Sunday, November 24, 2024
HomeCyber AttackLilacSquid Hackers Attacking IT Industries To Harvest Confidential Data

LilacSquid Hackers Attacking IT Industries To Harvest Confidential Data

Published on

Hackers target IT industries as they hold valuable data, possess critical infrastructure, and often have access to sensitive information from various sectors. 

Compromising IT companies can provide hackers with high-impact opportunities for espionage, financial gain, and disruption of essential services.

Recently, cybersecurity researchers at Cisco Talos detected that LilacSquid hackers have been actively attacking the IT industries to harvest confidential data.

- Advertisement - SIEM as a Service

LilacSquid Hackers Attacking IT Industries

Talos is confident that the “LilacSquid” APT group has been conducting a data theft campaign since at least 2021, successfully compromising targets in the pharmaceuticals, oil, gas, and technological industries across Asia, Europe, and the U.S. 

Initial access leveraged vulnerabilities and stolen RDP credentials. Post-compromise, LilacSquid deployed the MeshAgent remote access tool, a customized “PurpleInk” variant of QuasarRAT, and open-source proxying tools like SSF, overlapping with TTPs from North Korean groups like Lazarus and Andariel.

All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo 

The campaign establishes longstanding access for data exfiltration, and prior supply chain compromises highlight risks from this type of persistent, advanced threat.

LilacSquid employs two main ways to initiate infections:-

  • Hacking vulnerable web apps
  • Stolen RDP credentials

After breaching, they use programs like MeshAgent for remote access, SSF for secure tunneling and customized malware InkLoader, PurpleInk RAT etc.

During application exploitation, MeshAgent acts as a first point of compromise to allow for the delivery of other implants.

They set up persistence before deploying PurpleInk by placing InkLoader first in reboots when using hacked RDP logins.

This stratified method creates multiple routes of duplicative approaches and techniques that APT uses for information stealing across victims.

LilacSquid’s initial access & activity (Source – Cisco Talos)

PurpleInk is the flagship malware of LilacSquid, a dynamic QuasarRAT variant first seen in 2021. 

This rat is heavily disguised and flexible enough to kill processes, execute code, steal files, collect system details, and pass connections through affected hosts acting as relays. 

However, recent samples in the years of 2023 and 2024 are slighter having sacrificed functions like file management possibly for the sake of stealthiness or evading detection.

This malware’s mainstay features have been maintained through its core reverse shell and proxy ability, showing how threat actors adapt their malware’s functionality iteratively according to operational necessities.

LilacSquid uses a multi-stage infection chain that consists of several malware components. InkBox is a loader that decrypts and executes PurpleInk backdoor payloads.

A different method involves InkLoader, which has run PurpleInk in a separate process since 2023. MeshAgent is an open-source remote management tool commonly used as an initial foothold for deployment using configuration files containing victim identifiers and C2 addresses.

Once compromised, MeshAgent enables further distribution of malware such as SSF or PurpleInk to infected systems, allowing the APT group wide-ranging capabilities for remote access.

This modular approach allows LilacSquid to create redundant access points while hiding their activity.

IOCs

PurpleInk:

  • 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8 

Network IOCs:

  • 67[.]213[.]221[.]6 
  • 192[.]145[.]127[.]190 
  • 45[.]9[.]251[.]14 
  • 199[.]229[.]250[.]142

Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...