Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise; both Trojans belong to a malware family referred to as LStudio.[1]
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1009 | Binary Padding | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.[2] |
Enterprise | T1059 | Command-Line Interface | Emissary has the capability to create a remote shell and execute specified commands.[1] |
Enterprise | T1024 | Custom Cryptographic Protocol | The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[1] |
Enterprise | T1050 | New Service | |
Enterprise | T1027 | Obfuscated Files or Information | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.[1][2] |
Enterprise | T1069 | Permission Groups Discovery | Emissary has the capability to execute the command |
Enterprise | T1055 | Process Injection | Emissary injects its DLL file into a newly spawned Internet Explorer process.[1] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | Variants of Emissary have added Run Registry keys to establish persistence.[2] |
Enterprise | T1105 | Remote File Copy | Emissary has the capability to download files from the C2 server.[1] |
Enterprise | T1085 | Rundll32 | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.[2] |
Enterprise | T1071 | Standard Application Layer Protocol | |
Enterprise | T1082 | System Information Discovery | Emissary has the capability to execute ver, systeminfo, and gpresult commands.[2] |
Enterprise | T1016 | System Network Configuration Discovery | Emissary has the capability to execute the command |
Enterprise | T1007 | System Service Discovery | Emissary has the capability to execute the command |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0030 | Lotus Blossom | [1] [2] |