The stealthy trilogy of PurpleInk, InkBox and InkLoader

May 30, 2024, 3:32 p.m.

Description

A new data theft campaign, attributed to an advanced persistent threat actor dubbed 'LilacSquid', has been active since at least 2021. The campaign targets diverse victims across various sectors in the United States, Europe, and Asia. It employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT called 'PurpleInk' as primary implants after compromising vulnerable internet-facing application servers. LilacSquid leverages vulnerabilities and compromised RDP credentials to deploy tools like MeshAgent, SSF, PurpleInk, and two malware loaders called 'InkBox' and 'InkLoader' for establishing long-term access and data exfiltration.

Date

Published: May 30, 2024, 3:12 p.m.

Created: May 30, 2024, 3:12 p.m.

Modified: May 30, 2024, 3:32 p.m.

Indicators

2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

67.213.221.6

45.9.251.14

199.229.250.142

Attack Patterns

MeshAgent

InkLoader

InkBox

PurpleInk

LilacSquid

T1043

T1086

T1048

T1008

T1490

T1064

T1567

T1012

T1095

T1087

T1021

T1070

T1574

T1057

T1105

T1055

T1033

T1027

T1041

T1059

Additional Information

Pharmaceutical

Technology

Energy

United States of America