Elise Malware from Operation Lotus Blossom

June 29, 2015 | Garrett Gross

Devotion to the mystic law of hack and defend...

We keep seeing these Advanced Persistent Threat (APT) type attacks crop up throughout the world. One of the main factors that sets these attacks apart from ‘common’ ones is the resources at the attackers' disposal: time, money, and, most importantly, the expertise required to develop custom pieces of malware to carry out specific, targeted attacks.

Operation Lotus Blossom is no exception, and we have already seen over 50 attacks recently linked to this group. While it has mainly attacked government and military targets up to this point, it's still too soon to tell whether its reach might expand into the private sector (a la Duqu and Stuxnet). Initially, the victim is lured into opening an attachment via a targeted spearphishing email. Once they open the tainted attachment, the custom-created ‘Elise’ malware is executed, opening a backdoor on the user’s system and establishing a connection to a command and control (C&C) server. At this point, the victim’s machine is under the attacker’s control. This allows them to conduct network scanning from the inside, exfiltrate data, or even deploy second-stage malware to carry out additional attacks or infect other machines on the network.

Impact on you

  • Having any type of malware on your network puts you at risk of compromise, especially one designed to steal data
  • Once Elise is installed, it has the ability to infect other machines and continue to deliver additional malware variants as needed
  • This malware is specifically designed to steal data from you, putting you and your clients’ sensitive information at risk

How AlienVault Helps

AlienVault Labs continues to perform cutting-edge research on threats like these, collecting large amounts of data and then creating expert threat intelligence as a result. The Labs team has already released IDS signatures and a correlation rule to the AlienVault Unified Security Management (USM) platform so customers can detect activity from Elise. Learn more about this threat intelligence update and others in our forum.

  • System Compromise, Malware infection, Elise

Further Technical Information:

Code42 (Palo Alto) Lotus Blossom report


About the Author: Garrett Gross

Garrett Gross has always had an insatiable appetite for technology and information security, as well as an underlying curiosity about how it all works. Garrett has over 15 years of professional experience in information technology, filling several roles: systems administration, network engineering, product marketing, technical support, and helpdesk. In his current role in field enablement, he uses his experience to help managed security service providers be successful in evangelizing and operationalizing AlienVault USM.
