The stealthy trilogy of PurpleInk, InkBox and InkLoader
May 30, 2024, 3:32 p.m.
Description
A new data theft campaign, attributed to an advanced persistent threat actor dubbed 'LilacSquid', has been active since at least 2021. The campaign targets diverse victims across various sectors in the United States, Europe, and Asia. It employs MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT called 'PurpleInk' as primary implants after compromising vulnerable internet-facing application servers. LilacSquid leverages vulnerabilities and compromised RDP credentials to deploy tools like MeshAgent, SSF, PurpleInk, and two malware loaders called 'InkBox' and 'InkLoader' for establishing long-term access and data exfiltration.
Date
Published: May 30, 2024, 3:12 p.m.
Created: May 30, 2024, 3:12 p.m.
Modified: May 30, 2024, 3:32 p.m.
Indicators
2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8
67.213.221.6
45.9.251.14
199.229.250.142
Attack Patterns
MeshAgent
InkLoader
InkBox
PurpleInk
LilacSquid
T1043
T1086
T1048
T1008
T1490
T1064
T1567
T1012
T1095
T1087
T1021
T1070
T1574
T1057
T1105
T1055
T1033
T1027
T1041
T1059
Additional Information
Pharmaceutical
Technology
Energy
United States of America