Emissary
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Emissary uses HTTP or HTTPS for C2.(Citation: Lotus Blossom Dec 2015)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Variants of Emissary have added Run Registry keys to establish persistence.(Citation: Emissary Trojan Feb 2016)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Emissary has the capability to create a remote shell and execute specified commands.(Citation: Lotus Blossom Dec 2015)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Emissary is capable of configuring itself as a service.(Citation: Emissary Trojan Feb 2016)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.(Citation: Lotus Blossom Dec 2015)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.(Citation: Emissary Trojan Feb 2016)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.(Citation: Lotus Blossom Dec 2015)(Citation: Emissary Trojan Feb 2016)
Enterprise | T1069.001 | Permission Groups Discovery: Local Groups | Emissary has the capability to execute the command
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Emissary injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2015)
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.(Citation: Emissary Trojan Feb 2016)
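The Run key (T1547.001), service (T1543.003) and rundll32 (T1218.011) rows above describe one persistence pattern: a Registry value whose data proxies a DLL through rundll32.exe or points a service at an image outside the Windows directory. The following detection logic is an added example written for this page, not code from the cited reports or from Emissary; it runs over constructed Sysmon-style RegistryEvent (Event ID 13, value set) lines, and the regexes, severity levels and the tab-separated field layout are the editor's own assumptions, not indicators from the reports.

```python
import re

# Sysmon Event ID 13 = RegistryEvent (Value Set). The patterns below are
# assumed detection heuristics for this example, not report indicators.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_IMAGE_RE = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)
RUNDLL32_RE = re.compile(r"(^|[\\\s\"])rundll32(\.exe)?\b", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\|\\ProgramData\\|\\Temp\\|%temp%|%appdata%|%localappdata%", re.I)


def _ev(*fields: str) -> str:
    """Join fields into one tab-separated event line (constructed sample format)."""
    return "\t".join(fields)


# CONSTRUCTED sample events: two benign writes, two suspicious ones, one key creation.
SAMPLE_EVENTS = [
    _ev("EventID=13", r"Image=C:\Windows\System32\services.exe",
        r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\ImagePath",
        r"Details=%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted"),
    _ev("EventID=13", r"Image=C:\Program Files\Vendor\setup.exe",
        r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
        r'Details="C:\Program Files\Vendor\update.exe" /quiet'),
    _ev("EventID=13", r"Image=C:\Windows\System32\rundll32.exe",
        r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Spring",
        r'Details=rundll32.exe "C:\Users\alice\AppData\Roaming\spring.dll",Load'),
    _ev("EventID=13", r"Image=C:\Windows\System32\services.exe",
        r"TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\WinHelper\ImagePath",
        r"Details=C:\ProgramData\WinHelper\helper.exe"),
    _ev("EventID=12",
        r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run",
        "EventType=CreateKey"),
]


def parse_event(line: str) -> dict:
    """Split a tab-separated 'Key=Value' line into a dict (first '=' wins)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(ev: dict):
    """Return a finding dict for a suspicious autostart/service value write, else None."""
    if ev.get("EventID") != "13":
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    is_run = bool(RUN_KEY_RE.search(target))
    is_svc = bool(SERVICE_IMAGE_RE.search(target))
    if not (is_run or is_svc):
        return None
    reasons = []
    if RUNDLL32_RE.search(details):
        reasons.append("rundll32 proxy execution")
    if USER_WRITABLE_RE.search(details):
        reasons.append("image in user-writable path")
    if not reasons:
        return None
    return {
        "where": "run key" if is_run else "service",
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
        "target": target,
        "details": details,
    }


def scan(lines):
    """Run assess() over raw event lines and keep only the findings."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["where"], finding["details"])
```

The rundll32 match alone is a weak signal (legitimate installers use it), so the example only escalates to high when the DLL or service image also sits in a user-writable location; in production the same two conditions map directly onto a Sysmon or EDR rule keyed on registry value-set events.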
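The T1573.001 and T1027.013 rows describe XOR-based encryption keyed by a server-issued 36-character GUID, plus a scheme built on the C runtime's srand/rand. The block below is an added example for this page, not Emissary's actual routine and not code from the cited reports: it assumes a plain repeating-key XOR for the GUID scheme (the page does not say how the key is applied) and models the srand/rand scheme with the MSVC CRT linear congruential generator, XORing one low byte of rand() per plaintext byte (also an assumption). The analyst-side functions show why both are weak: 36 bytes of known plaintext recover the whole GUID key, and the rand keystream is fully determined by a seed that can be searched.

```python
import uuid

# CONSTRUCTED sample values; the GUID is the RFC 4122 DNS namespace UUID, chosen
# only because it is a well-known 36-character GUID string.
BEACON_RESPONSE_GUID = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_BEACON = b"id=WKS-07;os=6.1;ver=3;user=alice;lang=0409"


def xor_with_guid_key(data: bytes, guid_key: str) -> bytes:
    """Repeating-key XOR with the textual GUID as key (ASSUMED mode of use)."""
    uuid.UUID(guid_key)                       # reject anything that is not GUID-shaped
    key = guid_key.encode("ascii")
    if len(key) != 36:
        raise ValueError("expected the 36-character textual GUID")
    return bytes(b ^ key[i % 36] for i, b in enumerate(data))


def recover_guid_key(cipher: bytes, known_plain: bytes) -> str:
    """Known-plaintext attack: key[i % 36] = cipher[i] ^ plain[i], so 36 known
    bytes (a fixed beacon header, say) yield the entire key."""
    if len(known_plain) < 36 or len(cipher) < 36:
        raise ValueError("need at least 36 bytes of ciphertext with known plaintext")
    guid = bytes(cipher[i] ^ known_plain[i] for i in range(36)).decode("ascii")
    uuid.UUID(guid)                           # ValueError if the crib was wrong
    return guid


class MsvcRand:
    """The MSVC CRT srand()/rand() LCG: state = state*214013 + 2531011 (mod 2^32),
    rand() = (state >> 16) & 0x7fff. Given the seed, the whole stream is known."""
    MULT, INC, MASK = 214013, 2531011, 0xFFFFFFFF

    def __init__(self, seed: int):
        self.state = seed & self.MASK         # srand(seed)

    def rand(self) -> int:
        self.state = (self.state * self.MULT + self.INC) & self.MASK
        return (self.state >> 16) & 0x7FFF


def xor_with_rand_stream(data: bytes, seed: int) -> bytes:
    """XOR each byte with the low byte of the next rand() output (ASSUMED layout).
    Encryption and decryption are the same operation."""
    rng = MsvcRand(seed)
    return bytes(b ^ (rng.rand() & 0xFF) for b in data)


def recover_seed(cipher: bytes, known_prefix: bytes, seed_lo: int, seed_hi: int):
    """Brute-force the seed over [seed_lo, seed_hi) using a known plaintext prefix.
    A time()-based seed only needs a window around the capture timestamp."""
    n = len(known_prefix)
    for seed in range(seed_lo, seed_hi):
        if xor_with_rand_stream(cipher[:n], seed) == known_prefix:
            return seed
    return None


if __name__ == "__main__":
    ct = xor_with_guid_key(SAMPLE_BEACON, BEACON_RESPONSE_GUID)
    print("recovered GUID key:", recover_guid_key(ct, SAMPLE_BEACON))
    ct2 = xor_with_rand_stream(SAMPLE_BEACON, 1_700_000_000)
    print("recovered seed:", recover_seed(ct2, SAMPLE_BEACON[:9], 1_699_999_000, 1_700_001_000))
```

For traffic analysis the practical consequence is that the GUID scheme gives no confidentiality once one beacon format is known, and any srand/rand scheme can be decrypted offline once the seed is found, so captured PCAPs from such a variant are recoverable without the implant.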
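The T1027.001 row says a variant pads its DLL with junk so the file exceeds the size an AV engine will scan. Junk appended after the last section is an "overlay" that the PE headers do not account for, which makes it cheap to measure without scanning the whole file. The check below is an added example written for this page, not code from the reports or from any AV product; it builds a constructed minimal PE32 image as its fixture, and the size and ratio thresholds in looks_padded are assumptions for triage.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot for the Authenticode blob


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    return struct.unpack_from("<I", buf, off)[0]


def pe_layout(data: bytes):
    """Return (end of last section's raw data, cert offset, cert size) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    dd_base = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data directories
    cert_off = _u32(data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    cert_size = _u32(data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY + 4)
    sect = opt + opt_size
    end = 0
    for i in range(nsections):
        hdr = sect + 40 * i
        end = max(end, _u32(data, hdr + 20) + _u32(data, hdr + 16))  # PointerToRawData + SizeOfRawData
    return end, cert_off, cert_size


def overlay_size(data: bytes) -> int:
    """Bytes past the last section that the headers do not describe."""
    end, cert_off, cert_size = pe_layout(data)
    overlay = max(0, len(data) - end)
    if cert_size and cert_off >= end:        # an Authenticode signature legitimately lives here
        overlay -= min(cert_size, overlay)
    return overlay


def looks_padded(data: bytes, min_overlay: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Triage heuristic (thresholds are assumptions): a large overlay that dominates the file."""
    ov = overlay_size(data)
    return ov >= min_overlay and ov / len(data) >= min_ratio


def build_minimal_pe(code: bytes, overlay: bytes = b"", cert: bytes = b"") -> bytes:
    """Hand-assemble a tiny PE32 DLL image (CONSTRUCTED fixture; not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)      # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    raw_ptr, raw_size = 0x400, (len(code) + 0x1FF) & ~0x1FF
    if cert:                                                             # point SECURITY dir at the blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         raw_ptr + raw_size, len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(code), 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(raw_ptr, b"\0") + code.ljust(raw_size, b"\0") + cert + overlay


if __name__ == "__main__":
    padded = build_minimal_pe(b"\x90" * 100, overlay=b"\0" * (8 << 20))
    print("overlay bytes:", overlay_size(padded), "padded:", looks_padded(padded))
```

Signed binaries and self-extracting installers carry legitimate overlays, so treat a hit as a reason to hash and inspect the sections, not as a verdict; the header-only read also means the check costs the same for a 200 KB DLL and a 200 MB one, which is exactly the asymmetry the padding was meant to exploit.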
Groups That Use This Software

ID | Name | References
---|---|---
G0030 | Lotus Blossom | (Citation: Lotus Blossom Dec 2015) (Citation: Emissary Trojan Feb 2016)
References
- Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.