TSCookie

Malware profile updated: 2024-05-05T02:17:33.901Z
TSCookie is malware that has been associated with backdoors such as BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It is also known as FakeDead and is used together with tools such as BendyBear and Flagpro by BlackTech, an advanced persistent threat group. The malware abuses legitimate Windows utilities, a technique referred to as "living off the land". TSCookie has been particularly active in attacks against Japanese organizations, where it is deployed alongside a variety of other malware types. TSCookie consists of two main files: the TSCookie Loader and TSCookie itself. The loader, which can be either an EXE or a DLL, reads and executes specific files stored in the same folder or in certain other locations. When loading TSCookieRAT, a remote access tool, TSCookie passes it parameters such as Command & Control (C&C) server information; the RAT then executes functions according to commands sent from the C&C server. TSCookie communicates with its C&C servers over HTTP and downloads two key components: a module and a loader for that module. Once both are downloaded, TSCookie starts the module. The malware's traffic is concealed within standard HTTP header payloads, making it harder to detect. Organizations should ensure their devices are not communicating with hosts associated with TSCookie, as listed in Appendix F, to prevent potential breaches.
Description last updated: 2024-05-05T01:31:03.809Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Alias / Description / Votes

PLEAD (votes: 2). PLEAD is a possible alias for TSCookie. PLEAD is a sophisticated malware, suspected to be associated with the Chinese APT group known as BlackTech. First observed in the wild in 2015, it was discovered by ESET researchers in 2019 that BlackTech was using compromised ASUS routers to perform Man-in-the-Middle (MitM) attacks and deliver the

FakeDead (votes: 2). FakeDead is a possible alias for TSCookie. FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
Alias / Description / Association Type / Votes

BendyBear (association type: Unspecified; votes: 2). The BendyBear malware is associated with TSCookie. BendyBear is a sophisticated x64 shellcode malware that requires a loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Associated Threat Actors
Alias / Description / Association Type / Votes

BlackTech (association type: Unspecified; votes: 2). The BlackTech threat actor is associated with TSCookie. BlackTech, a China-linked Advanced Persistent Threat (APT) group, poses a significant cybersecurity threat due to its sophisticated and covert hacking activities. As a threat actor, BlackTech's operations involve executing actions with malicious intent, which can be attributed to individuals, privat
Source Document References
Information about the TSCookie malware was read from the documents corpus below. This display is limited to 20 results.