CTI Roundup: TargetCompany Ransomware, LilacSquid Cyber Espionage, & DarkGate Malware

TargetCompany’s Linux variant threatens ESXi environments with new methods, LilacSquid targets multiple sectors, and DarkGate malware switches from AutoIt to AutoHotkey

Emerging Issue

In this week’s roundup, CTI explains how the TargetCompany ransomware operation is threatening ESXi servers with a new Linux variant. Next up, CTI investigates a previously undocumented espionage actor, now tracked as LilacSquid, which is being linked to several attacks across the United States, Europe, and Asia. Finally, CTI explores how DarkGate threat actors are starting to move away from AutoIt scripts and pivoting to AutoHotkey to execute the final payload.

1. TargetCompany’s Linux variant threatens ESXi environments with new methods

The TargetCompany ransomware operation is now going after ESXi servers with a new Linux variant.

The latest variant uses a custom shell script to deliver and execute payloads and exfiltrates data to two different attacker-controlled servers for backup purposes.

What is TargetCompany?

The TargetCompany ransomware group was first discovered in 2021 and maintains a data leak site under the name “Mallox.”

Like many ransomware operations, TargetCompany has continued to evolve its tactics, techniques, and procedures (TTPs), introducing things like PowerShell scripts to bypass the Antimalware Scan Interface (AMSI) and abusing fully undetectable (FUD) obfuscator packers.

Trend Micro discovered the operation’s Linux variant during a threat hunt engagement.

TargetCompany’s Linux variant

The Linux variant first checks whether it is running with administrative rights and only proceeds if it has that access.

Once it’s executed, it will drop a file containing victim information called “TargetInfo.txt.” The contents of this file are also sent to a C2 server as a file called “ap.php.” This behavior is similar to TargetCompany’s Windows variant.

Targeting ESXi environments

TargetCompany is now going after virtualization servers to cause more damage and disruption.

The variant can determine whether a machine is running in a VMware ESXi environment. If the system is running on VMware’s ESXi hypervisor, files with the following extensions are encrypted: vmdk, vmem, vswp, vmsn, vmx, and nvram. The variant appends the “.locked” extension to each encrypted file and drops a ransom note.

Shell script execution

Trend Micro’s investigation into the payload found that a shell script is used to both download and execute the ransomware payload. The script is custom-made specifically to execute this variant. This script is also capable of exfiltrating data to a server.

As noted, this variant sends stolen data to two different servers, which researchers believe is for redundancy purposes. The script will then delete the TargetCompany payload.
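A defender-side hunt for the artifacts described above (VM files renamed with “.locked” and the dropped “TargetInfo.txt”), written as an added example for this roundup rather than code from Trend Micro or Tanium. The sample listing is constructed, the `/tmp` location of the info file is an assumption, and the ransom note is not matched because the article does not name it.

```python
# Hunt for TargetCompany (Mallox) Linux/ESXi artifacts in a datastore listing.
# Added defender-side example, not Trend Micro's or Tanium's code. It assumes the
# indicators above: VM files renamed with ".locked" and a dropped "TargetInfo.txt";
# the ransom note filename is not given in the article, so it is not matched.
import os
from pathlib import PurePosixPath

VM_EXTENSIONS = {"vmdk", "vmem", "vswp", "vmsn", "vmx", "nvram"}
LOCKED_SUFFIX = ".locked"
VICTIM_INFO_FILE = "TargetInfo.txt"

def classify(path):
    """Finding label for one path, or None when it looks benign."""
    p = PurePosixPath(path)
    if p.name == VICTIM_INFO_FILE:
        return "victim-info-drop"
    if p.suffix == LOCKED_SUFFIX:
        inner = PurePosixPath(p.stem).suffix.lstrip(".").lower()  # "x.vmdk.locked" -> "vmdk"
        return f"encrypted-{inner}" if inner in VM_EXTENSIONS else "locked-other"
    return None

def hunt(paths):
    """Classify a listing; returns (findings, per-label counts)."""
    findings = [(path, label) for path in paths if (label := classify(path))]
    counts = {}
    for _, label in findings:
        counts[label] = counts.get(label, 0) + 1
    return findings, counts

def hunt_tree(root):
    """Walk a real datastore (e.g. /vmfs/volumes on ESXi) and hunt over it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return hunt(paths)

# Constructed sample listing (not real data) mimicking a hit datastore.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.locked",
    "/vmfs/volumes/ds1/web01/web01.vmx.locked",
    "/vmfs/volumes/ds1/web01/web01.nvram.locked",
    "/vmfs/volumes/ds1/web01/web01-Snapshot1.vmsn.locked",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/tmp/TargetInfo.txt",
    "/home/admin/notes.txt.locked",
]

if __name__ == "__main__":
    for path, label in hunt(SAMPLE_LISTING)[0]:
        print(f"{label:18} {path}")
```

A “locked-other” hit on non-VM files is worth keeping in the output: it shows the same encryptor reaching past the hypervisor datastore.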

Analyst comments from Tanium’s Cyber Threat Intelligence team

TargetCompany seems to be going after Linux environments to increase its target pool. At the same time, TargetCompany is exfiltrating data to two different servers to improve its chances of success — most likely to provide a backup server in case one gets compromised or becomes unavailable. This could be in response to the increased number of law enforcement takedown efforts that have happened over the last few months.

2. LilacSquid targets multiple sectors

A previously undocumented espionage actor, now tracked as LilacSquid, is being linked to several attacks across the U.S., Europe, and Asia.

The LilacSquid campaign seeks to establish long-term access with the goal of stealing data of interest. The attacks use an open-source remote management tool along with a customized version of QuasarRAT after compromising vulnerable application servers or using compromised RDP credentials.

What is LilacSquid?

This espionage-focused threat actor is believed to have been active since at least 2021 and tends to play the long game, establishing long-term access for data theft.

  • Cisco Talos has reported at least three successful compromises by this threat actor.
  • For initial access, this actor will either exploit vulnerabilities or use compromised RDP credentials.
  • After obtaining access, the actor will use an open-source remote management application, MeshAgent, and a custom QuasarRAT variant tracked as PurpleInk.

LilacSquid’s infection chains

The first LilacSquid infection chain begins with the exploitation of a vulnerable web app, while the second starts with the use of compromised RDP credentials.

In both cases, successful compromise will result in the deployment of dual-use tools like MeshAgent, SSF, InkLoader, and PurpleInk, which is a heavily customized version of QuasarRAT. PurpleInk has been under active development since 2021 and has continued to evolve into its own malware. The malware is obfuscated and has many RAT capabilities, including the ability to enumerate processes and send data to the C2, terminate a process, run a new application, get drive information, enumerate a given directory, read a file specified by a C2 and then exfiltrate the content, and replace or append content to a specified file.

The malware also has several ways to communicate with its proxy servers, like connecting to a new server, sending data to a new or existing proxy server, disconnecting, and receiving data from another connected proxy server and processing it.

Analyst comments from Tanium’s Cyber Threat Intelligence team

LilacSquid’s use of MeshAgent overlaps with Andariel, a North Korean threat actor that is a subgroup within the Lazarus Group. Other overlaps in TTPs with this group certainly raise an eyebrow, but a definitive connection has not yet been made. However, the Lazarus Group has previously carried out large supply chain attacks like 3CX that were made possible by its unauthorized long-term access.

That said, LilacSquid’s goal of maintaining long-term access could expand beyond espionage efforts and ‘can open avenues of supply chain compromise.’

3. DarkGate malware replaces AutoIt with AutoHotkey in latest attacks

According to Trellix, attacks leveraging DarkGate malware are starting to move away from AutoIt scripts and pivoting to an AutoHotkey toolkit to execute the final payload.

A deeper dive into campaigns using this new technique also uncovered some servers that had both DarkGate and PikaBot samples, indicating that the author may be leveraging one as a backup to the other.

The developer of the DarkGate MaaS, RastaFarEye, was banned from several underground forums towards the end of 2023 due to several complaints about the offerings. Even with this, DarkGate malware has continued to be distributed and observed in the wild. RastaFarEye is believed to have adopted other monikers to continue selling its offering along with new products.

DarkGate’s execution chain

DarkGate campaigns change frequently to adapt to the changing threat landscape. For example, the malware has previously leveraged AutoIt3 or DLL side loading to deploy the final payload. In more recent campaigns, the malware is leveraging AutoHotkey, a scripting interpreter, to launch the malware in three stages:

  1. The first stage varies from campaign to campaign. In the latest campaigns, the actor uses phishing emails with Excel or HTML attachments that encourage the victim to click a button that downloads a VBScript macro.
  2. The second stage is the VBScript, which contains just four lines of real code, responsible for executing a PowerShell command.
  3. The third stage is the PowerShell script, which downloads three files: the legitimate AutoHotkey interpreter, an AutoHotkey script, and a plain text file. Together, these files obtain the DarkGate payload.
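The three-stage lineage above is a natural process-tree detection. The following is an added defender-side example for this roundup, not Trellix’s or Tanium’s code; it assumes Sysmon-style process-creation records with pid, ppid, image and command line, and the sample events are constructed.

```python
# Flag the VBScript -> PowerShell -> AutoHotkey lineage described above.
# Added defender-side example, not Trellix's or Tanium's code. It assumes
# Sysmon-style process records (pid, ppid, image, cmdline); events are constructed.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

STAGES = [  # stages in the order they must appear along the parent chain
    ("vbscript_host", {"wscript.exe", "cscript.exe"}),
    ("powershell", {"powershell.exe", "pwsh.exe"}),
    ("autohotkey", {"autohotkey.exe", "autohotkeyu64.exe"}),
]
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def lineage(events, pid):  # image names from the root ancestor down to pid
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:  # cycle-safe
        seen.add(pid)
        names.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return names[::-1]

def stages_in_order(names):  # every STAGES entry present, in order
    pos = 0
    for _, images in STAGES:
        while pos < len(names) and names[pos] not in images:
            pos += 1
        if pos == len(names):
            return False
        pos += 1
    return True

def detect(events):  # (pid, chain) for AutoHotkey runs matching the pattern
    hits = []
    for e in events:
        names = lineage(events, e.pid)
        in_user_dir = any(m in e.cmdline.lower() for m in USER_WRITABLE)
        if names[-1] in STAGES[-1][1] and stages_in_order(names) and in_user_dir:
            hits.append((e.pid, " > ".join(names)))
    return hits

# Constructed telemetry: one staged infection and one benign AutoHotkey use.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "EXCEL.EXE invoice.xlsx"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\bob\Downloads\invoice.vbs"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -c ..."),
    Event(400, 300, r"C:\Users\bob\AppData\Local\Temp\AutoHotkey.exe", r"AutoHotkey.exe C:\Users\bob\AppData\Local\Temp\script.ahk"),
    Event(500, 1, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", r"AutoHotkey.exe C:\Program Files\AutoHotkey\hotkeys.ahk"),
]
```

The benign entry (pid 500) shows why the ordered-ancestry check matters: AutoHotkey itself is legitimate software, so the alert should fire on the staged chain, not on the interpreter alone.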

About DarkGate v6

DarkGate v6 has received the biggest update since the fourth version, with modifications made to the configuration, evasion techniques, and supported commands. The biggest change is the restructuring of the entire main code and how the commands get processed.

Analyst comments from Tanium’s Cyber Threat Intelligence team

DarkGate malware is continuing to evolve and keep up with changing trends, as evidenced by the shift away from AutoIt.

What’s interesting is that these campaigns still rely on a user’s manual interaction to enable macros within a document to kick off the infection chain. So, while the malware itself may be evolving, the attack chain — or at least initial access — seems to be behind.

Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
