TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets. TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.
06 May 2020
15 April 2022
Techniques Used

- Application Layer Protocol: TSCookie can use multiple protocols, including HTTP and HTTPS, to communicate with command and control (C2) servers.
- Command and Scripting Interpreter: Windows Command Shell: TSCookie has the ability to execute shell commands on the infected host.
- Credentials from Password Stores: Credentials from Web Browsers: TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.
- Deobfuscate/Decode Files or Information: TSCookie has the ability to decrypt, load, and execute a DLL and its resources.
- TSCookie has encrypted its network communications with RC4.
- File and Directory Discovery: TSCookie has the ability to discover drive information on the infected host.
- Ingress Tool Transfer: TSCookie has the ability to upload and download files to and from the infected host.
- Non-Application Layer Protocol: TSCookie can use ICMP to receive information on the destination server.
- TSCookie has the ability to list processes on the infected host.
- TSCookie has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes.
- TSCookie has the ability to proxy communications with command and control (C2) servers.
- System Network Configuration Discovery: TSCookie has the ability to identify the IP address of the infected host.
- TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministry of Education, Culture, Sports, Science and Technology of Japan.
Groups That Use This Software