detection.
From the meeting notes, it appears that the Infosec researchers have uncovered a previously unknown cybercrime group named LilacSquid that has been operating for three years, engaging in espionage-focused activities across the US, Europe, and Asia. The group has successfully carried out intrusions at a software company in the US, an organization in the oil and gas industry in Europe, and a pharmaceutical business in Asia.
LilacSquid’s modus operandi involves stealing sensitive data while remaining undetected for extended periods, targeting information related to intellectual property, projects, and finances. The group’s activities bear some similarities to those of other North Korean state-sponsored cyber groups, such as Andariel and Lazarus, known for their involvement in cyberespionage and data theft. Notably, LilacSquid has been observed using a customized version of QuasarRAT, named PurpleInk, to carry out its operations.
The group employs various techniques, including the deployment of MeshAgent, proxying and tunneling tools, and the abuse of legitimate remote desktop protocol (RDP) credentials. These methods are used to carry out the infection chain, allowing LilacSquid to compromise targeted systems and maintain remote access.
Furthermore, LilacSquid continuously evolves its malware, with more recent versions containing a limited number of features in order to evade detection. The group’s adaptability and its reuse of existing malware families enable it to minimize development effort and evade traditional detection mechanisms.
In summary, LilacSquid represents a significant cybersecurity threat due to its sophisticated tactics and its capability to carry out targeted attacks across different industries and regions. The group’s use of advanced malware and its ability to adapt its strategies to evade detection necessitate vigilant monitoring and robust security measures within organizations to counter its activities effectively.