Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Emissary
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Emissary
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)
ID: S0082
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 09 Aug 2021

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Emissary uses HTTP or HTTPS for C2.(Citation: Lotus Blossom Dec 2015)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Variants of Emissary have added Run Registry keys to establish persistence.(Citation: Emissary Trojan Feb 2016)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Emissary has the capability to create a remote shell and execute specified commands.(Citation: Lotus Blossom Dec 2015)
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Emissary is capable of configuring itself as a service.(Citation: Emissary Trojan Feb 2016)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.(Citation: Lotus Blossom Dec 2015)
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.(Citation: Emissary Trojan Feb 2016)
Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Emissary has the capability to execute the command net localgroup administrators.(Citation: Emissary Trojan Feb 2016)
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Emissary injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2015)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.(Citation: Emissary Trojan Feb 2016)

Groups That Use This Software
ID Name References
G0030 Lotus Blossom

(Citation: Lotus Blossom Dec 2015) (Citation: Emissary Trojan Feb 2016)

References

  1. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  2. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.