LilacSquid APT Employs Open Source Tools, QuasarRAT

Published: 23/11/2024   Category: security




The previously unknown threat actor uses tools similar to those used by North Korean APT groups, according to Cisco Talos.



Researchers have linked a previously unknown advanced persistent threat actor to data exfiltration attacks spanning various sectors in the United States, Europe, and Asia. Some tactics associated with LilacSquid overlap with those used by Andariel, a North Korean threat actor that acts as a sub-cluster within the Lazarus Group.
According to Cisco Talos, the group's methods for initial compromise include exploiting publicly known vulnerabilities to breach Internet-facing application servers, as well as using stolen Remote Desktop Protocol credentials. Once a system is compromised, LilacSquid launches multiple open source tools, such as the open source remote management tool MeshAgent, to connect to an attacker-controlled command-and-control server and conduct reconnaissance. LilacSquid also uses InkLoader, a .NET-based loader, which reads from a hardcoded file path on disk and decrypts its contents.
MeshAgent and InkLoader are used to drop custom malware such as PurpleInk, a custom version of the QuasarRAT Trojan. PurpleInk is both heavily obfuscated and versatile: it can run new applications, perform file operations, collect system information, enumerate directories and running processes, launch a remote shell, and connect to a remote address specified by the command-and-control server.
LilacSquid has also employed Secure Socket Funneling (SSF) to establish tunnels to remote servers.
The tactics, techniques, and procedures used by LilacSquid are similar to those of North Korean APT groups. Andariel is known for using MeshAgent to maintain post-compromise access, and Lazarus extensively employs SOCKS proxy and tunnel tools and custom malware for secondary access and data exfiltration.
LilacSquid, which has been operating since at least 2021, focuses on establishing long-term access to compromised organizations in order to siphon valuable data to attacker-controlled servers, Cisco Talos researchers said. Targeted organizations include information technology organizations building software for the research and industrial sectors in the US, energy companies in Europe, and the pharmaceutical sector in Asia.
