
Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1]

ID: S0081
Aliases: Elise, BKDR_ESILE, Page
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Elise executes net user after initial communication is made to the remote server.[1]
Enterprise | T1132 | Data Encoding | Elise exfiltrates data using cookie values that are Base64-encoded.[1]
Enterprise | T1083 | File and Directory Discovery | A variant of Elise executes dir C:\progra~1 when initially run.[1]
Enterprise | T1036 | Masquerading | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]
Enterprise | T1050 | New Service | Elise configures itself as a service.[1]
Enterprise | T1027 | Obfuscated Files or Information | Elise encrypts several of its files, including configuration files.[1]
Enterprise | T1055 | Process Injection | Elise injects DLL files into iexplore.exe.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self].[1]
Enterprise | T1085 | Rundll32 | After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Elise communicates over HTTP or HTTPS for C2.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | Elise encrypts exfiltrated data with RC4.[1]
Enterprise | T1082 | System Information Discovery | Elise executes systeminfo after initial communication is made to the remote server.[1]
Enterprise | T1016 | System Network Configuration Discovery | Elise executes ipconfig /all after initial communication is made to the remote server.[1]
Enterprise | T1007 | System Service Discovery | Elise executes net start after initial communication is made to the remote server.[1]
Enterprise | T1099 | Timestomp | Elise performs timestomping of a CAB file it creates.[1]
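As an added example (not part of this ATT&CK entry or of the Lotus Blossom reporting it cites), the following Python script checks a Windows registry export for the two persistence patterns listed above: Run-key values named svchost or imejp, and an svchost.exe that lives under %APPDATA%\Microsoft\Network or anywhere outside the Windows system directories. The registry export it parses is constructed for the example; the user name, the OneDrive entry and the imejp path are assumptions, while the value names and the drop directory come from the table.

```python
"""Flag Run-key persistence entries that match the Elise patterns in the table above.

Input is the text of a Windows registry export (the .reg format that reg.exe
and regedit write). The sample export below is constructed for this example;
only the value names "svchost"/"imejp" and the %APPDATA%\\Microsoft\\Network
drop directory are taken from the ATT&CK entry, everything else is assumed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Run-key value names the entry associates with Elise persistence.
SUSPECT_VALUE_NAMES = {"svchost", "imejp"}

# Directory Elise writes svchost.exe to when installing a service fails
# (%APPDATA% normally expands to <profile>\AppData\Roaming).
ELISE_DROP_DIR = "\\appdata\\roaming\\microsoft\\network\\"

# The only places a genuine svchost.exe should be launched from.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed sample export: one benign entry, two Elise-style entries, and a
# genuine svchost.exe under a different key that must not be flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Network\\svchost.exe"
"imejp"="C:\\Users\\alice\\AppData\\Roaming\\imejp\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost"="C:\\Windows\\System32\\svchost.exe"
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = _VALUE.match(line)
        if m and current_key is not None:
            # .reg files escape backslashes as "\\"; undo that for path checks.
            data = m.group("data").replace("\\\\", "\\")
            yield current_key, m.group("name"), data


def _normalize_path(data):
    """Lower-case the value data and expand %APPDATA% so either spelling matches."""
    path = data.lower().strip('"')
    return path.replace("%appdata%", "\\appdata\\roaming")


def find_elise_persistence(text):
    """Return a list of suspicious HKCU Run values with the reasons each was flagged."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the Run key is in scope for this entry
        path = _normalize_path(data)
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name matches a documented Elise Run-key entry")
        if ELISE_DROP_DIR in path:
            reasons.append("executable under %APPDATA%\\Microsoft\\Network, Elise's fallback drop directory")
        if path.endswith("svchost.exe") and not any(d in path for d in SYSTEM_DIRS):
            reasons.append("svchost.exe launched from outside the Windows system directories (masquerading)")
        if reasons:
            findings.append({"value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_elise_persistence(SAMPLE_REG_EXPORT):
        print(f"{hit['value']!r} -> {hit['data']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent if the same check is wanted there); the value-name check is the weakest signal, since svchost is a plausible name for benign entries, so the path checks are what should drive triage.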

Groups

Groups that use this software:

Lotus Blossom

References