TSCookie

Malware updated 4 months ago (2024-05-05T02:17:33.901Z)
TSCookie is a malware that has been associated with various backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It is also known as FakeDead and is used alongside other tools, such as BendyBear and Flagpro, by BlackTech, an advanced persistent threat group. The malware abuses legitimate Windows utilities, a technique referred to as "living off the land". TSCookie has been particularly active in attacks against Japanese organizations, in which a variety of other malware types are also used.

TSCookie consists of two main files: the TSCookie Loader and TSCookie itself. The loader, which can be either an EXE or a DLL, reads and executes specific files stored in the same folder or in certain fixed locations. TSCookie supplies parameters such as Command & Control (C&C) server information when it loads TSCookieRAT, a remote access tool; the RAT then executes functions according to the commands it receives from the C&C server. TSCookie communicates with its C&C servers over HTTP and downloads two key components: a module and a loader for that module. Once both are downloaded, TSCookie starts the new module. The malware's activity is concealed within standard HTTP header payloads, which makes it harder to detect. Organizations should ensure that their devices are not communicating with hosts associated with TSCookie, as listed in Appendix F, to prevent potential breaches.
Description last updated: 2024-05-05T01:31:03.809Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
PLEAD | 2 | The PLEAD malware is a malicious software that was discovered by ESET researchers in 2019 to be utilized by the Chinese APT group known as BlackTech. The group was found to be performing Man-in-the-Middle (MitM) attacks through compromised ASUS routers and delivering the PLEAD malware through ASUS W
Fakedead | 2 | FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
BendyBear | Unspecified | 2 | BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Associated Threat Actors
ID | Type | Votes | Profile Description
BlackTech | Unspecified | 2 | BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat
Source Document References
Information about the TSCookie malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
BankInfoSecurity | a year ago | Chinese Hackers Target Routers in IP Theft Campaign
MITRE | 2 years ago | Malware "TSCookie" - JPCERT/CC Eyes
MITRE | 2 years ago | Malware Used by BlackTech after Network Intrusion - JPCERT/CC Eyes