Skip to content

S0082 Emissary

Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. 1

Item Value
ID S0082
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 09 August 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Emissary uses HTTP or HTTPS for C2.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Variants of Emissary have added Run Registry keys to establish persistence.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Emissary has the capability to create a remote shell and execute specified commands.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Emissary is capable of configuring itself as a service.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.1
enterprise T1615 Group Policy Discovery Emissary has the capability to execute gpresult.2
enterprise T1105 Ingress Tool Transfer Emissary has the capability to download files from the C2 server.1
enterprise T1027 Obfuscated Files or Information Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the “srand” and “rand” functions.12
enterprise T1027.001 Binary Padding A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.2
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Emissary has the capability to execute the command net localgroup administrators.2
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Emissary injects its DLL file into a newly spawned Internet Explorer process.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.2
enterprise T1082 System Information Discovery Emissary has the capability to execute ver and systeminfo commands.2
enterprise T1016 System Network Configuration Discovery Emissary has the capability to execute the command ipconfig /all.2
enterprise T1007 System Service Discovery Emissary has the capability to execute the command net start to interact with services.2

Groups That Use This Software

ID Name References
G0030 Lotus Blossom 12


Back to top