U.S.-based IT software providers for the industrial and research sectors, European energy firms, and Asian pharmaceutical entities have been subjected to data exfiltration attacks by advanced persistent threat operation LilacSquid as part of a cyberespionage campaign that commenced in 2021, according to The Hacker News.
Intrusions involved the exploitation of known software bugs and breached remote desktop protocol credentials, with attackers either launching the MeshAgent open-source remote management tool or InkLoader to facilitate the distribution of the PurpleInk malware, which is a custom version of the QuasarRAT trojan, a report from Cisco Talos revealed.
Aside from enabling the execution of new applications and file operations, PurpleInk also allows remote shell deployment, directory and process enumeration, system information gathering, and command-and-control server communications, said researchers, who also noted similarities between the attack techniques and tools used by LilacSquid and Lazarus Group sub-cluster Andariel, including the use of MeshAgent and Secure Socket Funneling.
