LilacSquid APT Uses Open Source Tools to Utilize QuasarRAT


Researchers uncover LilacSquid: a new threat actor linked to data exfiltration attacks across multiple sectors

A new and previously unknown threat actor named LilacSquid has been identified by researchers, who link it to data exfiltration attacks across various sectors in the United States, Europe, and Asia. The group's tactics show similarities to those of the North Korean threat actor Andariel, a sub-cluster within the notorious Lazarus Group.

According to Cisco Talos, LilacSquid's methods for initial compromise include exploiting known vulnerabilities and using stolen credentials to breach Internet-facing application servers. Once a system is breached, the group uses tools such as MeshAgent and InkLoader to connect to a command-and-control server for reconnaissance activities. Additionally, LilacSquid deploys a custom version of the QuasarRAT Trojan called PurpleInk, which is capable of performing various malicious tasks such as collecting system information and launching remote shells.

Furthermore, LilacSquid has been using Secure Socket Funneling (SSF) to establish tunnels to remote servers, potentially to facilitate data exfiltration. The group focuses on maintaining long-term access to compromised organizations, with the aim of stealing valuable data for its own malicious use.

Targeted organizations include information technology firms in the US, energy companies in Europe, and the pharmaceutical sector in Asia. With their sophisticated tactics and focus on data exfiltration, LilacSquid poses a significant threat to organizations worldwide. Stay vigilant and ensure your systems are secure against such advanced persistent threats.
