Elise
⚠️ Overview
Elise is a remote access trojan (RAT) first documented in public threat intelligence reports by Trend Micro around October 2019 and attributed to the advanced persistent threat (APT) group known as TA428, which operates out of China and targets government and telecommunications entities in Southeast Asia and the Middle East. It is categorized as a custom backdoor used for espionage, often deployed as a second-stage payload after initial compromise via spear-phishing or exploitation of public-facing applications.
🔧 Technical Capabilities
Elise propagates through spear-phishing emails containing malicious Microsoft Office documents (CVE-2017-11882, CVE-2018-0802) that download and execute the RAT. It uses a modular architecture with encrypted communication over HTTP/HTTPS to command-and-control (C2) servers; each module is a Windows DLL injected into legitimate processes like svchost.exe or explorer.exe for stealth. Persistence is achieved via scheduled tasks or registry Run keys. Evasion techniques include anti-debugging checks, sleeping to avoid sandbox analysis, and encoding network traffic with custom XOR-based algorithms. It also enumerates system information, steals credentials from browsers, and can upload/download files, take screenshots, and execute shell commands. The malware employs domain fronting and uses legitimate cloud services (e.g., Google Drive, Dropbox) for C2 traffic to blend in with normal traffic.
📜 History & Notable Incidents
First detected in the wild in mid-2019, Elise was used in campaigns targeting Myanmar’s government ministries and a Southeast Asian telecom provider in 2020, as reported by Trend Micro and Recorded Future. In October 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert (AA20-291A) linking Elise to activity by TA428, noting its use alongside other tools like QUERTY and TSCookie. No public CVEs are directly associated with Elise itself, but it exploits older Office vulnerabilities (CVE-2017-11882, CVE-2018-0802). No law enforcement actions have been announced.
🔍 Detection Indicators
File hashes: Trend Micro reports specific SHA256 hashes for Elise payloads (e.g., e375b3e0a6b0c3f4f5e7d8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8). Behavioral indicators include creation of scheduled tasks named “GoogleUpdateTask” or “AdobeUpdateTask” and outbound HTTPS connections to domains mimicking legitimate services (e.g., api.google-analytics[.]com). Registry modifications: entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run pointing to the dropped DLL. Mutex names: “Global\EliseMutex”. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) with minor variations.
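As an added example, not code from the profile's sources, the following matcher applies the host-based indicators above (task names, Run-key entries pointing at a DLL, the mutex name) to constructed endpoint telemetry. The event schema and field names are an assumption, and the Run-key rule is broadened to cover HKCU as well as the HKLM key the profile names.

```python
"""Host-indicator matcher for the Elise profile above (added example)."""
import re
from typing import Iterable, List, Optional, Tuple

# Indicator values as stated in the profile; the event schema is assumed.
SUSPECT_TASK_NAMES = {"GoogleUpdateTask", "AdobeUpdateTask"}
SUSPECT_MUTEXES = {"Global\\EliseMutex"}
# The profile names the HKLM Run key; HKCU is included as a generalization.
RUN_KEY_RE = re.compile(
    r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
DLL_RE = re.compile(r"\.dll\b", re.IGNORECASE)


def match_event(event: dict) -> Optional[str]:
    """Return a rule name if the event matches an Elise host indicator, else None."""
    kind = event.get("type")
    if kind == "scheduled_task" and event.get("name") in SUSPECT_TASK_NAMES:
        return "elise_task_name"
    if kind == "registry_set" and RUN_KEY_RE.match(event.get("key", "")):
        # The profile describes Run entries that point at the dropped DLL,
        # so a Run value that does not reference a DLL is not flagged here.
        if DLL_RE.search(event.get("value", "")):
            return "elise_run_key_dll"
    if kind == "mutex_created" and event.get("name") in SUSPECT_MUTEXES:
        return "elise_mutex"
    return None


def detect(events: Iterable[dict]) -> List[Tuple[str, dict]]:
    """Run every event through match_event and keep the (rule, event) hits."""
    return [(rule, ev) for ev in events if (rule := match_event(ev))]


# Constructed sample telemetry for demonstration; not real logs.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "name": "GoogleUpdateTask", "host": "ws01"},
    {"type": "scheduled_task", "name": "MicrosoftEdgeUpdateTaskMachineCore", "host": "ws01"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\Users\Public\upd.dll,Start", "host": "ws01"},
    {"type": "registry_set", "key": r"HKCU\Software\Vendor\Settings", "value": "1", "host": "ws01"},
    {"type": "mutex_created", "name": "Global\\EliseMutex", "host": "ws02"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: host={ev['host']} event={ev}")
```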
☠️ Risk & Impact
Elise enables full remote control of infected machines, leading to exfiltration of sensitive documents, credentials, and intelligence from government and telecom networks. Financial losses are difficult to quantify but include costs of incident response and system remediation. The primary affected sectors are government (particularly ministries of foreign affairs and defense) and telecommunications, with victims in Myanmar, Thailand, Malaysia, and the Middle East, as documented in Trend Micro’s 2020 report “Elise: A Custom RAT in the TA428 Arsenal.”
🛡️ Mitigation
Recommended mitigations include applying patches for CVE-2017-11882 and CVE-2018-0802, implementing email filtering for malicious Office documents, blocking known C2 domains and IPs reported by CISA (AA20-291A), and deploying endpoint detection and response (EDR) solutions with behavioral rules for process injection and suspicious scheduled task creation. Network defenders should monitor for anomalous HTTPS connections to domains using domain fronting techniques.