TSCookie

Malware Profile Updated 3 months ago
TSCookie is malware associated with a number of backdoors, including BendyBear, BIFROSE (Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (DBGPRINT). It is also known as FakeDead and is used together with tools such as BendyBear and Flagpro by BlackTech, an advanced persistent threat group. The malware abuses legitimate Windows utilities, a technique referred to as "living off the land". TSCookie has been particularly active in attacks against Japanese organizations that employed a variety of malware types. TSCookie consists of two main components: the TSCookie Loader and TSCookie itself. The loader, which may be an EXE or a DLL, reads and executes specific files stored in the same folder or in certain other locations. When loading TSCookieRAT, a remote access tool, TSCookie supplies parameters such as Command & Control (C&C) server information; the RAT then executes functions according to the commands it receives from the C&C server. TSCookie communicates with its C&C servers over HTTP and downloads two key components: a module and a loader for that module. Once both are downloaded, TSCookie starts the module. The malware's traffic is concealed within standard HTTP header payloads, making it harder to detect. Organizations should verify that their devices are not communicating with the hosts associated with TSCookie, as listed in Appendix F, to prevent potential breaches.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Fakedead | 2 | FakeDead, also known as TSCookie, is a potent malware that has been linked to a series of backdoors including BendyBear, BIFROSE (or Bifrost), Consock, KIVARS, PLEAD, XBOW, and Waterbear (also known as DBGPRINT). This malicious software infiltrates systems typically through suspicious downloads, ema
PLEAD | 2 | The PLEAD malware is a malicious software that was discovered by ESET researchers in 2019 to be utilized by the Chinese APT group known as BlackTech. The group was found to be performing Man-in-the-Middle (MitM) attacks through compromised ASUS routers and delivering the PLEAD malware through ASUS W
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Malware
Loader
Payload
Downloader
Associated Malware
ID | Type | Votes | Profile Description
BendyBear | Unspecified | 2 | BendyBear is a sophisticated x64 shellcode malware that requires loader or code injection for deployment. It contains advanced features not typically found in shellcode, making it a potent threat to computer systems. BendyBear, along with other specific malware strains such as Bifrose, SpiderPig, an
Flagpro | Unspecified | 1 | Flagpro is a malicious software (malware) used by threat actors to exploit and damage computer systems. The malware was first observed in attacks against Japan in October 2020, with new versions using the Microsoft Foundation Class (MFC) library identified by Security Operations Centers (SOCs) in Ju
Waterbear | Unspecified | 1 | WaterBear is a sophisticated form of malware, known for its ability to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or hold data hostag
Bifrose | Unspecified | 1 | Bifrose, a form of malicious software (malware), is designed to exploit and damage computer systems. It infiltrates the user's device without their knowledge via suspicious downloads, emails, or websites. Once inside the system, Bifrose can steal personal information, disrupt operations, and even ho
Dbgprint | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
BlackTech | Unspecified | 2 | BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TSCookie malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | China's BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies
BankInfoSecurity | 10 months ago | Chinese Hackers Target Routers in IP Theft Campaign
MITRE | a year ago | Malware "TSCookie" - JPCERT/CC Eyes
MITRE | a year ago | Malware Used by BlackTech after Network Intrusion - JPCERT/CC Eyes