# Software: Emissary

• ID: S0082
• Aliases: Emissary
• Type: Malware

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.[1]

## Techniques Used

• Obfuscated Files or Information - Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the `srand` and `rand` functions.[1][2]
• Process Injection - Emissary injects its DLL file into a newly spawned Internet Explorer process.[1]
• Custom Cryptographic Protocol - The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[1]
• Remote File Copy - Emissary has the capability to download files from the C2 server.[1]
• New Service - Emissary is capable of configuring itself as a service.[2]
• System Service Discovery - Emissary has the capability to execute the command `net start` to interact with services.[2]
• Binary Padding - A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.[2]
• Rundll32 - Variants of Emissary have used `rundll32.exe` in Registry values added to establish persistence.[2]

## Groups

The following groups use this software: