TSCookie

TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese targets.[1][2] TSCookie has been referred to as PLEAD, though more recent reporting indicates a separation between the two.[3][2]

ID: S0436
Type: MALWARE
Platforms: Windows
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.0
Created: 06 May 2020
Last Modified: 16 April 2025

Techniques Used

Domain | ID | Name | Use (described under each entry)

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

TSCookie can use multiple protocols, including HTTP and HTTPS, to communicate with command and control (C2) servers.[2][1]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

TSCookie has the ability to execute shell commands on the infected host.[1]

Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers

TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[1]

Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography

TSCookie has encrypted network communications with RC4.[1]
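The two entries above (T1140, decrypting an embedded DLL before loading it, and T1573.001, RC4-protected C2 traffic) both come down to running RC4 over a blob with a recovered key. The block below is an added example, not TSCookie's own code or code from this page: a minimal RC4 implementation plus a triage helper that decrypts a blob and checks whether the result is a PE image. The key, the text sample and the fake PE stub are constructed for the example; they are not TSCookie's real key, traffic or payload, and the page does not describe how TSCookie derives its key.

```python
# Added example, not TSCookie's own code or code from the page: a minimal
# RC4 implementation, since the entry says TSCookie protects C2 traffic with
# RC4 and decrypts an embedded DLL before loading it. The key, the text
# sample and the fake PE stub below are constructed for this example; they
# are not TSCookie's real key, traffic, or payload.


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute the 256-byte state with the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 XORs a keystream, so one function does both."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """True if the decrypted bytes carry an MZ header whose e_lfanew field
    (offset 0x3C) points at a PE signature, i.e. a DLL/EXE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe_stub() -> bytes:
    """Constructed 0x44-byte stand-in for an embedded DLL: only the header
    fields looks_like_pe() inspects, nothing loadable."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


def decrypt_and_classify(key: bytes, blob: bytes):
    """Decrypt a captured blob with an (assumed known) key and report whether
    the result is a PE image, the way an analyst triages an RC4-protected
    resource or C2 message."""
    plain = rc4_crypt(key, blob)
    return plain, looks_like_pe(plain)


if __name__ == "__main__":
    # Public RC4 test vector (key "Key", plaintext "Plaintext").
    print(rc4_crypt(b"Key", b"Plaintext").hex())          # bbf316e8d940af0ad3
    enc = rc4_crypt(b"example-key", fake_pe_stub())        # constructed key
    print(decrypt_and_classify(b"example-key", enc)[1])    # True
```

The PE check is the useful part in practice: with a candidate key, a decrypted resource that suddenly starts with `MZ` and a valid `e_lfanew` is strong evidence the key is right, whereas a bad key yields uniformly random-looking bytes.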

Enterprise | T1083 | File and Directory Discovery

TSCookie has the ability to discover drive information on the infected host.[1]

Enterprise | T1105 | Ingress Tool Transfer

TSCookie has the ability to upload and download files to and from the infected host.[1]

Enterprise | T1095 | Non-Application Layer Protocol

TSCookie can use ICMP to receive information on the destination server.[2]

Enterprise | T1057 | Process Discovery

TSCookie has the ability to list processes on the infected host.[1]

Enterprise | T1055 | Process Injection

TSCookie has the ability to inject code into the svchost.exe, iexplore.exe (Internet Explorer), explorer.exe, and default browser processes.[2]
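The injection targets named above are exactly the processes a hunt query should watch for remote thread creation. The block below is an added example, not code from the page or from TSCookie: a detection pass over constructed, one-line renderings of Sysmon Event ID 8 (CreateRemoteThread) records that flags threads created from another process into svchost.exe, iexplore.exe, explorer.exe or a browser that might be the default. The line format, the paths and PIDs, the browser names and the allowlist are all assumptions made for this example.

```python
# Added example, not from the page or from TSCookie: a detection pass over
# constructed, one-line renderings of Sysmon Event ID 8 (CreateRemoteThread)
# records, flagging threads created from another process into the hosts the
# entry names (svchost.exe, iexplore.exe, explorer.exe) or a browser that
# might be the default. The line format, the paths and PIDs, the browser
# names and the allowlist are all assumptions for this example.

from dataclasses import dataclass

INJECTION_TARGETS = {"svchost.exe", "iexplore.exe", "explorer.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumed
# Sources that routinely create remote threads and would drown the alert
# (assumed allowlist; matched on full path so a renamed copy elsewhere still fires).
ALLOWLIST_SOURCES = {"c:\\windows\\system32\\csrss.exe"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_function: str  # Sysmon resolves this to an export name when it can


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_sysmon_line(line: str) -> RemoteThreadEvent:
    """Parse 'Field: value, Field: value' (the constructed format used below)."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key] = value
    return RemoteThreadEvent(
        fields["SourceImage"], int(fields["SourceProcessId"]),
        fields["TargetImage"], int(fields["TargetProcessId"]),
        fields["StartFunction"],
    )


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    if ev.source_pid == ev.target_pid:  # a process starting a thread in itself
        return False
    if ev.source_image.lower() in ALLOWLIST_SOURCES:
        return False
    target = basename(ev.target_image)
    return target in INJECTION_TARGETS or target in BROWSERS


def scan(lines) -> list:
    """Return the events worth alerting on, in input order."""
    return [ev for ev in map(parse_sysmon_line, lines) if is_suspicious(ev)]


# Constructed sample log lines (not real telemetry).
SAMPLE_EVENTS = [
    "SourceImage: C:\\Users\\u\\AppData\\Local\\Temp\\update.exe, SourceProcessId: 4120, "
    "TargetImage: C:\\Windows\\System32\\svchost.exe, TargetProcessId: 876, StartFunction: -",
    "SourceImage: C:\\Windows\\System32\\csrss.exe, SourceProcessId: 512, "
    "TargetImage: C:\\Windows\\explorer.exe, TargetProcessId: 2040, StartFunction: CtrlRoutine",
    "SourceImage: C:\\Windows\\System32\\svchost.exe, SourceProcessId: 876, "
    "TargetImage: C:\\Windows\\System32\\svchost.exe, TargetProcessId: 876, StartFunction: -",
    "SourceImage: C:\\Users\\u\\AppData\\Local\\Temp\\update.exe, SourceProcessId: 4120, "
    "TargetImage: C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe, "
    "TargetProcessId: 3300, StartFunction: LoadLibraryW",
    "SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe, SourceProcessId: 2900, "
    "TargetImage: C:\\Windows\\System32\\notepad.exe, TargetProcessId: 5100, StartFunction: -",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"{basename(ev.source_image)} ({ev.source_pid}) -> "
              f"{basename(ev.target_image)} ({ev.target_pid}) via {ev.start_function}")
```

Two of the five constructed events fire: the unsigned-looking binary in a Temp directory threading into svchost.exe, and the same binary threading into chrome.exe with LoadLibraryW as the start routine (classic DLL injection). The csrss.exe case is suppressed only because its full path is allowlisted; in production that allowlist should also require a valid signer, since a path check alone is easy to satisfy.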

Enterprise | T1090 | Proxy

TSCookie has the ability to proxy communications with command and control (C2) servers.[2]

Enterprise | T1016 | System Network Configuration Discovery

TSCookie has the ability to identify the IP of the infected host.[1]

Enterprise | T1204.001 | User Execution: Malicious Link

TSCookie has been executed via malicious links embedded in e-mails spoofing Japan's Ministry of Education, Culture, Sports, Science and Technology (MEXT).[1]

Groups That Use This Software

ID | Name | References
G0098 | BlackTech | [1]

References
