S0082 Emissary
Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise; both Trojans belong to a malware group referred to as LStudio. [1]
Item | Value |
---|---|
ID | S0082 |
Associated Names | - |
Type | MALWARE |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 09 August 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Emissary uses HTTP or HTTPS for C2. [1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Variants of Emissary have added Run Registry keys to establish persistence. [2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Emissary has the capability to create a remote shell and execute specified commands. [1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Emissary is capable of configuring itself as a service. [2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | The C2 server's response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data. [1] |
enterprise | T1615 | Group Policy Discovery | Emissary has the capability to execute gpresult. [2] |
enterprise | T1105 | Ingress Tool Transfer | Emissary has the capability to download files from the C2 server. [1] |
enterprise | T1027 | Obfuscated Files or Information | Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the srand and rand functions. [1][2] |
enterprise | T1027.001 | Binary Padding | A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan. [2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Emissary has the capability to execute the command net localgroup administrators. [2] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Emissary injects its DLL file into a newly spawned Internet Explorer process. [1] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | Variants of Emissary have used rundll32.exe in Registry values added to establish persistence. [2] |
enterprise | T1082 | System Information Discovery | Emissary has the capability to execute the ver and systeminfo commands. [2] |
enterprise | T1016 | System Network Configuration Discovery | Emissary has the capability to execute the command ipconfig /all. [2] |
enterprise | T1007 | System Service Discovery | Emissary has the capability to execute the command net start to interact with services. [2] |
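The table above pairs two host-observable behaviours that a detection engineer can key on without any sample-specific indicators: a Run-key value that launches a DLL through rundll32.exe (T1547.001 with T1218.011), and the burst of built-in discovery commands (ver, systeminfo, ipconfig /all, net localgroup administrators, net start, gpresult) run through the command shell (T1059.003). The following is an added example written for this page, not code from ATT&CK or from the cited Unit 42 reports. It runs both checks over constructed Sysmon-style records; the field names (event_id, ts, target_object, details, parent_pid, command_line), the window and threshold values, and all paths and PIDs in the sample data are assumptions for illustration.

```python
"""Added example: detection logic for two behaviours the ATT&CK table attributes to
Emissary variants, run over constructed Sysmon-style records. Editor-written illustration,
not code from the ATT&CK page or the cited Unit 42 reports.

  * T1547.001 + T1218.011: a Run-key value whose data launches rundll32.exe with a DLL
  * T1059.003 + discovery (T1082, T1016, T1069.001, T1007, T1615): several of the
    listed discovery commands spawned by one parent within a short window

Field names (event_id, ts, target_object, details, parent_pid, command_line) are
assumptions loosely modelled on Sysmon event IDs 13 and 1, not a real log schema.
"""
import re
from collections import defaultdict

# Assumption: persistence lands under a Run or RunOnce subkey, and the value data
# invokes rundll32 with a .dll path (optionally quoted), as the table describes.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*?\.dll', re.IGNORECASE)

# The discovery commands listed for Emissary on this page, in canonical form.
DISCOVERY_CMDS = (
    "ver", "systeminfo", "ipconfig /all",
    "net localgroup administrators", "net start", "gpresult",
)
SHELL_PREFIX_RE = re.compile(r"^(?:.*\\)?cmd(?:\.exe)?\s+/c\s+")


def discovery_command(command_line):
    """Return the canonical discovery command a process command line runs, or None."""
    cmd = " ".join(command_line.lower().split())        # normalise case and whitespace
    cmd = SHELL_PREFIX_RE.sub("", cmd)                    # drop a leading "cmd.exe /c "
    for canon in DISCOVERY_CMDS:
        if cmd == canon or cmd.startswith(canon + " "):   # allow trailing args, e.g. gpresult /r
            return canon
    return None


def find_rundll32_run_keys(events):
    """Run-key writes (event_id 13) whose value data starts a DLL through rundll32."""
    return [
        (ev["target_object"], ev["details"])
        for ev in events
        if ev.get("event_id") == 13
        and RUN_KEY_RE.search(ev["target_object"])
        and RUNDLL_RE.search(ev["details"])
    ]


def find_discovery_bursts(events, threshold=3, window=60):
    """Parents that spawned >= threshold distinct discovery commands within `window` seconds.

    Returns {parent_pid: sorted canonical commands seen in the first qualifying window}.
    """
    by_parent = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        canon = discovery_command(ev["command_line"])
        if canon:
            by_parent[ev["parent_pid"]].append((ev["ts"], canon))

    flagged = {}
    for ppid, items in by_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):               # slide a window from each event
            seen = {c for ts, c in items[i:] if ts - start <= window}
            if len(seen) >= threshold:
                flagged[ppid] = sorted(seen)
                break
    return flagged


# Constructed sample telemetry (not real Emissary artefacts); paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"event_id": 13, "ts": 100,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"rundll32.exe C:\Users\u\AppData\Roaming\load.dll,Run"},
    {"event_id": 13, "ts": 101,
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Program Files\Updater\Updater.exe /background"},
    {"event_id": 1, "ts": 200, "parent_pid": 4242, "command_line": "cmd.exe /c ver"},
    {"event_id": 1, "ts": 203, "parent_pid": 4242, "command_line": "cmd.exe /c systeminfo"},
    {"event_id": 1, "ts": 207, "parent_pid": 4242, "command_line": "cmd.exe /c ipconfig /all"},
    {"event_id": 1, "ts": 210, "parent_pid": 4242, "command_line": "cmd.exe /c net localgroup administrators"},
    {"event_id": 1, "ts": 215, "parent_pid": 4242, "command_line": "cmd.exe /c net start"},
    {"event_id": 1, "ts": 900, "parent_pid": 7777, "command_line": "ipconfig /all"},  # lone admin, under threshold
]

if __name__ == "__main__":
    print(find_rundll32_run_keys(SAMPLE_EVENTS))
    print(find_discovery_bursts(SAMPLE_EVENTS))
```

The Run-key check fires on the value data, not the value name, because the name is attacker-chosen; the burst check keys on the parent process so that a single administrator running ipconfig once is not flagged while a shell spawned by an implant running five of the listed commands in a row is. Both are starting points to be tuned against local baselines rather than finished rules.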
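The T1027.001 row describes a variant that pads its DLL with junk after the real content so the file exceeds what a scanner will inspect. The size itself is easy to see; what distinguishes padding from a merely large DLL is that the junk sits past the last section's raw data, in what PE tooling calls the overlay. Below is an added example, written for this page and not taken from ATT&CK or the cited reports, that measures the overlay from the PE headers and excludes a legitimately present Authenticode certificate table before applying a size heuristic. The header offsets come from the PE/COFF format; the thresholds, the build_sample_pe helper and its contents are assumptions constructed for illustration, not a real Emissary sample.

```python
"""Added example: a file-level check for T1027.001 binary padding as the ATT&CK table
describes it for an Emissary variant (junk appended after the DLL's last section).
Editor-written illustration, not code from the ATT&CK page or the cited reports.
The thresholds are assumptions; the header offsets are from the PE/COFF format itself.
"""
import struct


def pe_overlay(data):
    """Return (end_of_mapped_data, overlay_bytes) for a PE file.

    The overlay is everything past the last section's raw data. An Authenticode
    certificate table lives in the overlay legitimately, so its size is excluded.
    Raises ValueError for anything that is not a PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_hdr = e_lfanew + 24
    sec_table = opt_hdr + opt_size

    end = sec_table + 40 * num_sections            # headers are part of the mapped image
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)

    # Data directory 4 (security) holds the Authenticode blob as a file offset; subtract it.
    magic, = struct.unpack_from("<H", data, opt_hdr)
    dd_base = opt_hdr + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    cert_size = 0
    if opt_size >= dd_base - opt_hdr + 5 * 8:
        cert_off, cert_size = struct.unpack_from("<II", data, dd_base + 4 * 8)
        if cert_size and cert_off < end:
            cert_size = 0                          # malformed: not actually in the overlay
    overlay = max(0, len(data) - end) - cert_size
    return end, max(0, overlay)


def looks_padded(data, min_overlay=1024 * 1024, min_ratio=0.5):
    """Heuristic: flag when the unsigned overlay is large in absolute and relative terms.

    Thresholds are assumptions for illustration; tune to the corpus being scanned.
    """
    _, overlay = pe_overlay(data)
    return overlay >= min_overlay and overlay / len(data) >= min_ratio


def build_sample_pe(overlay_bytes):
    """Constructed minimal PE32 DLL with one 0x200-byte section (not a real Emissary sample)."""
    buf = bytearray(0x40)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew
    buf += b"PE\0\0"
    buf += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # COFF header: 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic; data directories empty
    buf += opt
    buf += b".text\0\0\0" + struct.pack("<IIIIIIHHI",
                                        0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    buf += b"\0" * (0x200 - len(buf))                            # pad headers to file alignment
    buf += b"\xCC" * 0x200                                       # section raw data
    buf += b"J" * overlay_bytes                                  # appended junk
    return bytes(buf)


if __name__ == "__main__":
    for size in (0, 3 * 1024 * 1024):
        sample = build_sample_pe(size)
        print(size, pe_overlay(sample), looks_padded(sample))
```

Installers, self-extracting archives and some packers also carry large overlays, so the heuristic is a triage signal to combine with the other behaviours on this page rather than a verdict on its own; the certificate exclusion matters because signed binaries would otherwise all show a non-zero overlay.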
Groups That Use This Software
ID | Name | References |
---|---|---|
G0030 | Lotus Blossom | [1][2] |
References
1. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
2. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.