Tuesday, February 20, 2018

Latest Elise APT comes packed with Sandbox Evasions

Recently we came across an interesting sample which seems to be related to Elise Malware. Elise is tight to the Dragon Fish and Lotus Blossom APT groups which primary targets governments and defense contractors. Elise is known to infect victims by using the latest exploits available and is often packed with interesting Sandbox evasion techniques.

In this blog post, we will dissect the latest version of Elise.

The sample under investigation is distributed as an Office document lure. To be more precise in Rich Text Format.


We start the analysis by having a look at the behavior graph and acknowledge that the process EQNEDT32.EXE was started among Winword.exe:

This process is the Microsoft Office Equation Editor. In November 2017 the security company Embedi detected an exploit in EQNEDT32.EXE which later got the identification CVE-2017-11882. Microsoft patched the flaw in November.

So, is Elise using this exploit? To answer this question we had a detailed look at the exploit itself. The outcome: no it is not CVE-2017-11882 but rather CVE-2018-0802. CVE-2018-0802? This a second exploit also included in EQNEDT32.EXE which was detected in later December.

We extracted the trampoline and shellcode:

The code renames and loads the PE file (named a.b) previously dropped by Word. The newly loaded code is then injected into IExplorer.exe where the main payload is executed:

Sandbox Evasions

Elise performs a variety of sandbox checks in In IExplorer:

VMware backdoor check
Disk Name Check
Check for various Analysis Tools
Process Check

Mac Address Check


After passing all the sandbox checks Elise creates an autostart key:

Thanks to Hybrid Code Analysis we can also detect all malicious functionalities:

Add a Proxy to Internet Explorer
Add a Proxy to Firefox

Finally, in function 514D05, 5159AF and 515486 we find the download, upload and command execution handlers. Elise can collect and upload the following data:

  • CPU Usage
  • Ram (size/free)
  • Disk space (size/free)
  • Windows Version
  • Username
  • Locale
  • Timezone
  • SID
  • List of tasks
  • List of network adapters
  • List of files on Desktop

Final Words

Elise is a very advanced piece of malware using for its distribution only the latest exploits. Before the main payload is executed many different Sandbox evasions are performed. The payload and the communication code is injected into IExplorer likely bypassing PFW and HIPS. 

Interested in trying out Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!