Ink Trails by LilacSquid: PurpleInk, InkBox, and InkLoader

Diving into details

• This campaign employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT, dubbed PurpleInk, as primary implants after compromising vulnerable application servers exposed to the internet.
• The data theft campaign exploits vulnerabilities in public-facing application servers and compromised RDP credentials to deploy various open-source tools, such as MeshAgent and SSF. Apart from PurpleInk, the threat actor uses two malware loaders named InkBox and InkLoader.
• Notably, multiple TTPs in this campaign overlap with North Korean APT groups, such as Andariel and its parent group, Lazarus.

Why this matters

• The campaign aims to establish long-term access to compromised organizations, enabling LilacSquid to siphon data to attacker-controlled servers.
• Successful exploitation of the vulnerable application results in the deployment of a script that sets up working directories for the malware and then downloads and executes MeshAgent from a remote server. 
• On execution, MeshAgent connects to its C2, carries out preliminary reconnaissance, and begins downloading and activating other implants on the system, such as SSF and PurpleInk.
• Talos observed LilacSquid deploying InkLoader in conjunction with PurpleInk only when it could successfully create and maintain remote sessions via RDP by exploiting stolen credentials for the target host. 
• A successful RDP login leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk, and subsequently registering InkLoader as a service that starts to deploy InkLoader and, in turn, PurpleInk.

The bottom line