Malware: TSCookie

Description

[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)

External References

• mitre-attack
• JPCert PLEAD Downloader June 2018
• JPCert TSCookie March 2018
• JPCert BlackTech Malware September 2019

Techniques Used by This Malware

• T1016 — System Network Configuration Discovery
• T1055 — Process Injection
• T1057 — Process Discovery
• T1059.003 — Windows Command Shell
• T1071.001 — Web Protocols
• T1083 — File and Directory Discovery
• T1090 — Proxy
• T1095 — Non-Application Layer Protocol
• T1105 — Ingress Tool Transfer
• T1140 — Deobfuscate/Decode Files or Information
• T1204.001 — Malicious Link
• T1555.003 — Credentials from Web Browsers
• T1573.001 — Symmetric Cryptography

APT Groups Using This Malware

• BlackTech