Detecting Elise variants using Security Analytics

Blog Post created by ahsonbol on Jul 8, 2015

Elise is a backdoor malware family used in operation Lotus Blossom, the cyber espionage campaign identified by Palo Alto unit 42 last month. Elise variants communicate with their C2 servers using HTTP or HTTPS. In this blog post, we will discuss how to detect Elise network activity using RSA Security Analytics.

In case of communication over HTTP, a variant sends the following GET request:


Directory names differ from one variant to another as Elise uses the last four octets of the infected machine MAC address to derive its value. That means the length of the directory field is fixed. In addition, Elise uses the current time of the system as a seed to generate a random value for the second part of the filename. However, the first part of the filename value is the same for all variants as seen in the screenshot below:


Assuming the appropriate meta keys are enabled, the following query can be used to detect Elise HTTP behavior:

          directory length 10 && filename begins 'page_' && extension = 'html'

As for HTTPS communication, the subjects and CAs of the self-signed certificates used in those sessions simply stand out:



Scan results for an Elise variant can be viewed here.

Finally, all of the IOCs from those sessions were added to RSA FirstWatch Live feeds.