Threat Report: What is the Emissary Malware and How Does it Work?

Emissary is a Trojan used by Lotus Blossom. It shares code with Elise, with both Trojans being part of a malware group referred to as LStudio. Emissary affects the Windows operating system; it can execute various commands and inject its own DLL file into a newly spawned Internet Explorer process. Variants of Emissary have used various XOR operations to encrypt C2 data, as well as a custom algorithm that uses the "srand" and "rand" functions.

Emissary Malware Capabilities

  • Emissary is malware that uses symmetric encryption to conceal command and control traffic and may also abuse rundll32.exe to proxy execution of malicious code.
  • The Emissary malware may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. This will cause the program to be executed when a user logs in. The malware may also transfer tools or other files from an external system into a compromised environment. Once present, the malware may also transfer/spread tools between victim devices within a compromised environment.
  • The Emissary malware may attempt to gather information about the operating system and hardware, as well as registered local system services. This information may be used to determine which users have elevated permissions.
  • Emissary is a remote access tool that uses application layer protocols to communicate with a remote system in order to control it. It may also abuse the Windows command shell for execution. Additionally, it may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.
  • Emissary is malware that may use binary padding to add junk data and change the on-disk representation of a binary, making it difficult to discover or analyze. The malware may also gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and patterns in domain objects that can be manipulated.

Ways to Mitigate Emissary Malware Attacks

  • Emissary attacks can be mitigated by decoding the symmetrically encrypted network traffic to detect malware communications signatures. Additionally, system and network discovery techniques can be used to identify potential malware activity, and process monitoring can be used to monitor the execution of rundll32.exe and compare it with known good arguments and loaded DLLs.
  • Emissary attacks can be mitigated by viewing data and events as part of a chain of behavior, rather than in isolation. This will help to identify other activities that the adversary may be carrying out, such as Lateral Movement.
  • Emissary attacks can be mitigated by analyzing network data for unusual data flows, monitoring processes and command-line arguments for actions that could create or modify services, and collecting service utility execution and service binary path arguments for analysis.
  • System and network discovery techniques can be used to detect malicious activity. If detection of the obfuscation process is not possible, it may be possible to detect the activity that caused the obfuscated file.
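The rundll32.exe monitoring described above, as an added example that is not part of the report: process-creation records are compared against an allow-list of known-good argument patterns, and any deviation (unlisted arguments, a module loaded from outside the Windows system directories, a non-DLL extension) is reported. The baseline patterns and the log records are constructed samples, not telemetry from a real Emissary incident.

```python
import re

# Constructed allow-list of rundll32 invocations seen on a clean host; a real
# baseline must be built from the environment's own process telemetry.
KNOWN_GOOD = [
    re.compile(r"^C:\\Windows\\System32\\shell32\.dll,Control_RunDLL\b", re.I),
    re.compile(r"^C:\\Windows\\System32\\user32\.dll,LockWorkStation$", re.I),
]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Matches rundll32 / rundll32.exe, optionally quoted and with a full path.
RUNDLL32 = re.compile(r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?(?:\s+(.*))?$', re.I)

def rundll32_args(cmdline: str):
    """Return rundll32's argument string ('' if none), or None if not rundll32."""
    m = RUNDLL32.match(cmdline.strip())
    return None if not m else (m.group(1) or "").strip()

def assess(cmdline: str) -> list[str]:
    """List the reasons a rundll32 command line departs from the baseline."""
    args = rundll32_args(cmdline)
    if args is None or any(p.match(args) for p in KNOWN_GOOD):
        return []                      # not rundll32, or a known-good invocation
    reasons = ["arguments not in known-good baseline"]
    if not args:
        return reasons + ["no DLL argument"]
    dll = args.split(",", 1)[0].strip('"').lower()   # module before the comma
    if not dll.startswith(SYSTEM_DIRS):
        reasons.append("DLL loaded from outside Windows system directories")
    if not dll.endswith((".dll", ".cpl")):
        reasons.append("module has a non-DLL extension")
    return reasons

def triage(records):
    """Return (pid, reasons) for each record whose command line is suspicious."""
    out = []
    for r in records:
        reasons = assess(r["cmdline"])
        if reasons:
            out.append((r["pid"], reasons))
    return out

# Constructed process-creation records (not real telemetry).
SAMPLE_RECORDS = [
    {"pid": 4120, "cmdline": r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL inetcpl.cpl'},
    {"pid": 5516, "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\bob\AppData\Local\Temp\update.dll,Start'},
    {"pid": 6032, "cmdline": r'rundll32.exe C:\ProgramData\svc.tmp,DllMain'},
    {"pid": 7001, "cmdline": r'C:\Windows\System32\svchost.exe -k netsvcs'},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_RECORDS):
        print(pid, "->", "; ".join(reasons))
```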

Reactionary Times News Desk