Elise
Associated Software Descriptions |
|
Name | Description |
---|---|
BKDR_ESILE | (Citation: Lotus Blossom Jun 2015) |
Page | (Citation: Lotus Blossom Jun 2015) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Elise executes |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Elise communicates over HTTP or HTTPS for C2.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Elise configures itself as a service.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Elise exfiltrates data using cookie values that are Base64-encoded.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Elise creates a file in |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Elise encrypts exfiltrated data with RC4.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Elise is capable of launching a remote shell on the host to delete itself.(Citation: Accenture Dragonfish Jan 2018) |
.006 | Indicator Removal: Timestomp |
Elise performs timestomping of a CAB file it creates.(Citation: Lotus Blossom Jun 2015) |
||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Elise encrypts several of its files, including configuration files.(Citation: Lotus Blossom Jun 2015) |
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Elise injects DLL files into iexplore.exe.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018) |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.(Citation: Lotus Blossom Jun 2015) |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0030 | Lotus Blossom |
(Citation: Spring Dragon Jun 2015) (Citation: Accenture Dragonfish Jan 2018) |
References
- Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.