The stealthy trilogy of PurpleInk, InkBox and InkLoader
May 30, 2024, 3:32 p.m.
Description
A new data theft campaign, attributed to an advanced persistent threat actor dubbed 'LilacSquid', has been active since at least 2021. The campaign targets diverse victims across various sectors in the United States, Europe, and Asia. It employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT called 'PurpleInk' as primary implants after compromising vulnerable internet-facing application servers. LilacSquid leverages vulnerabilities and compromised RDP credentials to deploy tools like MeshAgent, SSF, PurpleInk, and two malware loaders called 'InkBox' and 'InkLoader' for establishing long-term access and data exfiltration.
Tags
Date
- Created: May 30, 2024, 3:12 p.m.
- Published: May 30, 2024, 3:12 p.m.
- Modified: May 30, 2024, 3:32 p.m.
Indicators
- 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8
- 67.213.221.6
- 45.9.251.14
- 199.229.250.142
Additional Information
- Pharmaceutical
- Technology
- Energy
- United States of America