Detecting Emissary variants using RSA NetWitness

Blog post created by Ahmed Sonbol (Employee) on Apr 12, 2017

Lotus Blossom is an adversary group that targets military and government organizations in Southeast Asia [1]. Emissary is one of the malware tools used by the group. The oldest Emissary sample was found in 2009 and the malware family has evolved over time [2]. It is usually delivered through well-crafted documents that exploit unpatched vulnerabilities in Microsoft Office.

This threat advisory discusses the host behavior of one of the Emissary variants and how to detect its beaconing activity using RSA NetWitness Logs and Packets.

A dropper loads this Emissary variant from its resource section and writes it to disk, but it doesn't stop there: it keeps inflating the newly created file by appending junk data to it, until the file exceeds 500 MB in size. In the same directory, it drops a copy of itself and an obfuscated configuration file. Analysis indicates that the configuration file holds a unique victim ID and a list of C2 servers.

The dropper proceeds to inject Emissary into the address space of a new Internet Explorer process:

Emissary keeps a log of its activity in clear text:

Emissary collects system information and starts communicating with its primary C2 server as follows:

In the screenshot above, the Cookie field carries both the victim machine's unique ID and its IP address.
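As an added illustration (not code from this advisory or from the NetWitness HTTP Lua parser), the following Python flags HTTP requests whose Cookie header embeds an IPv4 literal, which is the observable described above. The sample requests and the cookie layout are constructed, since the post does not reproduce the exact Emissary cookie format.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample HTTP requests (not captures from the advisory). The only
# assumption taken from the post is that the beacon's Cookie header carries a
# victim ID together with the victim's own IP address; the key names below
# (id=, ip=) are invented for the example.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.1\r\nHost: example.test\r\nCookie: id=a1b2c3d4;ip=10.0.0.25\r\n\r\n",
    "GET /news HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123; lang=en\r\n\r\n",
    "POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
]

# Dotted-quad IPv4 literal; the lookarounds keep it from matching a slice of a
# longer digit run such as a version string "1.2.3.4.5".
IPV4 = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)

def cookie_header(request: str) -> Optional[str]:
    """Return the value of the Cookie header of a raw HTTP request, or None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return None

def suspicious_cookie_ip(request: str) -> Optional[str]:
    """Return the IPv4 literal embedded in the Cookie header, or None if absent."""
    cookie = cookie_header(request)
    if cookie is None:
        return None
    match = IPV4.search(cookie)
    return match.group(0) if match else None

def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Return (request index, embedded IP) for every request whose Cookie holds an IP."""
    hits = []
    for index, request in enumerate(requests):
        ip = suspicious_cookie_ip(request)
        if ip:
            hits.append((index, ip))
    return hits

if __name__ == "__main__":
    for index, ip in scan(SAMPLE_REQUESTS):
        print(f"request {index}: Cookie header embeds host IP {ip} -> candidate apt-emissary-c2")
```

Some load-balancer persistence cookies also encode client addresses, so treat a hit as a lead to be confirmed against the other session fields (User-Agent, URI, destination), not as a verdict on its own.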

An update to the HTTP Lua parser is now available on RSA Live to detect Emissary network activity:

When it detects Emissary traffic, it registers meta to the “Indicators of Compromise” key:

An Emissary sample can be found on VirusTotal here, and a delivery document can be found here.

All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following query:

            threat.desc = 'apt-emissary-c2'

Thanks go to Bill Motley for contributing to this threat advisory.

References:

  1. http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/ 
  2. http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evo… 