Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page

Type: MALWARE
Platforms: Windows

Version: 1.1

Associated Software Descriptions

| Name | Description |
| --- | --- |
| BKDR_ESILE | [1] |
| Page | [1] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1087 | Account Discovery | Elise executes net user after initial communication is made to the remote server.[1] |
| Enterprise | T1132 | Data Encoding | Elise exfiltrates data using cookie values that are Base64-encoded.[1] |
| Enterprise | T1074 | Data Staged | Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2] |
| Enterprise | T1083 | File and Directory Discovery | A variant of Elise executes dir C:\progra~1 when initially run. |
| Enterprise | T1107 | File Deletion | Elise is capable of launching a remote shell on the host to delete itself.[2] |
| Enterprise | T1036 | Masquerading | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1] |
| Enterprise | T1050 | New Service | Elise configures itself as a service.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Elise encrypts several of its files, including configuration files.[1] |
| Enterprise | T1057 | Process Discovery | Elise enumerates processes via the tasklist command.[2] |
| Enterprise | T1055 | Process Injection | Elise injects DLL files into iexplore.exe.[1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[1][2] |
| Enterprise | T1105 | Remote File Copy | Elise can download additional files from the C2 server for execution.[2] |
| Enterprise | T1085 | Rundll32 | After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Elise communicates over HTTP or HTTPS for C2.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Elise encrypts exfiltrated data with RC4.[1] |
| Enterprise | T1082 | System Information Discovery | Elise executes systeminfo after initial communication is made to the remote server.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Elise executes ipconfig /all after initial communication is made to the remote server.[1][2] |
| Enterprise | T1007 | System Service Discovery | Elise executes net start after initial communication is made to the remote server.[1] |
| Enterprise | T1099 | Timestomp | Elise performs timestomping of a CAB file it creates.[1] |
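The Masquerading and Registry Run Keys rows above give concrete host-side indicators a defender can check for: Run values named svchost, imejp or IAStorD under HKCU, and a binary dropped into %APPDATA%\Microsoft\Network. The following is an added example, not code from the ATT&CK page or from MITRE, that checks a list of Run-key entries against those indicators. It generalizes slightly beyond the table by also flagging any Run value whose data points into that drop directory regardless of the value name, and by treating an expanded profile path (C:\Users\...\AppData\Roaming\...) as equivalent to %APPDATA%; the default profile layout that equivalence relies on is an assumption. The registry entries are constructed sample data, not real telemetry; on a live host the entries would come from a registry export or an EDR query.

```python
# Added example (not from the ATT&CK page or MITRE): flag Run-key entries
# that match the Elise persistence indicators listed in the techniques table.
import ntpath
from typing import Iterable, List, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Run value names the table attributes to Elise variants (compared case-insensitively).
ELISE_VALUE_NAMES = {"svchost", "imejp", "iastord"}

# Fallback drop directory used when installing as a service fails.
ELISE_DROP_DIR = r"%appdata%\microsoft\network"

Entry = Tuple[str, str, str]  # (key path, value name, value data)


def _normalize(value: str) -> str:
    # Lower-case and strip surrounding quotes so quoting or case differences
    # in the registry data do not defeat the comparison.
    return value.strip().strip('"').lower()


def _expand_appdata(path: str) -> str:
    # Rewrite an already-expanded roaming profile path back to the %APPDATA%
    # form so both spellings compare equal. Assumes the default Windows
    # profile layout (an assumption, not stated on the page).
    p = _normalize(path)
    marker = "\\appdata\\roaming\\"
    idx = p.find(marker)
    if idx != -1:
        return "%appdata%\\" + p[idx + len(marker):]
    return p


def check_run_entry(key: str, name: str, data: str) -> List[str]:
    """Return the reasons an entry matches the Elise indicators (empty list if none)."""
    reasons: List[str] = []
    if _normalize(key) != RUN_KEY.lower():
        return reasons
    if _normalize(name) in ELISE_VALUE_NAMES:
        # A Run value named svchost is suspicious in itself: the genuine
        # svchost.exe is started by the Service Control Manager, not a Run key.
        reasons.append(f"Run value name '{name}' matches a name used by Elise")
    if ntpath.dirname(_expand_appdata(data)) == ELISE_DROP_DIR:
        reasons.append("Run value points into %APPDATA%\\Microsoft\\Network")
    return reasons


def scan_run_entries(entries: Iterable[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, value data, reasons) for every entry that matched."""
    findings = []
    for key, name, data in entries:
        reasons = check_run_entry(key, name, data)
        if reasons:
            findings.append((name, data, reasons))
    return findings


# Constructed sample entries (not real telemetry). The first is benign.
SAMPLE_ENTRIES: List[Entry] = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    (RUN_KEY, "svchost", r"%APPDATA%\Microsoft\Network\svchost.exe"),
    (RUN_KEY, "imejp", r"C:\Users\alice\AppData\Roaming\Microsoft\Network\update.exe"),
    (RUN_KEY, "IAStorD", r"C:\ProgramData\IAStorD.exe"),
]

if __name__ == "__main__":
    for name, data, reasons in scan_run_entries(SAMPLE_ENTRIES):
        print(f"{name} = {data}")
        for reason in reasons:
            print("    ", reason)
```

Running the block against the sample entries reports three matches: the svchost value (name and path), the imejp value (name and path, via the expanded profile path), and the IAStorD value (name only); the OneDrive entry is not flagged. The value-name match on its own is a weak signal and worth confirming against the file actually referenced, while the %APPDATA%\Microsoft\Network path is the more specific indicator.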

Groups

Groups that use this software:

Lotus Blossom

References