Skip to content

S0081 Elise

Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. 12

Item Value
ID S0081
Associated Names BKDR_ESILE, Page
Type MALWARE
Version 1.2
Created 31 May 2017
Last Modified 20 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
BKDR_ESILE 1
Page 1

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Elise executes net user after initial communication is made to the remote server.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Elise communicates over HTTP or HTTPS for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Elise configures itself as a service.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Elise exfiltrates data using cookie values that are Base64-encoded.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Elise encrypts exfiltrated data with RC4.1
enterprise T1083 File and Directory Discovery A variant of Elise executes dir C:\progra~1 when initially run.12
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Elise is capable of launching a remote shell on the host to delete itself.2
enterprise T1070.006 Timestomp Elise performs timestomping of a CAB file it creates.1
enterprise T1105 Ingress Tool Transfer Elise can download additional files from the C2 server for execution.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.1
enterprise T1027 Obfuscated Files or Information Elise encrypts several of its files, including configuration files.1
enterprise T1057 Process Discovery Elise enumerates processes via the tasklist command.2
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Elise injects DLL files into iexplore.exe.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.1
enterprise T1082 System Information Discovery Elise executes systeminfo after initial communication is made to the remote server.1
enterprise T1016 System Network Configuration Discovery Elise executes ipconfig /all after initial communication is made to the remote server.12
enterprise T1007 System Service Discovery Elise executes net start after initial communication is made to the remote server.1

Groups That Use This Software

ID Name References
G0030 Lotus Blossom 32

References

  1. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. 

  2. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. 

  3. Baumgartner, K.. (2015, June 17). The Spring Dragon APT. Retrieved February 15, 2016.