S0436 TSCookie
TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets. TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.
| Item | Value |
| --- | --- |
| ID | S0436 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 May 2020 |
| Last Modified | 15 April 2022 |
Techniques Used
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | TSCookie can use multiple protocols, including HTTP and HTTPS, to communicate with command and control (C2) servers. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | TSCookie has the ability to execute shell commands on the infected host. |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | TSCookie has the ability to decrypt, load, and execute a DLL and its resources. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | TSCookie has encrypted network communications with RC4. |
| enterprise | T1083 | File and Directory Discovery | TSCookie has the ability to discover drive information on the infected host. |
| enterprise | T1105 | Ingress Tool Transfer | TSCookie has the ability to upload and download files to and from the infected host. |
| enterprise | T1095 | Non-Application Layer Protocol | TSCookie can use ICMP to receive information on the destination server. |
| enterprise | T1057 | Process Discovery | TSCookie has the ability to list processes on the infected host. |
| enterprise | T1055 | Process Injection | TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes. |
| enterprise | T1090 | Proxy | TSCookie has the ability to proxy communications with command and control (C2) servers. |
| enterprise | T1016 | System Network Configuration Discovery | TSCookie has the ability to identify the IP address of the infected host. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministry of Education, Culture, Sports, Science and Technology of Japan. |