Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 20 March 2020

Associated Software Descriptions

Name Description
BKDR_ESILE [1]
Page [1]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Elise executes net user after initial communication is made to the remote server.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Elise communicates over HTTP or HTTPS for C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[1][2]
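The following is an added example, not code from the Elise samples or from the cited reports: a Python hunt over Sysmon Event ID 13 (RegistryEvent: value set) records for the Run-key entries listed above. The records in SAMPLE_EVENTS, their field layout, the SIDs and the user paths are constructed for the example; the value names (svchost, imejp, IAStorD) and the %APPDATA%\Microsoft\Network\svchost.exe path are the ones reported on this page. Sysmon writes the current-user hive as HKU\<SID> rather than HKCU, so the check matches on the key suffix. The last check goes beyond the page's indicators: any Run entry that launches a svchost.exe from anywhere but %SystemRoot%\System32 is masquerading, whatever the value is called.

```python
"""Hunt for the Elise Run-key persistence entries in Sysmon registry telemetry."""
import re

# Run-key value names the page attributes to Elise variants (compared lower-cased).
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\"
ELISE_VALUE_NAMES = {"svchost", "imejp", "iastord"}
ELISE_FALLBACK_PATH = "\\microsoft\\network\\svchost.exe"  # %APPDATA%\Microsoft\Network\svchost.exe
LEGIT_SVCHOST = "\\windows\\system32\\svchost.exe"          # the only svchost.exe that belongs in Run

# Constructed Sysmon Event ID 13 records for the example; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\alice\AppData\Roaming\Microsoft\Network\svchost.exe "
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost "
    r"Details=%APPDATA%\Microsoft\Network\svchost.exe",
    r"EventID=13 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive "
    r"Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\update.exe "
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\imejp "
    r"Details=C:\Users\bob\AppData\Local\Temp\update.exe",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c net user",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Split one 'key=value key=value ...' record (the constructed format) into a dict."""
    return dict(FIELD_RE.findall(line))


def classify_run_value(event):
    """Return the reasons a Run-key write looks like Elise persistence ([] if none)."""
    reasons = []
    if event.get("EventID") != "13":
        return reasons
    target = event.get("TargetObject", "")
    if RUN_KEY_SUFFIX not in target.lower():
        return reasons
    value_name = target.rsplit("\\", 1)[-1]
    details = event.get("Details", "").lower()
    if value_name.lower() in ELISE_VALUE_NAMES:
        reasons.append(f"Run value name '{value_name}' matches an Elise IOC")
    if ELISE_FALLBACK_PATH in details:
        reasons.append("image path matches the Elise fallback install location")
    # Generalisation beyond the page's IOCs: a svchost.exe outside System32 is a fake.
    if "svchost.exe" in details and LEGIT_SVCHOST not in details:
        reasons.append("svchost.exe launched from outside %SystemRoot%\\System32")
    return reasons


def hunt(lines):
    """Return (value name, reasons) for every record that trips at least one check."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify_run_value(event)
        if reasons:
            hits.append((event["TargetObject"].rsplit("\\", 1)[-1], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: " + "; ".join(reasons))
```

Run against the sample, the svchost entry trips all three checks and the imejp entry trips the name check only; the OneDrive entry and the non-registry event are ignored. The value-name list is brittle on its own (the names are ordinary-looking by design), so in production keep the location-based check and treat the names as a secondary signal.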

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Elise configures itself as a service.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Elise exfiltrates data using cookie values that are Base64-encoded.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Elise encrypts exfiltrated data with RC4.[1]
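The two channel properties above (Base64-encoded cookie values under T1132.001, RC4 encryption under T1573.001) are modelled together in the following added example. It is not Elise code and not from the cited reports; the RC4 key, the cookie name and the harvested text are constructed for the example, and the page gives neither the real key nor how it is derived. The rc4 function is the textbook cipher; build_cookie_header shows what the implant side produces, and decode_cookie_value shows what an analyst with a recovered key does with a cookie value lifted from proxy logs.

```python
"""Model of the Elise cookie channel: RC4 on the inside, Base64 on the outside."""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_cookie_header(key: bytes, cookie_name: str, harvested: bytes) -> str:
    """Implant side: encrypt, Base64-encode, and carry the result as a cookie value."""
    token = base64.b64encode(rc4(key, harvested)).decode("ascii")
    return f"Cookie: {cookie_name}={token}"


def decode_cookie_value(key: bytes, cookie_header: str, cookie_name: str) -> bytes:
    """Analyst side: pull the named cookie out of a logged header and peel both layers."""
    _, _, cookie_string = cookie_header.partition(":")
    cookies = {}
    for part in cookie_string.split(";"):
        name, _, value = part.strip().partition("=")   # Base64 '=' padding stays in value
        cookies[name] = value
    return rc4(key, base64.b64decode(cookies[cookie_name]))


# Constructed example values; the real Elise key and cookie name are not on this page.
SAMPLE_KEY = b"example-key"
SAMPLE_HARVEST = b"net user\r\nAdministrator  alice  Guest\r\n"
SAMPLE_HEADER = build_cookie_header(SAMPLE_KEY, "SESSIONID", SAMPLE_HARVEST) + "; lang=en"

if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print(decode_cookie_value(SAMPLE_KEY, SAMPLE_HEADER, "SESSIONID"))
```

Two practitioner notes follow from the model rather than from the page. First, a Base64 blob in a cookie is not itself anomalous (session tokens look the same), so the detection opportunity is the cookie name and request pattern on a per-host baseline, not the encoding. Second, RC4 under a fixed key with no per-message nonce produces the same keystream for every message, so two captured cookie values XOR to the XOR of their plaintexts; whether Elise varies the key is not stated here, but that is the first thing to check once a key is recovered.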

Enterprise T1083 File and Directory Discovery

A variant of Elise executes dir C:\progra~1 when initially run.[1][2]

Enterprise T1070 .006 Indicator Removal on Host: Timestomp

Elise performs timestomping of a CAB file it creates.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Elise is capable of launching a remote shell on the host to delete itself.[2]

Enterprise T1105 Ingress Tool Transfer

Elise can download additional files from the C2 server for execution.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]

Enterprise T1027 Obfuscated Files or Information

Elise encrypts several of its files, including configuration files.[1]

Enterprise T1057 Process Discovery

Elise enumerates processes via the tasklist command.[2]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Elise injects DLL files into iexplore.exe.[1][2]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]

Enterprise T1082 System Information Discovery

Elise executes systeminfo after initial communication is made to the remote server.[1]

Enterprise T1016 System Network Configuration Discovery

Elise executes ipconfig /all after initial communication is made to the remote server.[1][2]

Enterprise T1007 System Service Discovery

Elise executes net start after initial communication is made to the remote server.[1]
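The discovery commands attributed to Elise across the entries above (net user, dir C:\progra~1, tasklist, systeminfo, ipconfig /all, net start) are individually unremarkable; what distinguishes the implant is that one parent process issues several of them in quick succession right after check-in. The following added example (not Elise code, not from the cited reports) flags that burst over Sysmon Event ID 1 (process creation) records. The record layout, timestamps, process IDs and the five-minute window are constructed or assumed for the example; the command list is the one on this page. The sample uses iexplore.exe as the parent because the page reports DLL injection into it, but the logic is parent-agnostic.

```python
"""Flag a burst of the Elise post-check-in discovery commands from one parent process."""
import re
from datetime import datetime, timedelta

# Discovery commands this page attributes to Elise, as patterns over the lower-cased
# command line. net1 is accepted because net.exe hands most verbs off to net1.exe.
DISCOVERY_PATTERNS = {
    "net user":      re.compile(r"\bnet1?(?:\.exe)?\s+user\b"),
    "net start":     re.compile(r"\bnet1?(?:\.exe)?\s+start\b"),
    "systeminfo":    re.compile(r"\bsysteminfo(?:\.exe)?\b"),
    "ipconfig /all": re.compile(r"\bipconfig(?:\.exe)?\s+/all\b"),
    "tasklist":      re.compile(r"\btasklist(?:\.exe)?\b"),
    "dir progra~1":  re.compile(r"\bdir\s+c:\\progra~1\b"),
}
WINDOW = timedelta(minutes=5)   # assumed; tune to the environment
THRESHOLD = 3                   # distinct commands from one parent inside the window

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Split one 'key=value key=value ...' record (the constructed format) into a dict."""
    return dict(FIELD_RE.findall(line))


def _ie_child(ts, cmd):
    """Build a constructed Event ID 1 record: cmd.exe spawned by iexplore.exe PID 4120."""
    return (f"EventID=1 UtcTime=2020-03-20 {ts} "
            r"ParentImage=C:\Program Files\Internet Explorer\iexplore.exe ParentProcessId=4120 "
            r"Image=C:\Windows\System32\cmd.exe "
            f"CommandLine=cmd.exe /c {cmd}")


# Constructed Sysmon Event ID 1 records for the example; not real telemetry.
SAMPLE_EVENTS = [
    _ie_child("10:00:01", "net user"),
    _ie_child("10:00:02", "systeminfo"),
    _ie_child("10:00:03", "ipconfig /all"),
    _ie_child("10:00:04", "net start"),
    _ie_child("10:00:05", "tasklist"),
    _ie_child("10:00:06", r"dir C:\progra~1"),
    # An administrator running one discovery command is normal and must not alert.
    r"EventID=1 UtcTime=2020-03-20 09:12:40 ParentImage=C:\Windows\explorer.exe ParentProcessId=1234 "
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c ipconfig /all",
    # Events other than process creation are ignored.
    r"EventID=3 UtcTime=2020-03-20 10:00:00 Image=C:\Program Files\Internet Explorer\iexplore.exe DestinationPort=443",
]


def discovery_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per parent process that ran >= threshold distinct discovery
    commands within `window` of each other (sliding window over its children)."""
    by_parent = {}
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        cmd = event.get("CommandLine", "").lower()
        matched = [name for name, pattern in DISCOVERY_PATTERNS.items() if pattern.search(cmd)]
        if not matched:
            continue
        when = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")
        key = (event.get("ParentImage", ""), event.get("ParentProcessId", ""))
        by_parent.setdefault(key, []).append((when, matched[0]))

    alerts = []
    for (parent_image, parent_pid), children in by_parent.items():
        children.sort()
        best = set()
        for i, (start, _) in enumerate(children):
            in_window = {name for when, name in children[i:] if when - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts.append({"parent": parent_image, "pid": parent_pid, "commands": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['parent']} (PID {alert['pid']}) ran: {', '.join(alert['commands'])}")
```

On the sample the iexplore.exe parent produces one alert carrying all six commands and the administrator's lone ipconfig does not. Keying on the parent rather than on cmd.exe is what makes this survive the page's T1055.001 entry: once the DLL is injected, the discovery commands are children of iexplore.exe, and a browser spawning cmd.exe is itself a signal worth alerting on even below the threshold.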

Groups That Use This Software

ID Name References
G0030 Lotus Blossom [3][2]

References