

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page
Platforms: Windows
Version: 1.1

Associated Software Descriptions

| Name | Description |
|---|---|
| Page | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | Elise executes net user after initial communication is made to the remote server. [1] |
| Enterprise | T1132 | Data Encoding | Elise exfiltrates data using cookie values that are Base64-encoded. [1] |
| Enterprise | T1074 | Data Staged | Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file. [2] |
| Enterprise | T1083 | File and Directory Discovery | A variant of Elise executes dir C:\progra~1 when initially run. |
| Enterprise | T1107 | File Deletion | Elise is capable of launching a remote shell on the host to delete itself. [2] |
| Enterprise | T1036 | Masquerading | If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network. [1] |
| Enterprise | T1050 | New Service | Elise configures itself as a service. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Elise encrypts several of its files, including configuration files. [1] |
| Enterprise | T1057 | Process Discovery | Elise enumerates processes via the tasklist command. [2] |
| Enterprise | T1055 | Process Injection | Elise injects DLL files into iexplore.exe. [1] [2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD. [1] [2] |
| Enterprise | T1105 | Remote File Copy | Elise can download additional files from the C2 server for execution. [2] |
| Enterprise | T1085 | Rundll32 | After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe. [1] |
| Enterprise | T1071 | Standard Application Layer Protocol | Elise communicates over HTTP or HTTPS for C2. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Elise encrypts exfiltrated data with RC4. [1] |
| Enterprise | T1082 | System Information Discovery | Elise executes systeminfo after initial communication is made to the remote server. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Elise executes ipconfig /all after initial communication is made to the remote server. [1] [2] |
| Enterprise | T1007 | System Service Discovery | Elise executes net start after initial communication is made to the remote server. [1] |
| Enterprise | T1099 | Timestomp | Elise performs timestomping of a CAB file it creates. [1] |
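As an added illustration from the detection side (example code written for this page, not taken from the ATT&CK entry or from any published Elise analysis), the following Python flags two of the behaviours listed above: a burst of the post-C2 discovery commands (net user, systeminfo, ipconfig /all, net start, tasklist) launched under one parent process, and Run-key values matching the T1060 persistence entries. The process-log line format, the registry-export row format, the five-minute window, the three-command threshold and every sample record are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Discovery commands the ATT&CK entry says Elise runs after first contacting C2
# (T1087, T1082, T1016, T1007, T1057).
DISCOVERY_COMMANDS = {"net user", "systeminfo", "ipconfig /all", "net start", "tasklist"}

# Run-key value names the entry attributes to Elise variants (T1060), mapped to a
# lower-cased suffix the value data must contain ("" = any data). The imejp value's
# data is "[self]" on the page, i.e. the dropped binary, so any path is accepted.
ELISE_RUN_VALUES: Dict[str, str] = {
    "svchost": r"\microsoft\network\svchost.exe",
    "imejp": "",
    "iastord": "",
}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# Assumed process-creation log line format (constructed for this example):
#   <ISO-8601 UTC timestamp> host=<name> ppid=<parent pid> cmdline="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) cmdline="(?P<cmd>[^"]*)"$'
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def normalise_cmd(cmd: str) -> str:
    """Lower-case, collapse whitespace and strip a leading 'cmd.exe /c' wrapper."""
    c = " ".join(cmd.lower().split())
    return re.sub(r"^cmd(\.exe)? /c ", "", c)


def find_discovery_bursts(lines: List[str], window_s: int = 300,
                          min_distinct: int = 3) -> List[Tuple[str, str]]:
    """Return (host, ppid) pairs under which at least `min_distinct` different
    DISCOVERY_COMMANDS were launched within some `window_s`-second window."""
    by_parent: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cmd = normalise_cmd(ev["cmd"])
        if cmd in DISCOVERY_COMMANDS:
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], cmd))
    hits = []
    for key, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {c for t, c in events[i:] if (t - start).total_seconds() <= window_s}
            if len(distinct) >= min_distinct:
                hits.append(key)
                break
    return sorted(hits)


def find_elise_run_values(reg_values: List[Tuple[str, str]]) -> List[str]:
    """reg_values: (full value path, value data) rows as a registry export might list
    them. Returns the paths that match the Run-key persistence entries on the page."""
    hits = []
    for path, data in reg_values:
        key, _, name = path.lower().rpartition("\\")
        if key != RUN_KEY or name not in ELISE_RUN_VALUES:
            continue
        if ELISE_RUN_VALUES[name] not in data.lower():
            continue  # a value of that name pointing elsewhere is not this indicator
        hits.append(path)
    return hits


SAMPLE_LOG = [  # constructed sample telemetry, not real data
    '2019-10-01T10:00:01Z host=WS01 ppid=4120 cmdline="cmd.exe /c net user"',
    '2019-10-01T10:00:03Z host=WS01 ppid=4120 cmdline="systeminfo"',
    '2019-10-01T10:00:04Z host=WS01 ppid=4120 cmdline="ipconfig /all"',
    '2019-10-01T10:00:06Z host=WS01 ppid=4120 cmdline="net start"',
    '2019-10-01T10:00:07Z host=WS01 ppid=4120 cmdline="tasklist"',
    '2019-10-01T09:00:00Z host=WS02 ppid=300 cmdline="ipconfig /all"',  # lone admin command
    '2019-10-01T15:30:00Z host=WS02 ppid=300 cmdline="tasklist"',       # hours later, no burst
]
SAMPLE_REG = [  # constructed registry rows, not from a real system
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost", r"%APPDATA%\Microsoft\Network\svchost.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp", r"C:\Users\u\AppData\Roaming\imejp.exe"),
]

if __name__ == "__main__":
    print("discovery bursts:", find_discovery_bursts(SAMPLE_LOG))
    print("Elise-style Run values:", find_elise_run_values(SAMPLE_REG))
```

The svchost check matches on the path suffix rather than the literal `%APPDATA%` string, because a registry export or an EDR event may show the variable already expanded to the user's profile directory. On WS02 the two commands are real but hours apart, so the distinct-within-window count never reaches the threshold; the burst on WS01 does because all five commands share a parent within seconds.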

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0030 | Lotus Blossom | [3] [2] |