PALO ALTO NETWORKS | 4401 Great America Parkway | Santa Clara, CA 95054 www.paloaltonetworks.com OPERATION LOTUSBLOSSOM R E P O R T B Y – ROBERT FALCONE, JOSH GRUNZWEIG, JEN MILLER-OSBORN, RYAN OLSON Introduction 3 Operation Details 3 Vietnam 4 Philippines 10 Taiwan and Hong Kong 11 Indonesia 12 Elise Backdoor Analysis 12 Variant A 13 Variant B 17 Variant C 20 Previous Research 23 Conclusion 24 Appendix 25 Elise Sample Details 25 Elise Executable SHA256 values 33 Elise Delivery Document SHA256 values 34 Elise Command and Control Servers 35 TABLE OF CONTENTS P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 Introduction Operation Lotus Blossom describes a persistent cyber espionage campaign against government and military organizations in Southeast Asia, stretching back over three years. Nations we have identified as targeted in this campaign include Hong Kong, Taiwan, Vietnam, the Philippines and Indonesia. The Lotus Blossom group deploys a backdoor Trojan, named Elise, after the sports car made by Group Lotus PLC of the United Kingdom. The group relies on spear phishing attacks to infect its users, often using a malicious office document and decoy file containing content relevant to the target’s occupation or interests.The spear phishing attachment typically includes exploit code for a well-known Microsoft® Office® vulnerability, CVE-2012-0158, which is used to install the Trojan on the system and then display the decoy file, tricking the user into thinking the file opened correctly. Example decoy files include: • A spreadsheet listing high-level officers in the Philippine Navy, along with their dates of birth and mobile phone numbers. • The operational humanitarian and disaster response (HADR) plan for the Armed Forces of the Philippines, stamped “Secret.” • An invitation to the screening of a film at the Norwegian embassy. While we have not identified specific individuals responsible for these attacks, the evidence suggests a nation state with a strong interest in Southeast Asia. Elise is a custom backdoor Trojan, not readily available online. The tool appears to be used exclusively by Lotus Blossom and was likely developed specifically for their operations. The targets attacked by this group are almost exclusively military and government organizations, whose data is most valuable to other nation states, rather than criminal actors. The fact that this campaign has been ongoing for over three years indicates the individuals behind the attack are well-resourced. Using the Palo Alto Networks® AutoFocus™ platform, which enables analysts to correlate the results of the hundreds of millions of reports generated by the WildFire™ service, Unit 42 has linked over 50 individual attacks to this campaign. The Operational Details section of this report provides details on specific attacks against the targeted governments. The Elise Backdoor Analysis section contains descriptions of how the three different variants of Elise operate and how they changed over time. Domain names and IP addresses used for command and control, as well as hashes of the files used in the attacks are included in the appendix. Operation Details Operation Lotus Blossom repeatedly targeted several Southeast Asian countries’ militaries and government agencies, beginning in 2012 and continuing through 2015.The bulk of the activity discussed in this paper involves heavy targeting against both Vietnam and the Philippines during 2013 and 2014. P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 4 All of the attacks use the custom backdoor Trojan named Elise, which gives the Lotus Blossom group their initial foothold in a network. From there, they can install additional tools, move laterally, and exfiltrate data from the network. Elise is described in more detail later in this report. The operation relies heavily on spear phishing as the initial attack vector, with enticing subject lines and legitimate-looking decoy documents meant to trick users into believing they are opening a legitimate file, as opposed to malware. A popular theme for the decoy documents was personnel rosters, largely claiming to be for specific military or government offices. Another theme was the use of attractive pictures of Asian women that were sourced from the Internet. Some of the information contained in the decoys could be found on the Internet; however, it is worth noting none of the military or government themed decoys could be found. In particular, the decoys used against the Philippines were exclusively military and government themed, with the bulk purporting to be related to the Navy. As we were unable to find any of the decoys online, and they purport to contain sensitive information, we have not included images of them, in case the information is legitimate. One document is even stamped “Secret.” While all of the Lotus Blossom attacks appear to be the work of a single group, the infrastructure used to target each nation is largely separate (Figure 1). EachTrojan binary in this diagram is connected to command and control (C2) IP addresses and domains that are defined in theTrojan’s configuration file. Additionally, the domains are connected to email addresses used to register them, as well as IP addresses they resolve to at the time of the attack.These links create a visual map of the attacks, which shows that, while the infrastructure is not identical in each attack, they are all connected. In the following sections, we will take a closer look at the attacks on each nation. Vietnam The Lotus Blossom campaign against the Vietnamese government was the most persistent and consisted of 11 waves of spear phishing, primarily during November 2014. There were a total of eight droppers — one Microsoft Excel® document and five Microsoft Word® documents. All included a decoy document intended to trick users into believing they had opened a legitimate file rather than malware, and the content of each was different. FIGURE 1 + Elise backdoor samples and C2 infrastructure in distinct but overlapping groups. Vietnam Indonesia Philippines Hong Kong &Taiwan P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 5 The attacks on Vietnam break into two distinct groups. All but three samples used overlapping C2 infrastructure (Figure 2), including two domains registered by “2759931587@qq.com,” which was also used registered C2 domains used in attacks against other Southeast Asian countries. This group of attacks used the following campaign codes to identify their infections, many of which include the string “Alice,” which may have a significance we have not yet identified. • Alice_erpas • Alice_rosey • Alice_15A • Alice_Spider • Alice_vishipel • jessica-cpt-app • oyf • ooo FIGURE 2 + Elise samples and infrastructure used to target the Vietnamese government. P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 6 The second group of attacks (Figure 3) used a different registrant not seen elsewhere in this activity, but overlap with targeting, campaign code structure, and one C2 IP address. While the other domains maintained the information they were originally registered with, one domain used here was registered by ‘paulzz@yeah.net’ and then updated to ‘studywindows123@outlook.com’. The initial registrant also registered other domains detailed in this paper, targeting other Southeast Asian countries prior to their updating, indicating this may be a reseller favored by particular APT group(s). It could also be a simple matter of actor preference, but we cannot say for sure one way or the other. The other domain used a registrar that does not show any registration information. The three campaign codes used with these samples are below. • QY030610 • KITY01232 • KITY090901 FIGURE 4 + Instructions on how to install and use LogFusion, a legitimate tool used to parse log files. FIGURE 3 + Diagram of second group of Vietnam attacks. Most of the attachments used in this campaign had a technical theme, shown in figures two through four. Additionally, all were written in Vietnamese. We are not including an image of one sample, as it claims to be a certification test for a particular type of VSAT terminals. It is unknown how the actors obtained a test for this course, assuming the questions are legitimate. P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 7 FIGURE 5 + The agenda for Vietnam’s Ministry of Information and Communication workshop with Vibrand, which was held on 4 December 2014. The purpose of the workshop was promoting the development of products and IT services in Vietnam. FIGURE 6 + Excel spreadsheet titled “VPTW Transfer Network Phase 2” and lists a number of provinces in Vietnam as well as Taiyuan in China. P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 8 The final four sample decoy documents had very different themes. One was an invitation to an event at the Norwegian Embassy in Vietnam commemorating the anniversary of the Kon-Tiki voyage (Figure 7). Of note, the date of the invitation is incorrect — the actual event took place 11 and 12 December 2014. The requested email address accepting RSVPs also seems just slightly suspicious, and they helpfully instructed the recipients to forward the invitation, if they were unable to attend. Two of the decoys contained one or more images of attractive Asian women taken from the Internet, one of which (shown in Figure 8) was used multiple times. The final decoy contained a Merry Christmas image with broken English text. FIGURE 7 + Fake invitation to an event commemorating the Kon-Tiki voyage. FIGURE 8 + Photo of Hoàng Thùy Linh, a Vietnamese actress and singer. FIGURE 9 + A Merry Christmas image with broken English text. P A L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 9 The second group of attacks also used decoy documents written in Vietnamese. One document purported to be a contact roster and contains the names and Vietnamese webmail email addresses for multiple high-level Vietnamese officials. The first page of the second decoy is shown below (Figure 10) and claims to be an IT upgrade plan for 2015 for the Vietnamese government. The final sample also appears to be related to an IT upgrade plan, with implementation dates and responsible individuals (Figure 11.) FIGURE 10 + Claims to be an IT upgrade plan for 2015 for the Vietnamese government. FIGURE 11 + Also appears to be related to an IT upgrade plan, with implementation dates and responsible individuals. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 0 Philippines The Lotus Blossom operation has targeted the Philippine government, with a particular focus on the military, since at least 2013. We identified six unique Elise droppers, each with its own decoy document and content. These samples all had overlapping command and control infrastructure (Figure 12). All six decoy documents were related to the Philippine military or government, primarily claiming to contain contact information for high-level officers and officials. We are not including images, as it is possible the information is legitimate, but the subject lines with brief descriptions are included in Table 1 below. FIGURE 12 + Connections between Elise samples and C2 servers used in attacks on the Philippines. Decoy Name Decoy Description DFA GAD Directory Claims to be a directory of personnel in the Philippine Department of Foreign Affairs Gender and Development, including private emails and cellphones. HADR PLAN 29 May 14 Claims to be the operational humanitarian and disaster response (HADR) plan for the Armed Forces of the Philippines and is stamped “Secret.” C,1AD NR 03-0226-313-14 Claims to document a problem logging into an account for a specific real-time aircraft tracking system and appears to be a Philippine Air Force document. RQST MOUTPIECE LOUD HAILER Claims to be a requisition form for a mouthpiece for a specific hailer for a specific unit. PN KEYPOSITION with CELL Nrs Claims to be a roster of high-level officers at the Philippine Naval Headquarters and is dated 23 June 2014. It has birth dates and cellphone number as well as current job roles. Cellphone Number Claims to be a roster of high-level officers at the Philippine Naval Headquarters and is dated February 2015. It contains job roles as well as cellphone numbers. Table 1 + Names and descriptions of decoy documents included in attacks on the Philippine government and military. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 1 In contrast to the Vietnamese targeting, this activity involves a mix of actor-registered and dynamic DNS (DDNS) domains use for C2. However, the actor-registered domain also used the same initial registrant, ‘paulzz@yeah.net,’ as the final two Vietnamese samples discussed above, and most campaign codes also appear to end with a date. Also of note, all but two of these samples used campaign codes that started with ‘340‘. The text within three of the campaign codes refers to the decoy contents. The campaign codes we saw with the Philippines’ activity are below. • 340_typhoon • 340-0226 • 340-dfa-520 • 340-0528 • phone • key0730 Taiwan and Hong Kong We uncovered three droppers that targetedTaiwan and one that targeted Hong Kong. One of these claimed to be a current staff contact list, but when opened, did not contain any information. As this is the only roster-themed decoy that did not contain any information, it may indicate this was a mistake on the threat actor’s part. We were unable to recover decoy documents for the other two. The sample targeting Hong Kong contains earthquake safety information in long form Chinese, copied from the Internet and widely circulated in multiple languages, since at least 2009. It has its own entry on Snopes.com evaluating the accuracy of the informationi .This sample is also an outlier, in that it targeted a science and technology university, in contrast to most of the other targeting that had a government or military focus. This activity shows the clearest striation (Figure 13), with the cluster on the left using the first two campaign codes below. • 310-pyq • mm-0807 • cyd-zc It is possible this represents two sub-groups targeting Taiwan and Hong Kong with the same malware over the same period of time. Interestingly, the cluster in the upper left uses some infrastructure used in the Vietnamese activity, as well as a registrant seen in the Philippines’ activity. FIGURE 13 + Connections between Elise samples and C2 servers used in attacks on Taiwan and Hong Kong. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 2 Indonesia We identified one Elise dropper carrying a decoy document written in Indonesian that contains information about health foods to avoid the flu, including a picture of a sweet potato. It appears to have been copied directly from the Internet. The campaign code used in this attack was “36-SC-0115,” as well as the following C2 servers. • 122.10.89.84 • beckhammer.xicp.net The campaign code and C2s are shown below, and the C2 matches up with one of the Philippine-targeted samples in the previously discussed activity. In addition, the campaign code format and numbers at the end of the campaign code appear to be a date, which is also similar to the Philippines’ activity. Elise Backdoor Analysis Over the course of our research, Unit 42 has identified over 50 samples belonging to the Elise malware family.Through analysis of these files, we have grouped them into three distinct variants. Compile timestamps for these samples ranged from June 2012 to March 2015.The naming of the three Elise malware variants coincides with their original compile timestamps, starting with the oldest. Please note that these variant labels may not coincide with naming conventions created by the antivirus industry. While each variant uses distinct mechanisms for infecting the system and remaining persistent between reboots, all three variants share the following common attributes: • An encrypted binary configuration data structure containing a list of C2 servers to contact. • A campaign identifier, such as ‘jessica-cpt-app’ or ‘370my0216’, which identifies the specific malware reporting to the C2 server. • C2 communications using a custom format delivered over HTTP or HTTPS. • Performs basic network reconnaissance upon installation and reports findings to C2 server. Each variant of Elise contains the functionality to perform the following tasks: • Execute commands, DLLs, or executables • Write Files • Read Files • Update Configuration • Upload Configuration Data FIGURE 14 + Decoy document written in Indonesian, which describes foods that help fend off the flu. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 3 Variant A The first variant of Elise identified by Unit 42 has a compile date set in mid-2012. This particular variant has a configuration size of 1480 and the ability to install itself as either a service or executable. Variant ‘A’ is delivered via a dropper executable file, which differs from later variants that are typically deployed with a malicious Microsoft Office document. When executed, the malware will configure itself for deletion upon reboot, using the MoveFileExA function, as seen below. MoveFileExA(self, 0, MOVEFILE_DELAY_UNTIL_REBOOT); Readers may recall seeing this technique used by the Microsoft Excel shellcode identified in the Vietnam campaign. The malware proceeds to extract and decrypt an embedded DLL to the following location. • %APPDATA%\Microsoft\Network\mssrt32.dll The following algorithm is used to encrypt/decrypt the embedded DLL: void decrypt_string(char *encrypted, int size) { int i; if ( encrypted ) { for ( i = size - 1; i > 0; --i ) encrypted[i] ^= encrypted[i - 1]; *encrypted ^= 0x15; } } Prior to writing this DLL to disk, the malware will write the encrypted configuration to this DLL. The following Python code may be used to decrypt this configuration: from ctypes import * from struct import * import sys fh = open(sys.argv[1], ‘rb’) fd = fh.read() fh.close() cdll.msvcrt.srand(2014) out = “” for x in fd: out += chr(ord(x) ^ (cdll.msvcrt.rand() % 128)) print repr(out) PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 4 The malware proceeds to configure the mssrt32.dll DLL as a service. This service is configured with properties specified in the malware’s configuration. The following example was identified in one of the samples analyzed. This service is then manually started using a call to the StartServiceA function. Should the installation of this newly created service fail, the malware will instead write an executable to the following location: • %APPDATA%\Microsoft\Network\svchost.exe The name of this executable is specified within the malware’s configuration data. This file is embedded and dropped in the same manner the mssrt32.dll file was previously. Persistence for this executable is set via the following registry key: • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe Finally, this executable is run via a call to the ShellExecuteW function. This dropped DLL or executable contains the actual Elise malware. When run, it will begin by deleting the following file should it exist: • %TEMP%\000ELISEA350.TMP This file will be used going forward to store any log data generated by Elise. The malware writes its encrypted configuration to one of the following locations: • %APPDATA%\Microsoft\Network\6B5A4606.CAB • %APPDATA%\Microsoft\Network\6B5A4607.CAB Service Name MSCM Display Name Microsoft Security Compliance Manager Description The service provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization¡¯s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. Image Path %SystemRoot%\System32\svchost.exe -k MSCM Service DLL %APPDATA%\Microsoft\Network\mssrt32.dll Service Main ESEntry PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 5 The following script can decrypt and parse the CAB file: import sys from struct import * from ctypes import * def decrypt(data): cdll.msvcrt.srand(2014) out = “” for x in data: out += chr(ord(x) ^ (cdll.msvcrt.rand() % 128)) return out def parse_config(out): identifier, \ compile_time, \ unknown1, \ sleep_timer, \ unknown_bool, \ campaign, \ c1, c2, c3, c4, c5, \ unknown_bool2, \ unicode_exe_name, \ service_name, \ registry_service_name, \ display_name, \ service_description = unpack(“40siiib20s50s50s50s50s50sb40s20s20s50 s700s”, out[0:1154]) print “Config Identifier : %s” % identifier print “CompileTime : %s” % compile_time print “Unknown DWORD : %s” % unknown1 print “SleepTimer : %s” % sleep_timer print “Unknown Bool Value : %s” % unknown_bool print “Campaign : %s” % campaign print “Command and Control : %s” % c1 print “Command and Control : %s” % c2 print “Command and Control : %s” % c3 print “Command and Control : %s” % c4 print “Command and Control : %s” % c5 print “Unknown Bool Value 2 : %s” % unknown_bool2 print “Service Executable : %s” % unicode_exe_name.replace(“\x00”,’’) print “Service Name : %s” % service_name print “Registry Service Name : %s” % registry_service_name print “Service Display Name : %s” % display_name print “Service Description : %s” % service_description fh = open(sys.argv[1], ‘rb’) data = fh.read() fh.close() parse_config(decrypt(data)) PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 6 The malware proceeds to enter in a loop, where it will attempt to communicate with the specified URLs via HTTP or HTTPS. It initially sends the following GET request to the C2 servers specified in its configuration: GET //page_.html HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32) Host: Connection: Keep-Alive Cache-Control: no-cache Pragma: no-cache In the request above, the parameter is determined using the last four octets of the victim’s MAC address. For example, if the victim’s MAC address was 00-11-22-33-44-55-66, this parameter would become ‘2233445566’. The parameter is randomly generated using the current time as a seed. This results in a unique request being made every time. When an initial communication is made to the remote server, the malware will execute the following commands to conduct basic network reconnaissance: • net user • ipconfig /all • net start • systeminfo Elise uses a series of cookie values in order to exfiltrate data, as seen below. FIGURE 15 + Elise Variant A POST Request. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 7 Data contained within these cookies is Base64-encoded. Once decoded and joined, the data has the following structure. Variant B The second variant (B) of Elise has compile timestamps dating back to July 2012. Variant B has a configuration data structure size of 324 bytes. It is often delivered via a file exploiting a client-side vulnerability, such as CVE-2012-0158. When originally installed on a victim machine, the client-side exploit shellcode will drop two files — an executable file and a DLL. The executable is then run in a newly spawned process. This executable file loads the second exported function of the DLL via the function’s ordinal value. This exported function is commonly called either ‘CsOptionsHandle’ or ‘ESHandle’. When this function is called, this Elise variant will begin by decrypting its 324-byte configuration structure. The following Python code may be used to decrypt and parse this configuration: import sys from struct import * from ctypes import * def decrypt(data): cdll.msvcrt.srand(2014) out = “” for x in data: out += chr(ord(x) ^ (cdll.msvcrt.rand() % 128)) return out def parse_config(out): compile_time, \ unknown1, \ sleep_timer, \ unknown_bool, \ campaign, \ c1, c2, c3, c4, c5, \ unknown_bool2, \ unknown_string = unpack(“iiib20s50s50s50s50s50sb40s”, out) print “CompileTime : %s” % compile_time print “Unknown DWORD : %s” % unknown1 print “SleepTimer : %s” % sleep_timer print “Unknown Bool Value : %s” % unknown_bool print “Campaign : %s” % campaign FIGURE 16 + Elise Variant A Data Encoding. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 8 print “Command and Control : %s” % c1 print “Command and Control : %s” % c2 print “Command and Control : %s” % c3 print “Command and Control : %s” % c4 print “Command and Control : %s” % c5 print “Unknown Bool Value 2 : %s” % unknown_bool2 print “Unknown Unidoce String : %s” % unknown _string.replace(“\ x00”,’’) fh = open(sys.argv[1], ‘rb’) data = fh.read() fh.close() parse_config(decrypt(data)) As we can see, this variant of Elise uses the same encryption/decryption routine for its configuration data as variant A. The malware proceeds to create one of the following files that will be used to store this configuration data: • %APPDATA%\Microsoft\IMJP8_1\8S3N0PW7.dat • %APPDATA%\\Microsoft\IMJP8_1\26TXNK4F.dat One of the more interesting features of this variant is its ability to detect either a VMware® or VirtualPC virtual environment, as we see below. Should the malware detect it is running within either of these environments, it will not perform any malicious activity going forward. Otherwise, it proceeds to configure persistence across reboots by setting the following registry key: • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] FIGURE 17 + Elise Variant B virtual environment check. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 1 9 When initially run, Elise variant B will also execute the following commands on the victim machine: • ipconfig /all • net start • dir C:\progra~1 • systeminfo These command strings are obfuscated within the malware, using the following algorithm: char* decrypt_string(char *encrypted, int size) { int i; char *result; for ( i = 0; i < size; ++i ) { result = &encrypted[i]; *result ^= 0x1Bu; } return result; } Exfiltration for variant B uses the same technique used in variant ‘A’. Base64-encoded cookie values are used to exfiltrate data, as seen below. The structure of this base64-decoded data remains the same as well. The following structure is used in variant ‘B’. FIGURE 18 + Elise Variant B POST Request PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 0 Variant C The third variant of Elise has its earliest compile timestamp in mid-2013 and has been used in attacks periodically since that time. This variant has been the most prevalent overall, accounting for roughly 75 percent of all samples identified by Unit 42. The most recent sample of variant C was compiled in late March of 2015. Additionally, variant C uses a 336-byte configuration structure. Similar to variant B, variant C is often delivered via a file exploiting a client-side vulnerability, such as CVE-2012-0158. This particular variant is delivered as a single DLL with two exported functions — ‘Setting’ and ‘Update’ When the ‘Setting’ export is called, the malware will copy itself to the following location: • %APPDATA%\Microsoft\Network\rasphone.dll This new file is then called via the following command: • Rundll32.exe %APPDATA%\Microsoft\Network\rasphone.dll,Update When the ‘Update’ export is called on rasphone.dll, the malware will begin by checking if a debugger is attached via a call to IsDebuggerPresent(). In the event it is not detected, the malware will then check to ensure the DLL has been loaded by Rundll32. exe by comparing the current filename against ‘dll32’. rasphone.dll uses a simple string encryption routing.The following code can decrypt encountered strings: void decrypt_string(char *encrypted, int size) { int i; if ( encrypted ) { for ( i = size - 1; i > 0; --i ) encrypted[i] ^= encrypted[i - 1]; *encrypted ^= 0xA0; } } FIGURE 19 + Elise Variant B Data Encoding PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 1 The malware continues to identify the location of iexplore.exe (%PROGRAM FILES%\ Internet Explorer\iexplore.exe) and spawn a new instance of this process.The malware will proceed to inject itself into iexplore.exe. Finally, the malware will decrypt an embedded DLL located in its resource section (‘XDATA’) and write this DLL to a new section of memory in iexplore.exe. A configuration blob of 336 bytes is subsequently written to this DLL, and the DLL is loaded into iexplore.exe via a call to LoadLibraryA. The injected DLL (hereafter referred to as xdata) begins by spawning a new thread where all further actions will be taken. The malware writes its encrypted configuration to the following location: • %APPDATA%\Microsoft\Network\6B5A4606.CAB The following script can be used to decrypt this CAB file. import sys from struct import * def decrypt(data): str_len = len(data) - 1 out = “” while(str_len > 0): str_len -= 1 if str_len == 0: break out = chr(ord(data[str_len]) ^ ord(data[str_len-1])) + out out = chr(ord(data[0]) ^ 0xA0) + out return out def parse_config(out): compile_time, \ unknown1, \ sleep_timer, \ unknown_bool, \ campaign, \ c1, c2, c3, c4, c5, c6 = unpack(“iiib20s50s50s50s50s50s50s”, out[0:333]) print “CompileTime : %s” % compile_time print “Unknown DWORD : %s” % unknown1 print “SleepTimer : %s” % sleep_timer print “Unknown Bool Value : %s” % unknown_bool print “Campaign : %s” % campaign print “Command and Control : %s” % c1 print “Command and Control : %s” % c2 print “Command and Control : %s” % c3 print “Command and Control : %s” % c4 print “Command and Control : %s” % c5 print “Command and Control : %s” % c6 fh = open(sys.argv[1], ‘rb’) data = fh.read() fh.close() parse_config(decrypt(data)) PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 2 Additionally, this CAB file is “time stomped” to a Create/Modify time of Sunday, November 21, 2010, 10:29:33 UTC. This malware also writes to a log file located at the following path. • %TEMP%\00EL225AF.TMP Data in this file is not obfuscated or encrypted in any way. The malware proceeds to enter in a loop, where it will attempt to communicate with the specified URLs via either HTTP or HTTPS. The following has been identified about the structure of the binary data submitted via POST requests. This structure is consistent with all previous Elise variants discussed. When an initial communication is made to the remote server, the malware will execute the following commands to conduct basic network reconnaissance: • net user • ipconfig /all • net start • systeminfo This data is exfiltrated using a POST request, as seen below. In the above example, the ‘2320’ value in the URI is generated using the victim’s MAC address. The ‘00320511’ value in the URI is generated using the current time. This allows each request to be unique and also identify the victim machine. FIGURE 20 + Elise Variant C Data Encoding. FIGURE 21 + Elise Variant C POST Request. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 3 Previous Research Multiple research groups have mentioned the Elise backdoor in publicly available reports. This section highlights some of those to help readers connect this campaign to previously known attacks. In 2013, Xecure Labs and Academia Sinica published a joint paper, and they delivered a presentation at BlackHat in which they identified Elise as part of a larger group of tools they referred to as the “LStudio,” “ST Group” and “APT0LSTU.” The research team noted that Elise and other related tools had been used primarily in attacks on Taiwan (Figure 22), but also against the United States, Canada and other nations. Trend Micro refers to Elise as BKDR_ESILE, making a slight modification to the author’s chosen name. Trend Micro first reported on Elise in their 2013 2H targeted Attack Trends report ii . Since then, they have referenced that paper in multiple blogs and reports iii iv v . This research indicates that the majority of attacks using Elise also targeted government organizations in the Asia Pacific region. FireEye refers to Elise as the “Page” malware, because early versions of the Trojan use the word “page” in their Command and Control URLs. FireEye first noted an Elise attack in September 2012, which involved a targeted spear phishing attack against the aviation defense industryvi . FireEye later noted Elise was delivered in an attack using a lure related to the crash of Malaysian Airlines flight 370 vii . FIGURE 22 + Slide 30 from BlackHat presentation showing Elise target. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 4 Conclusion Operation Lotus Blossom represents a long-term campaign targeting government and military organizations in several nations of Southeast Asia conducted by a persistent attack group. We traced the earliest of these attacks to 2012, and the most recent occurred during the course of writing this paper. In one case, the targeted organization received 20 separate email attacks carrying Elise exploit files over the course of eight weeks. While we cannot attribute these attacks to those of a specific nation state, the pattern indicates a highly persistent adversary with the ability to develop custom tools, and maintain command and control infrastructure, over a long period of time. This evidence is consistent with a nation state adversary with a strong interest in the militaries of Southeast Asian nations. Lotus Blossom may deploy additional tools beyond the Elise backdoor detailed in this report, after the group has achieved a foothold in the network. Related tools used by the group include those known as “LStudio,” and Evora. Unit 42 initially identified the attacks described in this report using Palo Alto Networks AutoFocus platform, which quickly enables analysts to find connections between malware samples analyzed by our WildFire system. We combined this data with open source intelligence to gather additional samples, which broadened the scope of our analysis. We have tagged all of these samples, and the infrastructure used in this campaign, within AutoFocus, using the tags Elise and LotusBlossom respectively. WildFire correctly identifies Elise executables, as well as the exploit files used in Lotus Blossom attacks, as malicious. We have released IPS signature 14358 in response, which detects command and control traffic generated by Elise. PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 5 Appendix Elise Sample Details SHA256 a28d6d7ac530753bb2ebfe1a9e9bd60269e6d227dec555e538cc36a6decf29f Campaign Code PYQ Command and Control 59.6.2[.]16 cpcl2006.dyndns-free[.]com shotacon.dyndns[.]info petto.mooo[.]com kid.dyndns[.]org SHA256 949c9457a6c77e7e7f1519435149183c56eb53f7d74439fb848b5d6d91196a73 Campaign Code PYQ Command and Control 59.6.2[.]16 cpcl2006.dyndns-free[.]com shotacon.dyndns[.]info petto.mooo[.]com kid.dyndns[.]org SHA256 712c488950f27e98bc4ebe5b63e5775498236a179cb4576bf021f8e6e6de0df4 Campaign Code MYGHOST Command and Control 50.7.11[.]10 www3.bkav2010[.]net SHA256 b9681c178e087140344e6aec2630c61f6a7be92e97ebbe7ce10528f6f0e6028f Campaign Code yxz-tw Command and Control 184.22.44[.]209 kjd.dyndns[.]org 202.82.202[.]228 wsi.dyndns[.]org cpcl2006.dyndns-free[.]com SHA256 dc61e089eebf6fa1b3abf637ce105e0d20666aa52d9001f5fd5034815331cd61 Campaign Code 340_typhoon Command and Control beckhammer.xicp[.]net 122.10.89[.]84 SHA256 6eae10f0b9a62a26b19897f7ba627f92e93e458034939f55f2001835c0e1f1be Campaign Code llmacau Command and Control 202.82.91[.]139 218.103.16[.]153 203.218.138[.]30 103.246.245[.]146 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 6 SHA256 8c2cd914de7c125e49019f3826918511150ee4fff8a923da350a99c102b36455 Campaign Code yxz-kjhkjsxy Command and Control 184.22.44[.]209 kjd.dyndns[.]org 202.82.202[.]228 wsi.dyndns[.]org cpcl2006.dyndns-free[.]com SHA256 a8e0ab6b19400eccd3c9aceb183fe7626d5bde7bdf9b8ec8825aa17cc3a213a3 Campaign Code 340_typhoon Command and Control beckhammer.xicp[.]net 122.10.89[.]84 SHA256 e9971de22a922678fc216e9e3923c7e6b21455ddfbb24eb46e50e1cc7ceacc31 Campaign Code demo Command and Control 122.10.89[.]84 beckhammer.xicp[.]net 122.10.89[.]85 SHA256 0752bbdb0c51a519f17a62dd30a033c224c82168522f2c88949b1a0afc8f9037 Campaign Code 340-0226 Command and Control harryleed.dyndns[.]org verolalia.dyndns[.]org jackyson.dyndns[.]info scristioned.dyndns-web[.]com 173.231.49[.]98 SHA256 4780442f3cc8d3e1888aa6cecbb05d0c49a6755964eba7a8a6a36d6d2a0ef881 Campaign Code yxz-tw Command and Control cpcl2006.dyndns-free[.]com wsi.dyndns[.]org 202.82.202[.]228 kjd.dyndns[.]org 184.22.44[.]209 SHA256 bae07b0c3e4e96731360dc4faa49c0d4abe4d3705e768393f21661c82dea13f3 Campaign Code Alice_vishipel Command and Control www.serchers[.]net 142.91.252[.]130 www.aliancesky[.]com 58.64.183[.]92 SHA256 7e386ff64be78af18f8a79d01cb75b0438cbcee4647e0a928100bd52ee56db76 Campaign Code G140509ZA01 Command and Control 46.251.237[.]59 www.tintuchoahau[.]com PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 7 SHA256 866c698073e4deb66dd83c1ec9567ec03eca9f03775deadb81cc59fdb6cfd446 Campaign Code 310-pyq Command and Control cybertunnel.dyndns[.]info newshappys.dyndns-blog[.]com www.imonju[.]com www.serchers[.]net 202.82.202[.]228 SHA256 edb45f03dfd52ab58f163ad2ca48f4bc9c4bcb72ea9181d0e0a1d87859f707a6 Campaign Code 370mymm Command and Control 122.10.89[.]84 122.10.89[.]85 SHA256 3d2c6d48425212eabb886c2e7e89249e4aa8cf4ad9ec3dd22cafb4f879683d8b Campaign Code 340-dfa-520 Command and Control phil-gov.gotdns[.]org scristioned.dyndns-web[.]com asean-star[.]com aseansec.dynalias[.]org 113.10.136[.]18 SHA256 d9174d6bbcb51d3df186794109cd6b2036f6231cf8733290eadd399bf8137055 Campaign Code 340-0528 Command and Control phil-army.gotdns[.]org scristioned.dyndns-web[.]com asean-star[.]com aseansec.dynalias[.]org 113.10.136[.]18 SHA256 30f1f7e848c79212f70794d718d0f3929c24e0f3d28695a7c85a85c77ab7aac9 Campaign Code 310-pyq Command and Control cybertunnel.dyndns[.]info newshappys.dyndns-blog[.]com www.imonju[.]com www.serchers[.]net 202.82.202[.]228 SHA256 39dd2381bcd0f47dadf23399254bf1b51a837179e5634328afafe07510f5888a Campaign Code 340-0528 Command and Control phil-army.gotdns[.]org scristioned.dyndns-web[.]com asean-star[.]com aseansec.dynalias[.]org 113.10.136[.]18 SHA256 e2181b3d47feb5a321fe3b85b08a0245a1e0824b213e568fa4736d529fd5f8c2 Campaign Code 731 Command and Control usa-moon[.]net 23.234.63[.]197 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 8 SHA256 c19d3242d43c71f03f5873231444c12a6a11892dd7f0142ff10479f1f718382d Campaign Code key0730 Command and Control usa-moon[.]net 23.234.63[.]197 SHA256 24bb8e48f37cbd71b2195cff4f52ec304a2ed9d60c28d2afd785e6f32639325f Campaign Code bio Command and Control usa-moon[.]net 23.234.63[.]197 SHA256 65c901b19e2eec6b8392100c1073253641a95dd542f39c9ca95755e8a2afde14 Campaign Code Alice_Spider Command and Control www.aliancesky[.]com 58.64.183[.]92 www.serchers[.]net 162.211.181[.]107 SHA256 34943d8718d35a633bafefb6f113b3486945ec7dcd19bde11ca3c29feed44af3 Campaign Code HKDLS Command and Control 101.55.121[.]47 27.255.64[.]231 www.iascas[.]net 59.188.247[.]32 SHA256 400148084474b709a060b844966cf75301d5f2c2b8ae1048f37f634073ead630 Campaign Code FUCKU Command and Control 101.55.121[.]47 118.193.212[.]61 www.seachers[.]net SHA256 61a66afac2702276f6bba2cfcab58198fced893ad1da27aef228259869f5383f Campaign Code FUCKU Command and Control 101.55.121[.]47 118.193.212[.]61 www.seachers[.]net SHA256 6f039f217d8b3bf6686e298416f084884b9a7ec0ee51f334ecc3f5a2da9145a8 Campaign Code FUCKU Command and Control 101.55.121[.]47 118.193.212[.]61 www.seachers[.]net SHA256 eae4b429b0b732d49750400e70caef579450d0651373440f536de71d6134c173 Campaign Code FUCKU Command and Control 101.55.121[.]47 118.193.212[.]61 www.seachers[.]net PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 2 9 SHA256 8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7 Campaign Code HKDLS Command and Control 101.55.121[.]47 27.255.64[.]231 www.iascas[.]net 59.188.247[.]32 SHA256 a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3 Campaign Code FUCKU Command and Control 101.55.121[.]47 118.193.212[.]61 www.seachers[.]net SHA256 a8e0ab6b19400eccd3c9aceb183fe7626d5bde7bdf9b8ec8825aa17cc3a213a3 Campaign Code mm-0807 Command and Control www.imonju[.]net 61.58.31[.]102 202.77.181[.]179 SHA256 96356db43d7e9a5c3c4e3f9f7ee9a3dba14ad1c7db7367b7f6d664db4f0ef5d7 Campaign Code jessica-cpt-app Command and Control www.serchers[.]net www.aliancesky[.]com 162.211.181[.]107 58.64.183[.]92 SHA256 bd78e106f208cbb8ea9e5902d778514f1fc2d15876fca292971c6695541889a3 Campaign Code jessica-cpt-app Command and Control www.serchers[.]net www.aliancesky[.]com 162.211.181[.]107 58.64.183[.]92 SHA256 96410865d46cda89c7c34c60d485c2378a98acbba7ead5ada90daa02a94ba299 Campaign Code Alice_erpas Command and Control www.boshman09[.]com www.chris201[.]net 58.64.183[.]92 SHA256 a98db2098fe9e3e203bed8318ae1d71e8a7b68f801613be10f3917baad7b49b2 Campaign Code jessica-cpt-app Command and Control www.serchers[.]net www.aliancesky[.]com 162.211.181[.]107 58.64.183[.]92 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 0 SHA256 233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3 Campaign Code KITY090901 Command and Control 46.251.237[.]59 www.tintuchoahau[.]com SHA256 b1e30dd3ad2c3290adad848f7199e03f365ecf484c44c6c7eaf42f6b323cd30b Campaign Code KITY090901 Command and Control 46.251.237[.]59 www.tintuchoahau[.]com SHA256 9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04 Campaign Code QY030610 Command and Control 95.154.195[.]152 www.vienclp[.]com SHA256 463c6c6ffb8ecf2df44e294818dd500457807ff126dd658c5fe329c09f43a6e0 Campaign Code KITY01232 Command and Control 95.154.195[.]152 www.vienclp[.]com SHA256 3a806f8efa338c871b1338a5db8af4128012559d09b06ab997db50a0f90434b1 Campaign Code KITY01232 Command and Control 95.154.195[.]152 www.vienclp[.]com SHA256 8ce0b29202f3df23ce583040e2ffe79af78e0bb375ce65ec37a6ffe7d49b5bb5 Campaign Code QY030610 Command and Control 95.154.195[.]152 www.vienclp[.]com SHA256 2551f95845ad83ebc56853442bb75c11517e99fe0196ecb30f80e5b203c9a9ff Campaign Code QY030610 Command and Control 95.154.195[.]152 www.vienclp[.]com SHA256 e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e Campaign Code QQQQQ Command and Control boshman09[.]com chris201[.]net 58.64.183[.]92 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 1 SHA256 49bf19bd2381f5c78eb2d00a62e1b377620705dba0fa843fb8c8d26d92ec52e4 Campaign Code 36-SC-0114 Command and Control 103.244.91[.]16 162.211.181[.]26 101.55.120[.]165 beckhammer.xicp[.]net newinfo32.eicp[.]net SHA256 9e5c286fcc47c8346267574ea805cde24b04915f5372f03923c0d6a13290e0ea Campaign Code 36-SC-0127 Command and Control www.interhero[.]net 101.55.120[.]165 101.55.120[.]153 www.babysoal[.]com beckhammer.xicp[.]net SHA256 0201aaa8eda6dedc6c90381e225620cd33fb7b244f76bf229c3dd43feb9bdeaf Campaign Code Alice_rosey Command and Control 210.209.127[.]8 www.boshman09[.]com www.chris201[.]net 45.64.113[.]130 SHA256 f0304a1f7d87ac413f43a815088895872be0045a33c5f830b4b392a7ce5b8c46 Campaign Code 340-dfa-1007 Command and Control usa-moon[.]net aseaneco[.]org 103.28.46[.]96 SHA256 fd6302a152b0a2eff84b6ef219db5d79b6039043dfd5799ac9a4a0cced58e8bd Campaign Code 370my0216 Command and Control 113.10.222[.]157 www.tgecc[.]org SHA256 00c0e0c14835c08d220ef27ef6324df86880167d416ff7183d7df241ffebc3f8 Campaign Code ooo Command and Control www.boshman09[.]com www.chris201[.]net 210.209.79[.]29 SHA256 0adbf0f6a5c21054e569b2ef68c8c6ae7834a0700672c1f3ec6e50daf49a3a94 Campaign Code oyf Command and Control www.boshman09[.]com www.chris201[.]net 210.209.79[.]29 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 2 SHA256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a Campaign Code Alice_rosey Command and Control 210.209.127[.]8 www.boshman09[.]com www.chris201[.]net 45.64.113[.]130 SHA256 8e7c198e1eaa5be2d1415be3001c217634ae207b8f912e9a84af6c6016aa467e Campaign Code ooo Command and Control www.boshman09[.]com www.chris201[.]net 210.209.79[.]29 SHA256 97d6699e449ddad97cc33e380a4873a7ceb0e8f0f50b5c8f72e6a4ff3dd1009f Campaign Code phone Command and Control usa-moon[.]net aseaneco[.]org 103.252.19[.]13 SHA256 b53f98c113e7f72ff5170dcdb2ab2b1c15a02aadb72b2d2710d899aea9b875bd Campaign Code phone Command and Control usa-moon[.]net aseaneco[.]org 103.252.19[.]13 SHA256 b2232492776267599307309e9d8874aac25e7cb31b155b0ca05349312690372f Campaign Code cyd-zc Command and Control 101.55.121[.]47 118.193.212[.]61 SHA256 64ffe128c61289bec90057c7bf3ff869c329ffcb1afa4c4cd0daed1effabf105 Campaign Code cyd-zc Command and Control 101.55.121[.]47 118.193.212[.]61 SHA256 b0ffb80762f25935415a7ffd6b9402a23c2b6b4dc4921419ef291160cf7f023b Campaign Code Alice_15A Command and Control 210.209.127[.]8 www.boshman09[.]com www.chris201[.]net SHA256 8e180a9d7f233c189519bbfa2b649ca410c4869457e0cf8396beb82ffbffd05c Campaign Code ooo Command and Control www.boshman09[.]com www.chris201[.]net 210.209.79[.]29 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 3 Elise Executable SHA256 values 0201aaa8eda6dedc6c90381e225620cd33fb7b244f76bf229c3dd43feb9bdeaf 1333a300b03fb2d7bf028f4dee3d9b1f9c97267266faec9e02064862fbb6acb4 135e37122c23f26fed98b3bc884171c91c370250a73c6660b20416497b66a750 24bb8e48f37cbd71b2195cff4f52ec304a2ed9d60c28d2afd785e6f32639325f 2c2eb2eaadf9253a78265ac4655a6ec5935aa2673ff5e4fe3bb6753803c7fe59 2c512b50f8aa0881120d844b0bbbf7baa33465083fdc85755d51d1b5721bc057 2d43632953b511e1f1c7698de3c21b2ba7c27b75bb6079f51dcf9376e05e42b7 376c3ea59411380ab5146b3bc39ee79cf7f78b08dd712ef1cc5327bda5a2e46b 39dd2381bcd0f47dadf23399254bf1b51a837179e5634328afafe07510f5888a 3eb115f4eb62c4404be1a318afa3837bdba8fd66938efe15664741d942a85add 49bf19bd2381f5c78eb2d00a62e1b377620705dba0fa843fb8c8d26d92ec52e4 4de470147d90efbb440aa4420a5832b4f22f9f6128183568fe604df6427cc06b 4ff70adad080095421f34873e491c9da2e798f8db96a984f87efb9889d246fcb 5960d8f8b26edb453926efbd424332eabc0e1a74e25dbc1e9a570cc5920c8830 64ffe128c61289bec90057c7bf3ff869c329ffcb1afa4c4cd0daed1effabf105 712c488950f27e98bc4ebe5b63e5775498236a179cb4576bf021f8e6e6de0df4 7b2d470b9c6159c97cef2634493be0e4f2994f43501605a14d4c5a7efdeac3ba 7e386ff64be78af18f8a79d01cb75b0438cbcee4647e0a928100bd52ee56db76 840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed 866c698073e4deb66dd83c1ec9567ec03eca9f03775deadb81cc59fdb6cfd446 899730962e10546c9d43a9ffa79d900fd37c0d17f95aa537b67d31aa737447b5 8b4446cfaee549072c5da2468af7b9fec711f2d28851a3e8076fcfb53393a415 8c2cd914de7c125e49019f3826918511150ee4fff8a923da350a99c102b36455 8ce0b29202f3df23ce583040e2ffe79af78e0bb375ce65ec37a6ffe7d49b5bb5 8f7c74a9e1d04ff116e785f3234f80119d68ae0334fb6a5498f6d40eee189cf7 90296f0ecacc017bcf289297f5743660dd18bbc2842e631e9be4b2dc51732412 96356db43d7e9a5c3c4e3f9f7ee9a3dba14ad1c7db7367b7f6d664db4f0ef5d7 97d6699e449ddad97cc33e380a4873a7ceb0e8f0f50b5c8f72e6a4ff3dd1009f 9e5c286fcc47c8346267574ea805cde24b04915f5372f03923c0d6a13290e0ea a462085549f9a1fdeff81ea8190a1f89351a83cf8f6d01ecb5f238541785d4b3 a8e0ab6b19400eccd3c9aceb183fe7626d5bde7bdf9b8ec8825aa17cc3a213a3 b5a1f7e9d0d6d3bec17674610a3b26991083e1e3cb81729714b69c18038a902f bd78e106f208cbb8ea9e5902d778514f1fc2d15876fca292971c6695541889a3 d68a90fbe579a8199d78ef9ca001301e2c55a3015d4e3df3c238c276ed7cc1ce dc06012b4aef457efb0ecb9cdca579bb573823a1a63bb7a2ba92c7ce0c2ddbfb e2181b3d47feb5a321fe3b85b08a0245a1e0824b213e568fa4736d529fd5f8c2 e4a460db653c8df4223ec466a0237943be5de0da92b04a3bf76053fa1401b19e edb45f03dfd52ab58f163ad2ca48f4bc9c4bcb72ea9181d0e0a1d87859f707a6 f0304a1f7d87ac413f43a815088895872be0045a33c5f830b4b392a7ce5b8c46 f307280077b2a60d991a68c5700cbc57fe0ab6ec005caba0b0bcca4dbc5a1e2f fb506b8dd4025e247ac2fa12ffd46fd1cb6a06a138995a5cbda49074d567f615 fd2d9011ec860ba211d169063248d13d17425f210ff87a6c5a610b4704866339 PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 4 Elise Delivery Document SHA256 values 9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04 7e917319e2af9457c35afbb539c09233da2e02d6a64f970706dae9f6c3c791eb c19d3242d43c71f03f5873231444c12a6a11892dd7f0142ff10479f1f718382d dc61e089eebf6fa1b3abf637ce105e0d20666aa52d9001f5fd5034815331cd61 fd6302a152b0a2eff84b6ef219db5d79b6039043dfd5799ac9a4a0cced58e8bd e9971de22a922678fc216e9e3923c7e6b21455ddfbb24eb46e50e1cc7ceacc31 d9174d6bbcb51d3df186794109cd6b2036f6231cf8733290eadd399bf8137055 b53f98c113e7f72ff5170dcdb2ab2b1c15a02aadb72b2d2710d899aea9b875bd b2232492776267599307309e9d8874aac25e7cb31b155b0ca05349312690372f 463c6c6ffb8ecf2df44e294818dd500457807ff126dd658c5fe329c09f43a6e0 3d2c6d48425212eabb886c2e7e89249e4aa8cf4ad9ec3dd22cafb4f879683d8b 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a b0ffb80762f25935415a7ffd6b9402a23c2b6b4dc4921419ef291160cf7f023b 8e180a9d7f233c189519bbfa2b649ca410c4869457e0cf8396beb82ffbffd05c 8e7c198e1eaa5be2d1415be3001c217634ae207b8f912e9a84af6c6016aa467e 00c0e0c14835c08d220ef27ef6324df86880167d416ff7183d7df241ffebc3f8 0adbf0f6a5c21054e569b2ef68c8c6ae7834a0700672c1f3ec6e50daf49a3a94 96410865d46cda89c7c34c60d485c2378a98acbba7ead5ada90daa02a94ba299 a98db2098fe9e3e203bed8318ae1d71e8a7b68f801613be10f3917baad7b49b2 b1e30dd3ad2c3290adad848f7199e03f365ecf484c44c6c7eaf42f6b323cd30b 4780442f3cc8d3e1888aa6cecbb05d0c49a6755964eba7a8a6a36d6d2a0ef881 bae07b0c3e4e96731360dc4faa49c0d4abe4d3705e768393f21661c82dea13f3 65c901b19e2eec6b8392100c1073253641a95dd542f39c9ca95755e8a2afde14 30f1f7e848c79212f70794d718d0f3929c24e0f3d28695a7c85a85c77ab7aac9 0752bbdb0c51a519f17a62dd30a033c224c82168522f2c88949b1a0afc8f9037 b9681c178e087140344e6aec2630c61f6a7be92e97ebbe7ce10528f6f0e6028f 6eae10f0b9a62a26b19897f7ba627f92e93e458034939f55f2001835c0e1f1be PA L O A LT O N E T W O R K S + O p e r a t i o n L o t u s B l o s s o m 3 5 Lotus Blossom Command and Control Servers 101.55.120.153 101.55.120.165 101.55.121.47 103.244.91.16 103.246.245.146 103.252.19.13 103.28.46.96 113.10.136.18 113.10.222.157 118.193.212.61 122.10.89.84 122.10.89.85 142.91.252.130 162.211.181.107 162.211.181.26 173.231.49.98 184.22.44.209 202.77.181.179 202.82.202.228 202.82.91.139 203.218.138.30 210.209.127.8 210.209.79.29 218.103.16.153 23.234.63.197 27.255.64.231 45.64.113.130 46.251.237.59 50.7.11.10 58.64.183.92 59.188.247.32 59.6.2.16 61.58.31.102 95.154.195.152 asean-star.com aseaneco.org aseansec.dynalias.org beckhammer.xicp.net boshman09.com chris201.net cpcl2006.dyndns-free.com cybertunnel.dyndns.info harryleed.dyndns.org jackyson.dyndns.info kid.dyndns.org kjd.dyndns.org newinfo32.eicp.net newshappys.dyndns-blog.com petto.mooo.com phil-army.gotdns.org phil-gov.gotdns.org scristioned.dyndns-web.com shotacon.dyndns.info usa-moon.net verolalia.dyndns.org wsi.dyndns.org www.aliancesky.com www.babysoal.com www.boshman09.com www.chris201.net www.iascas.net www.imonju.com www.imonju.net www.interhero.net www.seachers.net www.serchers.net www.tgecc.org www.tintuchoahau.com www.vienclp.com www3.bkav2010.net i Triangle of Life. Snopes. December, 2009. http://www.snopes.com/inboxer/household/triangle.asp ii Targeted Attack Trends 2013 2H. Trend Micro Inc. May 19, 2014. http://www.itu.int/en/ITU-D/Cybersecurity/Documents/2H_2013_Targeted_Attack_Campaign_Report.pdf iii Targeted Attack Trends in Asia-Pacific. Trend Micro Inc. Nov. 20, 2014. http://www.trendmicro.co.in/in/ cloud-content/apac/pdfs/security-intelligence/reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf iv BKDR_ESILE.SMEX. Trend Micro Inc. May 28, 2013. http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_ESILE.SMEX v ESILE Targeted Attack Campaign Hits APAC Governments. Trend Micro Inc. July 28, 2014. http://www.trendmicro.com.my/vinfo/my/security/news/cyber-attacks/ esile-targeted-attack-campaign-hits-apac-governments vi Analysis of Malware Page. Singh, Abhishek. Sept. 12, 2012. https://www.fireeye.com/blog/threat-research/2012/09/analysis-of-malware-page.html vii Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Moran, Ned & Lanstein, Alex https://www.fireeye.com/blog/threat-research/2014/03/ spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html 4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788 Support: +1.866.898.9087 www.paloaltonetworks.com Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_WP_U42_OLB_061515