
Elise Malware

Posted: May 11, 2020

The Elise Malware is a backdoor Trojan that lets attackers administer your system remotely, including controls for activities such as downloading other threats or collecting information. It also is noteworthy for the extent of the evasion checks it uses to avoid installing in protected or analysis-oriented environments. Users can defend themselves with sandboxes and virtual machine software, as well as anti-malware tools for removing the Elise Malware in the event of infection.

Flowers Blooming into Not-So-Beautiful Security Problems

Between the purely profit-driven campaigns of the STOP Ransomware's offshoots and the more non-commercial attacks of threats like Aria-body, Hannotog, and the Elise Malware, Asia is a long-term hotbed of activity for threat actors with many motives. The Elise Malware, another personalized backdoor Trojan found only in the hands of a select set of hacker organizations, also is an excellent window into the operational values of these threat actors. The Lotus Blossom APT and 'Dragon Fish' are two well-known wielders of the Trojan, both of which place a heavy emphasis on ducking under the cyber-security industry's analysis nets.

Reports on Elise Malware samples from 2018 offer a reasonably comprehensive examination of its capabilities, which aren't very different from those of other monitoring-oriented backdoor Trojans. It connects to a C&C server to receive instructions on its attack behavior, harvests system environment information like the Windows OS version and timezone, can execute commands, and may download or upload files at will. Structurally, its use of browser proxies (for both Internet Explorer and Firefox) and process injection are potentially powerful obfuscating elements that help the Elise Malware hide itself.

Malware researchers also can point to the many environmental checks in the Elise Malware's setup routine, which suggest that the threat actors are keeping the Trojan out of analysts' hands insofar as possible. The Elise Malware looks for VMware, unusual disk or process names, examines the device's address, and searches for a range of analysis tools like Sandboxie and Win Sniffer. In these scenarios, the installation routine aborts, keeping the Elise Malware out of researchers' collection nets.
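The environmental checks described above leave traces that static triage can pick up: a sample that aborts when it sees VMware, Sandboxie or Win Sniffer usually carries those names as strings. The following is an added example written for this write-up, not code from the article or from any Elise sample. It extracts narrow and wide printable strings from a binary blob and groups the indicators it finds by the evasion technique they hint at. The indicator list (beyond the three tools the article names) and the sample blob are constructed for illustration.

```python
"""Static triage helper: report anti-analysis indicator strings in a suspicious binary.

Added example for this write-up, not code from the article or from Elise itself. The
indicator list and the sample blob below are constructed for illustration."""
import re
from typing import Dict, List

# Indicators grouped by the evasion technique they hint at. "vmware", "sandboxie" and
# "win sniffer" come from the article; the rest are common artefacts added here.
ANTI_ANALYSIS_INDICATORS: Dict[str, List[str]] = {
    "vm_detection": ["vmware", "vbox", "virtualbox", "qemu"],
    "sandbox_detection": ["sandboxie", "sbiedll"],
    "sniffer_detection": ["win sniffer", "wireshark"],
}

# Printable runs of four or more characters, narrow (ASCII) and wide (UTF-16LE).
_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE strings, similar to `strings -e l`."""
    found = [m.group().decode("ascii") for m in _ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in _WIDE_RE.finditer(data)]
    return found


def find_anti_analysis_indicators(data: bytes) -> Dict[str, List[str]]:
    """Map each evasion category to the indicator strings present in `data`.

    Categories with no hits are omitted, so an empty dict means nothing was found."""
    haystack = [s.lower() for s in extract_strings(data)]
    hits: Dict[str, List[str]] = {}
    for category, needles in ANTI_ANALYSIS_INDICATORS.items():
        matched = sorted({n for n in needles if any(n in s for s in haystack)})
        if matched:
            hits[category] = matched
    return hits


# Constructed stand-in for a dropped binary: a fake MZ header, two narrow strings and
# one wide string, padded with nulls so the runs are separated.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"VMware" + b"\x00" * 4
    + "SbieDll.dll".encode("utf-16le") + b"\x00" * 4
    + b"Win Sniffer" + b"\x00" * 4
    + b"kernel32.dll\x00GetTickCount\x00"
)

if __name__ == "__main__":
    for category, indicators in find_anti_analysis_indicators(SAMPLE_BLOB).items():
        print(f"{category}: {', '.join(indicators)}")
```

Packed or encrypted samples hide these strings until unpacking, so an empty result is not a clean bill of health; the value of the check is in triaging unpacked droppers and in confirming why a sample refused to run in a lab VM.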

Documenting the Documents that Drop Dangers

Most of the espionage campaigns that malware researchers trace to their original infection vectors rely on some means of delivering harmful documents. The Elise Malware clings to tradition in this respect, with attacks requiring that victims open weaponized text files (RTFs listing government defense officials, for example). The embedded exploits usually are kept current to the date of the attack, such as a 2018 infection scenario using CVE-2018-0802 instead of an older equivalent. The Elise Malware's loader runs via injection into a default Windows process, which hides the signs of the breach from users.
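CVE-2018-0802, the vulnerability cited above, is a flaw in Microsoft Office's Equation Editor (EQNEDT32.EXE), which documents reach through an embedded OLE object whose class name is "Equation.3". A defender triaging suspicious RTF attachments can therefore enumerate the embedded objects and flag any that point at Equation Editor. The code below is an added example written for this write-up, not code from the article or from any Elise sample; the RTF document in it is constructed, contains no exploit, and the "Equation.3" and "Package" objects carry only their OLE 1.0 headers.

```python
"""RTF triage: enumerate embedded OLE objects and flag Equation Editor class names.

Added example for this write-up, not code from the article or from any Elise sample.
CVE-2018-0802, cited above, is a flaw in Office's Equation Editor (EQNEDT32.EXE), whose
OLE class name is "Equation.3"; the RTF below is constructed and carries no exploit."""
import re
import struct
from typing import Dict, List, Optional

# Lower-case substrings that mark an object as pointing at Equation Editor.
SUSPICIOUS_CLASS_MARKERS = ("equation", "eqnedt")

# RTF control words such as \par or \bin123 that may be scattered through \objdata.
_CONTROL_WORD_RE = re.compile(r"\\[a-zA-Z]+-?\d* ?")


def _group_body(text: str, start: int) -> str:
    """Return text from `start` to the brace closing the group we are already inside."""
    depth, i = 1, start
    while i < len(text) and depth:
        c = text[i]
        if c == "\\" and i + 1 < len(text):  # skip \{ \} \\ and control symbols
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        i += 1
    return text[start:i - 1] if depth == 0 else text[start:i]


def _decode_objdata(body: str) -> bytes:
    """Decode an \\objdata payload, dropping control words and non-hex filler."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", _CONTROL_WORD_RE.sub("", body))
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits)


def _ole1_class_name(blob: bytes) -> Optional[str]:
    """Read ClassName from an OLE 1.0 ObjectHeader: version, FormatID, length, ANSI name."""
    if len(blob) < 12:
        return None
    _version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or name_len > 256 or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].split(b"\x00", 1)[0].decode("latin-1")


def triage_rtf(rtf: str) -> List[Dict[str, object]]:
    """List every \\object group with its declared and decoded class, flagging Equation Editor."""
    results: List[Dict[str, object]] = []
    for m in re.finditer(r"\\object\b", rtf):
        body = _group_body(rtf, m.end())
        cls = re.search(r"\\objclass\s*([^\\{}]+)", body)
        declared = cls.group(1).strip() if cls else None
        data = re.search(r"\\objdata\b", body)
        decoded = None
        if data:
            decoded = _ole1_class_name(_decode_objdata(_group_body(body, data.end())))
        names = " ".join(n for n in (declared, decoded) if n).lower()
        results.append({
            "objclass": declared,
            "ole_class": decoded,
            "suspicious": any(k in names for k in SUSPICIOUS_CLASS_MARKERS),
        })
    return results


# Constructed document: one Equation Editor object (with a junk \par inside \objdata,
# a common obfuscation that RTF readers tolerate) and one benign Package object.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Equation.3}
{\*\objdata 01050000\par 02000000 0b000000 4571756174696f6e2e3300 }}
{\object\objemb{\*\objclass Package}
{\*\objdata 0105000002000000080000005061636b6167650000000000}}
}"""

if __name__ == "__main__":
    for obj in triage_rtf(SAMPLE_RTF):
        print(obj)
```

The decoded class name is checked alongside the declared `\objclass` because the two need not agree: a lure can declare a harmless class while the binary header names Equation Editor, and it is the header that decides which component Office loads.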

Like the Russian Kazuar or China's ANEL, the Elise Malware has ties to particular geographic regions. In the hands of hackers like the Lotus Blossom APT, its campaigns target Asian governments, including military entities, with the backdoor Trojan providing a solid foothold into a network. Although software updates always help reduce the vulnerabilities exploitable through documents and spreadsheets, malware analysts strongly recommend additional precautions, such as disabling macros and scanning downloads with appropriate security solutions.

Anti-malware applications with up-to-date databases should delete the Elise Malware properly or identify documents that include content capable of installing it.

Once it has its hooks sunk into a Windows PC, defending against the numerous features the Elise Malware has available isn't an easy feat. While any victim could unplug their network connection, doing so requires knowing that the Trojan is there in the first place – and a paranoid monitor isn't the easiest thing for anyone to catch.
