Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [1]

ID: S0082
Aliases: Emissary
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
---- | -----------
Emissary | [1]

Techniques Used

Domain | ID | Name | Use
------ | -- | ---- | ---
Enterprise | T1009 | Binary Padding | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan. [2]
Enterprise | T1059 | Command-Line Interface | Emissary has the capability to create a remote shell and execute specified commands. [1]
Enterprise | T1024 | Custom Cryptographic Protocol | The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data. [1]
Enterprise | T1050 | New Service | Emissary is capable of configuring itself as a service. [2]
Enterprise | T1027 | Obfuscated Files or Information | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions. [1][2]
Enterprise | T1069 | Permission Groups Discovery | Emissary has the capability to execute the command net localgroup administrators. [2]
Enterprise | T1055 | Process Injection | Emissary injects its DLL file into a newly spawned Internet Explorer process. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Variants of Emissary have added Run Registry keys to establish persistence. [2]
Enterprise | T1105 | Remote File Copy | Emissary has the capability to download files from the C2 server. [1]
Enterprise | T1085 | Rundll32 | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence. [2]
Enterprise | T1071 | Standard Application Layer Protocol | Emissary uses HTTP or HTTPS for C2. [1]
Enterprise | T1082 | System Information Discovery | Emissary has the capability to execute ver, systeminfo, and gpresult commands. [2]
Enterprise | T1016 | System Network Configuration Discovery | Emissary has the capability to execute the command ipconfig /all. [2]
Enterprise | T1007 | System Service Discovery | Emissary has the capability to execute the command net start to interact with services. [2]
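The Binary Padding entry (T1009) describes a DLL inflated with junk data appended after the real contents. One detection-side check for that behaviour is to measure a PE file's overlay, the bytes that sit past the end of the last section's raw data, and flag files whose overlay is unusually large. The script below is an added example written for this page; it is not code from ATT&CK, from the cited reports, or from Emissary itself. It parses only the standard PE/COFF header fields needed for the check, and the sample input it builds (`build_sample_pe`) is a constructed minimal PE-shaped blob with one section and no optional header, not a real binary; the `min_overlay_bytes` threshold is an assumed tuning knob, and a real padded sample would carry far more than the few kilobytes used here.

```python
"""Overlay-size check for PE files, as a defender's heuristic for T1009 Binary Padding.
Added example, standard library only. The sample input is constructed, not malware."""
import struct
from collections import Counter

COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def overlay_size(data: bytes) -> int:
    """Return how many bytes follow the end of the last section's raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    first_section = coff + COFF_HEADER_SIZE + opt_size
    # The image ends no earlier than the end of the section table itself.
    end = first_section + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = first_section + i * SECTION_HEADER_SIZE
        # SizeOfRawData is at offset 16, PointerToRawData at offset 20 of the header.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return max(0, len(data) - end)


def overlay_report(data: bytes, min_overlay_bytes: int) -> dict:
    """Overlay size, how uniform its bytes are, and a verdict against the threshold.
    A dominant-byte ratio near 1.0 means the tail is mostly one repeated value;
    genuinely padded files may also use random junk, so the verdict rests on size."""
    size = overlay_size(data)
    tail = data[len(data) - size:] if size else b""
    ratio = Counter(tail).most_common(1)[0][1] / size if size else 0.0
    return {
        "overlay_bytes": size,
        "dominant_byte_ratio": round(ratio, 3),
        "suspicious": size >= min_overlay_bytes,
    }


def build_sample_pe(section_bytes: bytes, padding: bytes) -> bytes:
    """Constructed test input: a minimal PE-shaped blob with one section and
    SizeOfOptionalHeader = 0, followed by `padding` appended as overlay."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections=1, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT|DLL
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    ptr_raw = e_lfanew + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE
    section_header = struct.pack(
        "<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
        len(section_bytes), ptr_raw, 0, 0, 0, 0, 0x60000020,
    )
    return dos_header + b"PE\0\0" + coff_header + section_header + section_bytes + padding


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 64, b"")
    padded = build_sample_pe(b"\x90" * 64, b"\x00" * 4096)
    print("clean :", overlay_report(clean, min_overlay_bytes=1024))
    print("padded:", overlay_report(padded, min_overlay_bytes=1024))
```

Legitimate installers and signed binaries also carry overlays (Authenticode signatures live there), so treat a large overlay as a triage signal to combine with other indicators rather than a verdict on its own; in practice the threshold would be set in the tens of megabytes to match the scanner limits the technique is meant to exceed.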

Groups

Groups that use this software:

Lotus Blossom

References