

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. [1]

ID: S0082
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1009 | Binary Padding | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan. [2] |
| Enterprise | T1059 | Command-Line Interface | Emissary has the capability to create a remote shell and execute specified commands. [1] |
| Enterprise | T1024 | Custom Cryptographic Protocol | The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data. [1] |
| Enterprise | T1050 | New Service | Emissary is capable of configuring itself as a service. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions. [1] [2] |
| Enterprise | T1069 | Permission Groups Discovery | Emissary has the capability to execute the command net localgroup administrators. [2] |
| Enterprise | T1055 | Process Injection | Emissary injects its DLL file into a newly spawned Internet Explorer process. [1] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Variants of Emissary have added Run Registry keys to establish persistence. [2] |
| Enterprise | T1105 | Remote File Copy | Emissary has the capability to download files from the C2 server. [1] |
| Enterprise | T1085 | Rundll32 | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Emissary uses HTTP or HTTPS for C2. [1] |
| Enterprise | T1082 | System Information Discovery | Emissary has the capability to execute ver, systeminfo, and gpresult commands. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Emissary has the capability to execute the command ipconfig /all. [2] |
| Enterprise | T1007 | System Service Discovery | Emissary has the capability to execute the command net start to interact with services. [2] |
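The Binary Padding entry (T1009) describes a DLL grown past the size an anti-virus engine will scan. A defender-side triage check for that is to measure the PE "overlay", the bytes after the last section's raw data, since appended junk lands there. The following is an added example written for this page, not code from ATT&CK or from the cited reports; the minimal PE it builds is a constructed stand-in, and the 1 MiB / 90 % thresholds are assumptions to tune per environment.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


def overlay_size(data: bytes) -> int:
    """Number of bytes appended after the last section's raw data (the PE overlay)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # first section header
    end_of_image = table + 40 * num_sections              # headers at minimum
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        size_raw, ptr_raw = fields[3], fields[4]
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def looks_padded(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 0.9) -> bool:
    """Triage signal for T1009-style padding: a large overlay, or one dominating the file.
    Legitimate files also carry overlays (Authenticode signatures, installer payloads),
    so a hit is a reason to inspect the tail, not a verdict on its own."""
    overlay = overlay_size(data)
    return overlay >= min_overlay or overlay / len(data) >= min_ratio


def build_sample_pe(padding: int) -> bytes:
    """Constructed minimal PE32 image (not Emissary): one section plus an optional overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew: PE signature at 64
    opt = bytes(224)                                     # zeroed PE32 optional header suffices
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = struct.pack(SECTION_HEADER, b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sect).ljust(512, b"\0")
    return headers + b"\xc3" * 512 + b"\0" * padding     # raw .text data, then junk


if __name__ == "__main__":
    for pad in (0, 4096, 2 * 1024 * 1024):
        sample = build_sample_pe(pad)
        print(f"padding={pad:>8}  overlay={overlay_size(sample):>8}  flagged={looks_padded(sample)}")
```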

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0030 | Lotus Blossom | [1] [2] |