Software: Elise, BKDR_ESILE, Page

Software
ID: S0081
Aliases: Elise, BKDR_ESILE, Page
Type: Malware

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.[1]

Techniques Used

  • Masquerading - If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]
  • Registry Run Keys / Start Folder - If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry key for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self].[1]
  • Account Discovery - Elise executes net user after initial communication is made to the remote server.[1]
  • Data Encoding - Elise exfiltrates data using cookie values that are Base64-encoded.[1]
  • Rundll32 - After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]
  • Timestomp - Elise performs timestomping of a CAB file it creates.[1]
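A defender-side check for the Run-key persistence and svchost.exe masquerading indicators listed above, added here as an example and not part of this page or of any MITRE tooling. It runs over a constructed list of Run-key values and an assumed environment map rather than the live registry, so the same logic can be applied to a registry listing exported from another host; the value names, drop directory and legitimate svchost.exe directories are the only indicators it knows.

```python
import ntpath
import re

# Indicators documented on this page for Elise persistence and masquerading.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ELISE_VALUE_NAMES = {"svchost", "imejp"}          # Run value names Elise variants set
ELISE_DROP_DIR = r"%APPDATA%\Microsoft\Network"   # where the fake svchost.exe is written
LEGIT_SVCHOST_DIRS = (r"%SYSTEMROOT%\System32", r"%SYSTEMROOT%\SysWOW64")

def expand(path, env):
    """Expand %VAR% references using a supplied environment map (not the live one)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def exe_path(command, env):
    """Pull the executable path out of a Run value's command line and expand it."""
    m = re.match(r'\s*"?([^"]+?\.exe)', command, re.IGNORECASE)
    return expand(m.group(1), env) if m else None

def check_run_entry(value_name, command, env):
    """Return the list of indicator names matched by one Run-key value."""
    findings = []
    exe = exe_path(command, env)
    if exe is None:
        return findings
    directory, basename = ntpath.split(exe)
    directory, basename = directory.lower(), basename.lower()
    # Documented Elise key: a known value name pointing into %APPDATA%\Microsoft\Network.
    if value_name.lower() in ELISE_VALUE_NAMES and directory == expand(ELISE_DROP_DIR, env).lower():
        findings.append("elise-run-key")
    # Any svchost.exe started from outside the Windows system directories is a masquerade.
    if basename == "svchost.exe" and directory not in {expand(d, env).lower() for d in LEGIT_SVCHOST_DIRS}:
        findings.append("svchost-masquerade")
    # The imejp value name is specific to the variant described above ([self] path unknown).
    if value_name.lower() == "imejp":
        findings.append("elise-imejp-value")
    return findings

def scan_run_entries(entries, env):
    """Map each (value_name, command) found under the Run key to its findings."""
    return {name: check_run_entry(name, cmd, env) for name, cmd in entries}

# Constructed sample of Run-key values and environment; not data from a real host.
SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "SYSTEMROOT": r"C:\Windows"}
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("svchost", r"%APPDATA%\Microsoft\Network\svchost.exe"),
    ("imejp", r"C:\Users\alice\AppData\Roaming\imejp.exe"),
]

if __name__ == "__main__":
    for name, hits in scan_run_entries(SAMPLE_ENTRIES, SAMPLE_ENV).items():
        print(f"{RUN_KEY}\\{name}: {hits or 'clean'}")
```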

Groups

The following groups use this software: