Lotus Blossom
Type: Nation-State-Sponsored
Status: Believed Inactive
Other Names: Operation Lotus Blossom / Spring Dragon / ST Group / LStudio / APTOLSTU
Malware: custom Trojan backdoor called "Elise" or "Page" malware (BKDR_ESILE)
- At least three variants; all use separate, but connected, C2 infrastructure
- Evades detection, detects virtual environments, connects to C2 for additional instructions, exfiltrates data
- Encrypted binary configuration data structure containing a list of C2 servers to contact
- A campaign identifier that identifies the specific malware reporting to the C2 server
- C2 communications using a custom format delivered over HTTP or HTTPS
- Upon installation, performs basic network reconnaissance and sends data to C2
- Ability to execute commands, DLLs, and executables; read and write files
- Update configuration and upload configuration data
- The malware injects itself into iexplore.exe, decrypts an embedded DLL located in its resource section ('XDATA') and writes this DLL to a new section of memory in iexplore.exe
- Elise is delivered as the malicious payload of a decoy attachment; the document is usually a personnel roster for a specific military or government office
- May also use the LStudio or Evora tools
Preferred Attack Vector: Spear-phishing and watering-hole attacks