Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 11 April 2024

Associated Software Descriptions

Name        Description
BKDR_ESILE  [1]
Page        [1]

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Elise configures itself as a service.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Elise encrypts exfiltrated data with RC4.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Elise communicates over HTTP or HTTPS for C2.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Elise exfiltrates data using cookie values that are Base64-encoded.[1]

Enterprise T1083 File and Directory Discovery

A variant of Elise executes dir C:\progra~1 when initially run.[1][2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Elise encrypts several of its files, including configuration files.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Elise is capable of launching a remote shell on the host to delete itself.[2]

Enterprise T1070 .006 Indicator Removal: Timestomp

Elise performs timestomping of a CAB file it creates.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]

Enterprise T1082 System Information Discovery

Elise executes systeminfo after initial communication is made to the remote server.[1]

Enterprise T1007 System Service Discovery

Elise executes net start after initial communication is made to the remote server.[1]

Enterprise T1016 System Network Configuration Discovery

Elise executes ipconfig /all after initial communication is made to the remote server.[1][2]

Enterprise T1087 .001 Account Discovery: Local Account

Elise executes net user after initial communication is made to the remote server.[1]

Enterprise T1105 Ingress Tool Transfer

Elise can download additional files from the C2 server for execution.[2]

Enterprise T1057 Process Discovery

Elise enumerates processes via the tasklist command.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Elise injects DLL files into iexplore.exe.[1][2]
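The masquerading, Run-key persistence and local staging entries above name concrete host artifacts (the svchost.exe copy under %APPDATA%\Microsoft\Network, the Run values svchost, imejp and IAStorD, and a staging file under AppData\Local\Microsoft\Windows\Explorer). The following PowerShell audit is an added example, not code from the ATT&CK page or from any of its references: it checks one user's profile and HKCU hive for those artifacts. The only assumption beyond the page is the filter on the Explorer cache directory, which normally holds Explorer's thumbcache_* and iconcache_* databases; that listing is left for analyst review rather than treated as a verdict, and the generic check for any Run value pointing into %APPDATA% is a broader heuristic than the page's specific value names.

```powershell
# Added example (not from the ATT&CK page or the Elise sample): audit the
# current user's profile and HKCU hive for the Elise artifacts the page lists.
# HKCU is per user, so run this in the context of each user of interest.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Technique, [string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Artifact = $Artifact; Detail = $Detail })
}

# T1036.005: fallback copy named svchost.exe under %APPDATA%\Microsoft\Network.
# The genuine svchost.exe lives in %SystemRoot%\System32, so any copy here is suspect.
$dropPath = Join-Path $env:APPDATA 'Microsoft\Network\svchost.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    Add-Finding 'T1036.005' 'Masqueraded binary' "$dropPath (SHA256 $hash)"
}

# T1547.001: Run-key value names reported for Elise variants, plus a generic
# check for any Run entry that launches something out of the user's AppData.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectValueNames = @('svchost', 'imejp', 'IAStorD')   # case-insensitive match below
if (Test-Path -LiteralPath $runKey) {
    $run = Get-Item -LiteralPath $runKey
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($suspectValueNames -contains $name) {
            Add-Finding 'T1547.001' "Run value '$name'" $data
        }
        elseif ($data -like "*$env:APPDATA*") {
            # Heuristic beyond the page's value names: autostart from AppData
            Add-Finding 'T1547.001' "Run value '$name' (AppData path)" $data
        }
    }
}

# T1074.001: staging file under AppData\Local\Microsoft\Windows\Explorer.
# Assumption: this directory normally holds only Explorer's thumbcache_* and
# iconcache_* databases, so anything else is listed for an analyst to review.
$stageDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Explorer'
if (Test-Path -LiteralPath $stageDir) {
    Get-ChildItem -LiteralPath $stageDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike 'thumbcache_*' -and $_.Name -notlike 'iconcache_*' } |
        ForEach-Object {
            Add-Finding 'T1074.001' 'Unexpected file in Explorer cache dir' `
                "$($_.FullName) ($($_.Length) bytes, last written $($_.LastWriteTime))"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Elise-style artifacts found for this user profile.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because Elise's service name, CAB file name and C2 hosts are not recorded on the page, the script stays with the artifacts that are; a hit on the svchost.exe copy or on one of the three Run values is a high-confidence indicator, while the Explorer-directory listing needs a human look before it is acted on.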

Groups That Use This Software

ID     Name           References
G0030  Lotus Blossom  [3][2]

References