LilacSquid Threat Actor, Reported by Cisco Talos, Launches Worldwide Attack Using PurpleInk Malware against Multiple Sectors

A recent report by Cisco Talos revealed the activities of a cyber espionage threat actor known as LilacSquid (also tracked as UAT-4820). LilacSquid targets organizations in various sectors across the US, Europe, and Asia by exploiting vulnerable web applications or using compromised Remote Desktop Protocol (RDP) credentials to infect systems with the custom PurpleInk malware. The threat actor's tactics, techniques, and procedures show similarities to those of North Korea's advanced persistent threat groups Andariel and Lazarus.

After initial compromise, LilacSquid uses the MeshAgent remote-management software to maintain access and employs proxy and tunneling tools to connect with Lazarus and share resources. Initial access comes from exploiting vulnerable web applications or using compromised RDP credentials; the actor then deploys MeshAgent and executes the PurpleInk implant. PurpleInk, based on QuasarRAT, collects system information, launches remote shells, and communicates with remote addresses.

To mitigate the cybersecurity risk posed by LilacSquid, organizations should keep web applications updated and patched, implement strict RDP policies with multi-factor authentication, monitor network communications for suspicious activity, and raise employee awareness about cyber threats. Deployment of endpoint detection solutions is recommended to detect malicious activities.
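As an added illustration of the monitoring advice above (example code, not from the TechRepublic article or the Talos report), the script below triages a batch of Windows events for the two behaviours the article attributes to LilacSquid: RDP logons from outside the networks where they are expected, and a MeshAgent service being installed for persistence. The event records are constructed and simplified, the trusted network range is an assumption, and the MeshAgent service-name pattern is an assumed heuristic to adapt to your environment.

```python
import ipaddress
import re

# Constructed sample events: simplified fields from Security 4624 (logon) and System 7045 (service install) records.
SAMPLE_EVENTS = [
    {"id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.20.1.15", "host": "FS01"},
    {"id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.44", "host": "FS01"},
    {"id": 4624, "logon_type": 2, "user": "jdoe", "src_ip": "127.0.0.1", "host": "WS07"},
    {"id": 7045, "service_name": "Mesh Agent",
     "image_path": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "host": "FS01"},
    {"id": 7045, "service_name": "Backup Scheduler",
     "image_path": r"C:\Program Files\Vendor\sched.exe", "host": "WS07"},
]

# Assumed: networks from which interactive RDP (logon type 10) is expected; anything else is flagged.
TRUSTED_RDP_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed naming heuristic for the MeshAgent service or binary; adjust to the build seen in your environment.
MESHAGENT_PATTERN = re.compile(r"mesh\s*agent", re.IGNORECASE)


def rdp_from_untrusted(event):
    """True for a RemoteInteractive (type 10) logon whose source address is outside the trusted networks."""
    if event.get("id") != 4624 or event.get("logon_type") != 10:
        return False
    src = ipaddress.ip_address(event["src_ip"])
    return not any(src in net for net in TRUSTED_RDP_NETS)


def meshagent_install(event):
    """True for a 7045 service install whose name or image path matches the MeshAgent heuristic."""
    if event.get("id") != 7045:
        return False
    text = event.get("service_name", "") + " " + event.get("image_path", "")
    return bool(MESHAGENT_PATTERN.search(text))


def triage(events):
    """Return (host, reason, detail) findings; hosts showing both signals are listed first."""
    findings = []
    for e in events:
        if rdp_from_untrusted(e):
            findings.append((e["host"], "rdp_untrusted_source", f'{e["user"]} from {e["src_ip"]}'))
        elif meshagent_install(e):
            findings.append((e["host"], "meshagent_service_install", e["image_path"]))
    rdp_hosts = {h for h, r, _ in findings if r == "rdp_untrusted_source"}
    mesh_hosts = {h for h, r, _ in findings if r == "meshagent_service_install"}
    both = rdp_hosts & mesh_hosts  # the RDP-then-MeshAgent chain described for LilacSquid
    return sorted(findings, key=lambda f: (f[0] not in both, f[0], f[1]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events, only FS01 shows both an RDP logon from an untrusted source and a MeshAgent service install, so its two findings are ranked first for investigation.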

Article Source
https://www.techrepublic.com/article/cisco-talos-lilacsquid-purpleink-malware/