Software: Emissary

From enterprise
Jump to: navigation, search
ID S0082
Aliases Emissary
Type Malware

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio.1

Alias Descriptions

  • Emissary - 1

Techniques Used

  • Obfuscated Files or Information - Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.12
  • Process Injection - Emissary injects its DLL file into a newly spawned Internet Explorer process.1
  • Custom Cryptographic Protocol - The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.1
  • Remote File Copy - Emissary has the capability to download files from the C2 server.1
  • New Service - Emissary is capable of configuring itself as a service.2
  • Binary Padding - A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.2
  • Rundll32 - Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.2


The following groups use this software: