Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page
Type: MALWARE
Platforms: Windows
Version: 1.1

Associated Software Descriptions

Name | Description
BKDR_ESILE | [1]
Page | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Elise executes net user after initial communication is made to the remote server.[1]
Enterprise | T1132 | Data Encoding | Elise exfiltrates data using cookie values that are Base64-encoded.[1]
Enterprise | T1074 | Data Staged | Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2]
Enterprise | T1083 | File and Directory Discovery | A variant of Elise executes dir C:\progra~1 when initially run.
Enterprise | T1107 | File Deletion | Elise is capable of launching a remote shell on the host to delete itself.[2]
Enterprise | T1036 | Masquerading | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]
Enterprise | T1050 | New Service | Elise configures itself as a service.[1]
Enterprise | T1027 | Obfuscated Files or Information | Elise encrypts several of its files, including configuration files.[1]
Enterprise | T1057 | Process Discovery | Elise enumerates processes via the tasklist command.[2]
Enterprise | T1055 | Process Injection | Elise injects DLL files into iexplore.exe.[1][2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[1][2]
Enterprise | T1105 | Remote File Copy | Elise can download additional files from the C2 server for execution.[2]
Enterprise | T1085 | Rundll32 | After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]
Enterprise | T1071 | Standard Application Layer Protocol | Elise communicates over HTTP or HTTPS for C2.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | Elise encrypts exfiltrated data with RC4.[1]
Enterprise | T1082 | System Information Discovery | Elise executes systeminfo after initial communication is made to the remote server.[1]
Enterprise | T1016 | System Network Configuration Discovery | Elise executes ipconfig /all after initial communication is made to the remote server.[1][2]
Enterprise | T1007 | System Service Discovery | Elise executes net start after initial communication is made to the remote server.[1]
Enterprise | T1099 | Timestomp | Elise performs timestomping of a CAB file it creates.[1]
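The Masquerading and Registry Run Keys rows above give concrete host artifacts a defender can check for: Run values named svchost, imejp or IAStorD under HKCU, and a copy of svchost.exe under %APPDATA%\Microsoft\Network. The following PowerShell is an added example, not part of the ATT&CK entry or its references; the value names and path are taken from the rows above, while the reporting format and the extra path-based match are this script's own assumptions.

```powershell
# Added example: check the current user's profile for the Elise persistence and
# masquerading artifacts described in the ATT&CK entry. The Run value names
# (svchost, imejp, IAStorD) and the %APPDATA%\Microsoft\Network\svchost.exe
# path come from the entry; the output shape is this script's own choice.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames = @('svchost', 'imejp', 'IAStorD')
$maskPath   = Join-Path $env:APPDATA 'Microsoft\Network\svchost.exe'

$findings = @()

# 1. Inspect every Run value: flag the names the entry lists, and any value
#    whose command line points into %APPDATA%\Microsoft\Network regardless
#    of name. PS* properties are provider metadata, not registry values.
if (Test-Path $runKey) {
    $props = (Get-ItemProperty -Path $runKey).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        $byName = $valueNames -contains $p.Name
        $byPath = ($p.Value -is [string]) -and ($p.Value -like '*\Microsoft\Network\*')
        if ($byName -or $byPath) {
            $findings += [pscustomobject]@{
                Check  = if ($byName) { 'Run value name' } else { 'Run value path' }
                Item   = "$runKey\$($p.Name)"
                Detail = $p.Value
            }
        }
    }
}

# 2. The legitimate svchost.exe lives in System32; a copy under the user's
#    AppData at the path the entry gives is the masquerading artifact.
if (Test-Path $maskPath) {
    $file = Get-Item $maskPath
    $findings += [pscustomobject]@{
        Check  = 'Masquerading file'
        Item   = $maskPath
        Detail = 'Size={0} LastWrite={1}' -f $file.Length, $file.LastWriteTime
    }
}

if ($findings.Count -eq 0) {
    'No Elise persistence or masquerading artifacts found for this user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in the context of each interactive user, since the entry's Run keys are under HKCU and %APPDATA% resolves per user.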

Groups

Groups that use this software:

Lotus Blossom

References