1. Home
  2. Software
  3. Elise

Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group oftools referred to as LStudio, ST Group, and APT0LSTU. [1][2]

ID: S0081
Associated Software: BKDR_ESILE, Page
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 20 March 2020

Associated Software Descriptions

Name Description
BKDR_ESILE

[1]
Page

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Elise executes net user after initial communication is made to the remote server.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Elise communicates over HTTP or HTTPS for C2.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[1][2]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Elise configures itself as a service.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Elise exfiltrates data using cookie values that are Base64-encoded.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.[2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Elise encrypts exfiltrated data with RC4.[1]
Enterprise T1083 File and Directory Discovery

A variant of Elise executes dir C:\progra~1 when initially run.[1][2]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Elise is capable of launching a remote shell on the host to delete itself.[2]
.006 Indicator Removal on Host: Timestomp

Elise performs timestomping of a CAB file it creates.[1]
Enterprise T1105 Ingress Tool Transfer

Elise can download additional files from the C2 server for execution.[2]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1]
Enterprise T1027 Obfuscated Files or Information

Elise encrypts several of its files, including configuration files.[1]
Enterprise T1057 Process Discovery

Elise enumerates processes via the tasklist command.[2]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Elise injects DLL files into iexplore.exe.[1][2]
Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1]
Enterprise T1082 System Information Discovery

Elise executes systeminfo after initial communication is made to the remote server.[1]
Enterprise T1016 System Network Configuration Discovery

Elise executes ipconfig /all after initial communication is made to the remote server.[1][2]
Enterprise T1007 System Service Discovery

Elise executes net start after initial communication is made to the remote server.[1]

Groups That Use This Software

ID Name References
G0030 Lotus Blossom

[3][2]

References

  1. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  2. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  1. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.