Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part of a larger group oftools referred to as LStudio, ST Group, and APT0LSTU. [1][2]
Name | Description |
---|---|
BKDR_ESILE | |
Page |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Elise executes |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service | |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Elise exfiltrates data using cookie values that are Base64-encoded.[1] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Elise creates a file in |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
Enterprise | T1083 | File and Directory Discovery |
A variant of Elise executes |
|
Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
Elise is capable of launching a remote shell on the host to delete itself.[2] |
.006 | Indicator Removal on Host: Timestomp | |||
Enterprise | T1105 | Ingress Tool Transfer |
Elise can download additional files from the C2 server for execution.[2] |
|
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.[1] |
Enterprise | T1027 | Obfuscated Files or Information |
Elise encrypts several of its files, including configuration files.[1] |
|
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[1] |
Enterprise | T1082 | System Information Discovery |
Elise executes |
|
Enterprise | T1016 | System Network Configuration Discovery |
Elise executes |
|
Enterprise | T1007 | System Service Discovery |
Elise executes |
ID | Name | References |
---|---|---|
G0030 | Lotus Blossom |