New Nork-ish cyberespionage outfit uncovered after three years

Infosec researchers revealed today a previously unknown cybercrime group that's been on the prowl for three years and is behaving like some of the more dangerous cyber baddies under Kim Jong-Un's watch.

Cisco Talos has been looking into the espionage-focused group they're calling LilacSquid after observing attacks on a variety of organizations in the US, Europe, and Asia. The Talos team has seen at least three successful break-ins at a software company (US), an organization in the oil and gas industry (Europe), and a pharma biz (Asia).

El Reg asked for specifics about these attacks and Asheer Malhotra, threat researcher at Cisco Talos, said all manner of sensitive files were in scope for the attackers, who could go undetected for significant lengths of time.

"LilacSquid tries to steal data of interest to the actor – such data may be specific to the type of victim and can range from information pertaining to any intellectual properties, projects, finances, etc," he said. 

"The intention of such compromises is to fly under the radar for as long as possible without being detected. APT operations such as the one conducted by LilacSquid can go undetected for years if organizations fail to monitor and block unauthorized activities in their environments."

The researchers said LilacSquid's tradecraft bears a few resemblances to that of other North Korean state-sponsored groups, such as Andariel and its parent Lazarus, but didn't go as far as firmly attributing the group to the hermit nation.

North Korea is known for its efforts to generate revenue through cybercrime – a focus of its operations in recent years that's involved tactics ranging from working legitimate, remote jobs at US tech companies to deploying full-scale ransomware attacks.

While it's generally seen as the least sophisticated of the four main adversarial nations to the West, it's still capable in other areas such as cyberespionage and data theft. As Lazarus has also proved in recent years, it's well-equipped to carry out advanced supply chain attacks, including those at 3CX and X_Trader.

Malhotra said the similarities between LilacSquid and more established Nork groups largely lie in the parallel use of open source, dual-use tools with bespoke malware to establish multiple streams of access to a single machine.

LilacSquid has been spotted dropping MeshAgent after compromising victims – an app to remotely control desktop sessions. The same software has also been used repeatedly by Andariel, a group known for its ransomware endeavors.

The newly uncovered group also extensively uses proxying and tunneling tools, such as Secure Socket Funneling (SSF) – as does Lazarus, Talos blogged. Lazarus is Kim's most advanced cybercrime outfit, and is roped in for the more technically demanding jobs, like supply chain attacks.

It's also known for deploying custom malware, as is LilacSquid, which has been spotted using what Talos calls PurpleInk – a "heavily customized version of QuasarRAT."

Although QuasarRAT has been around since at least 2014, the PurpleInk variant has been spread by LilacSquid since 2021 and has been continuously evolving since then. 

Talos said it's a "heavily obfuscated," "highly versatile implant", earlier versions of which included capabilities such as reading and exfiltrating specified files over C2, launching applications on the host, gathering various information about the host and its drives, process enumeration, file and directory deletion, starting remote shells, and more.

"The use of QuasarRAT may serve two purposes for the threat actor. Firstly, a ready-to-use, readily available malware family can be used to operationalize their campaigns relatively rapidly. Using existing malware families also helps the threat actor reduce their development efforts and thwart attribution at the same time," said Malhotra. 

"Secondly, customizing and heavily obfuscating existing malware families such as QuasarRAT enables threat actors to mitigate traditional detection mechanisms such as file signature-based detections."

More recent versions, deployed across 2023 and 2024, are more heavily stripped back and contain just a small number of features, likely as a means to evade detection. PurpleInk can still close connections to proxy servers, send and receive data from connected proxies, and crucially, create a reverse shell that can be used to carry out previous capabilities such as file management.

"Adversaries frequently strip, add, and stitch together functionalities to reduce their implant's footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities," Talos' researchers said.

The PurpleInk malware is used across both primary LilacSquid infection chains – exploiting vulnerabilities in web apps and abusing legitimate remote desktop protocol (RDP) credentials.

When a web app is compromised, LilacSquid then runs a script that executes MeshAgent before deploying other implants on a system. 

The infection chain alters slightly when compromised RDP credentials are abused. LilacSquid either followed the previous routine of deploying MeshAgent and then other implants such as PurpleInk and SSF, or it deployed a different loader researchers call InkLoader, the researchers postulate.

• North Korea building cash reserves using ransomware, video games
• South Korea targets Moon and Mars landings after launching unified space agency
• Three cuffed for 'helping North Koreans' secure remote IT jobs in America
• Russia, Iran pose most aggressive threat to 2024 elections, say infoseccers

According to Talos' intelligence, InkLoader has only ever been seen deploying PurpleInk, but it's likely able to deploy other malware too.

"Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via RDP by exploiting the use of stolen credentials to the target host," Talos blogged.

"A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk."

Malhotra said LilacSquid doesn't have a preference for either infection method – "they use whatever gets them inside the enterprise." ®