Since at least 2021, a data theft campaign involving targeted attacks across multiple industries in the United States (U.S.), Europe, and Asia has been associated with LilacSquid, a threat actor with a history of cyber espionage.
In a new technical analysis released today, Cisco Talos analyst Asheer Malhotra stated, “The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers.”
Targets have a wide victimology footprint: they include information technology businesses that develop software for the industrial and research sectors in the United States, energy companies in Europe, and pharmaceutical companies in Asia.
Attack chains are known to combine open-source tools with bespoke malware, gaining initial access either by exploiting publicly known vulnerabilities in internet-facing application servers or by using compromised remote desktop protocol (RDP) credentials.
The most notable aspect of the campaign is the use of MeshAgent, an open-source remote management tool that acts as a conduit for the delivery of PurpleInk, a customized version of Quasar RAT.
The infection chains that rely on compromised RDP credentials take a somewhat different approach: in those cases the threat actors either install MeshAgent or drop PurpleInk using a .NET-based loader called InkLoader.
“A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk,” Malhotra explained.
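The sequence described above (an RDP logon followed shortly by a new service being registered and started) is something a defender can look for directly in Windows event logs. The following is an added example written for this article, not code from Talos or from the report it summarizes: it correlates logon events (event ID 4624 with logon type 10, i.e. RemoteInteractive/RDP) with service-installation events (event ID 7045) on the same host inside a time window. The event IDs and logon type are real Windows values; the log lines, the simplified `key=value` format, and the hostnames, usernames and paths are constructed sample data.

```python
"""Added example: correlate an RDP logon with a service installed soon afterwards.

Windows event 4624 (logon; LogonType 10 = RemoteInteractive/RDP) and event 7045
(a new service was installed) are real event IDs. Everything else here (the
line format, hosts, users, paths) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample log: one RDP logon followed 88 seconds later by a new service
# on SRV01; an RDP logon on SRV02 with a service install three hours later; and a
# service install on SRV03 with no preceding RDP logon at all.
SAMPLE_LOG = """\
2024-05-30T10:01:12 host=SRV01 id=4624 user=svc_backup logon_type=10 src_ip=203.0.113.7
2024-05-30T10:02:40 host=SRV01 id=7045 service=UpdaterSvc path=C:\\ProgramData\\updater\\loader.exe start=auto
2024-05-30T11:15:03 host=SRV02 id=4624 user=admin logon_type=10 src_ip=10.0.0.5
2024-05-30T14:15:03 host=SRV02 id=7045 service=HelperSvc path=C:\\Windows\\System32\\helper.exe start=auto
2024-05-30T15:00:00 host=SRV03 id=7045 service=Printer path=C:\\Windows\\System32\\spool.exe start=auto
"""


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> host=... id=... k=v ...' into an Event."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(
        ts=datetime.fromisoformat(ts_str),
        host=fields.pop("host"),
        event_id=int(fields.pop("id")),
        fields=fields,
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def correlate_rdp_then_service(
    events: list[Event], window: timedelta = timedelta(minutes=30)
) -> list[dict]:
    """Return one alert per 7045 event that follows a type-10 (RDP) logon on the
    same host within `window`. The alert carries the logon's user and source IP
    plus the service name and binary path so an analyst can triage it."""
    rdp_logons = [
        e for e in events if e.event_id == 4624 and e.fields.get("logon_type") == "10"
    ]
    alerts = []
    for svc in (e for e in events if e.event_id == 7045):
        for logon in rdp_logons:
            delta = svc.ts - logon.ts
            if logon.host == svc.host and timedelta(0) <= delta <= window:
                alerts.append(
                    {
                        "host": svc.host,
                        "user": logon.fields.get("user"),
                        "src_ip": logon.fields.get("src_ip"),
                        "service": svc.fields.get("service"),
                        "path": svc.fields.get("path"),
                        "seconds_after_logon": int(delta.total_seconds()),
                    }
                )
    return alerts


if __name__ == "__main__":
    for alert in correlate_rdp_then_service(parse_log(SAMPLE_LOG)):
        print(alert)
```

Only the SRV01 pair produces an alert: the SRV02 service install is outside the 30-minute window and SRV03 has no RDP logon at all. In a real SIEM the window, the set of hosts where RDP is expected, and an allow-list of legitimate service installers would all need tuning, but the shape of the rule (interactive remote logon followed by persistence via a new service) is the point.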
Actively maintained since 2021 by LilacSquid, PurpleInk is highly obfuscated and versatile, capable of launching a remote shell, connecting to a specific remote address provided by a command-and-control (C2) server, running new applications, performing file operations, obtaining system information, enumerating directories and processes, and more.
Talos also reports discovering another bespoke utility, named InkBox, which the adversary is believed to have used to deploy PurpleInk before InkLoader came into use.
The inclusion of MeshAgent in LilacSquid's post-compromise playbook is notable because the tool was previously used by Andariel, a sub-cluster of the notorious North Korean Lazarus Group, in attacks against South Korean organizations.
LilacSquid also uses Secure Socket Funneling (SSF) to establish a communication channel with its infrastructure, another area of overlap in the use of tunneling tools to maintain secondary access.
“Multiple tactics, techniques, tools, and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus,” said Malhotra.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.