Threat Group Cards: A Threat Actor Encyclopedia

Tool: ELMER

Names: ELMER, Elmost
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration
Description (FireEye): The exploit documents delivered during the December campaigns dropped a binary containing an embedded variant of a backdoor we refer to as ELMER. ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings.

To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed. Table 2 lists the ELMER backdoors observed during the December campaigns.
Information: <https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html>
MITRE ATT&CK: <https://attack.mitre.org/software/S0064/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer>

Last change to this tool card: 22 April 2020

All groups using tool ELMER

Changed | Name             | Country | Observed
--------|------------------|---------|---------
APT groups
        | APT 16, SVCMONDR | China   | 2015

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
