{ "id": "ec02ba81-51c7-41ac-bdc9-1c958d870f9d", "created_at": "2026-04-06T00:19:14.946752Z", "updated_at": "2026-04-10T13:11:29.952502Z", "deleted_at": null, "sha1_hash": "38526774d000095e8b66228e7e1751c06aef5ece", "title": "Malware Used by BlackTech after Network Intrusion - JPCERT/CC Eyes", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 493952, "plain_text": "Malware Used by BlackTech after Network Intrusion -\r\nJPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2019-09-17 · Archived: 2026-04-05 17:14:01 UTC\r\nTool\r\nBlackTech\r\nPreviously, we explained about malware \"TSCookie\" and \"PLEAD\" which are used by an attack group\r\nBlackTech. Their activities have been continuously observed in Japan as of now. We have been seeing that a new\r\nmalware variant is being used after they successfully intruded into a target network. This article explains the\r\ndetails of the variant.\r\nTSCookie used after intrusion\r\nThe malware consists of 2 files (TSCookie Loader and TSCookie) as in Figure 1.\r\nFigure 1: Overview of TSCookie Loader and TSCookie\r\nTSCookie Loader is either in EXE or DLL format, and it reads and executes specific files stored in the same folder\r\nor the following locations. (The folders may vary depending on the sample.)\r\nC:\\Windows\r\nC:\\ProgramData\\Microsoft\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 1 of 8\n\nC:\\Users\\Public\\Documents\r\nC:\\Program Files\\Internet Explorer\r\nIt reads files that match the following file names:\r\ndesktop.db\r\nFiles with name that match 7???. (wildcard)\r\nFiles with name that match 8???. (wildcard)\r\nFor example, files names such as KB78E7269.log and PM89E7267.xml have been confirmed.\r\nTSCookie is RC4-encrypted and can be decoded by TSCookie Loader before being executed on the memory.\r\nTSCookie itself is a downloader and operates according to modules downloaded from an external server. Some\r\ncharacteristics such as configuration and communication protocols differ between TSCookie and the variant.\r\nDetails of TSCookie behaviour is described in the following section.\r\nTSCookie behaviour\r\nTSCookie supports multiple communication protocols (HTTP, HTTPS and custom protocol). The protocol that\r\neach sample uses is described in its configuration. (Please see Appendix A for the details of the configuration.)\r\nIf it is configured to use HTTP protocol, the following HTTP POST request is sent:\r\nPOST /index?o=E7E168C4EC82E HTTP/1.1\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nProxy-Connection: Keep-Alive\r\nContent-Length: [size]\r\nHost: [host name]\r\n[Data]\r\nThere are several patterns of URL path, which are dynamically created with the following random strings and\r\nvalues. (Some of them are described with format specifiers. Other patterns also exist.)\r\n/news?%c=%X%X\r\n/index?%c=%X%X\r\n/?id=%X%X\r\n/Default.aspx?%c=%X%X\r\n/m%u.jsp?m=%d\r\n/N%u.jsp?m=%d\r\nSent data is RC4-encrypted. Please see Table B-1 and B-2 in Appendix B for the format of the data.\r\nData downloaded by the HTTP POST request is RC4-encrypted by the 8-byte value consisting of the RC4 key\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 2 of 8\n\n(Table A-1 in Appendix A) and another value in the received data (RC4 key as in Table B-3 in Appendix B). The\r\ndownloaded data contains modules, and they are executed on the memory.\r\nTSCookie decoding tool\r\nWe have developed a tool to decode TSCookie files and extract configuration. This is available on GitHub for\r\nyour use.\r\nJPCERTCC/aa-tools - GitHub\r\nhttps://github.com/JPCERTCC/aa-tools/blob/master/tscookie_data_decode.py\r\nIn closing\r\nWe have received many reports about TSCookie infection. Please make sure that there is no infection in your\r\norganisation, referring to the file names and communication protocols described in this article. The hash value of\r\nthe samples described in this article are listed in Appendix C.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: TSCookie Configuration\r\nTable A: Configuration\r\nOffset Contents Remarks\r\n0x000 Destination server and port number\r\nMultiple hosts can be specified by listing with a\r\nsemicolon \";\"\r\n0x400 RC4 key Used for encryption\r\n0x404 Sleep times\r\n0x42C Mutex\r\n0x44C Communication mode\r\n- 1,2,3: HTTP protocol supporting authentication proxy\r\n- 6,7,8: HTTPS protocol\r\n- 0: Custom protocol\r\n- 5: HTTP protocol\r\n0x454 HTTP connection keep\r\n0x458 ICMP recipient setting Receive information of the destination server by ICMP\r\n0x4D4\r\nIP address to receive ICMP\r\ncommunication\r\n0x624 Process injection mode - 0: Launch\r\n- 1: Already running\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 3 of 8\n\n- 2: Launch offset 0x62C\r\n0x628 Process to be injected\r\n- 0: svchost.exe\r\n- 1: iexplorer.exe\r\n- 2: explorer.exe\r\n- 3: Default Browser\r\n- 4: Process in offset 0x62C\r\n0x62C Process name\r\n0x72C Proxy server\r\n0x76C Proxy port number\r\n0x770 Proxy username\r\n0x790 Proxy password\r\n0x7B0 Proxy mode\r\n- 1: Use configuration data\r\n- 0: Detect Proxy automatically\r\n0x7B4 Proxy authentication process AuthScheme\r\nSome samples may not inject processes.\r\nAppendix B: Data exchanged by TSCookie\r\nTable B-1: Format of sent data\r\nOffset Length Contents\r\n0x00 4 Number of received data (begins with 0xFFFFFFFF)\r\n0x04 4 Length of data sent\r\n0x08 4 Times of communication\r\n0x0C 4\r\nFixed value (Set to 0x5322 at the beginning, then to 0x5324 or 0x5325 while receiving\r\nmodules)\r\n0x1C 4 Random data (RC4 key)\r\n0x20 - Random data after first communication (See Table B-2 for first communication)\r\nUp to offset 0x1C, the contents are RC4-encrypted with the key in the configuration and random data.\r\nTable B-2: Data format of first communication after offset 0x20\r\nOffset Length Contents\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 4 of 8\n\n0x00 4 0x9A65001E\r\n0x04 4 Process ID\r\n0x08 4 0x5322\r\n0x0C 4 Random data\r\n0x10 4 Data size from offset 0x14\r\n0x14 - Random data (RC4 key)\r\nUp to offset 0x14, the contents are RC4-encrypted with the key in the configuration and random data.\r\nTable B-3: Format of received data\r\nOffset Length Contents\r\n0x00 4 Number of received data\r\n0x04 4 Length of received data\r\n0x0C 4 -\r\n0x10 4 Whether the contents from offset 0x20 is encrypted\r\n0x1C 4 RC4 key\r\n0x20 - Module data\r\nUp to 0x1C, the contents are RC4-encrypted with the key contained in the configuration and another key in\r\nthe received data.\r\nAppendix C: SHA-256 value of the samples\r\nTSCookie Loader\r\n072f24d2691fb3930628be91bc46cefb8bc3364d1d09d72ab0cb3863681cb107\r\nf49956f498042feb237c3e898f74a8e14500c27cda2746efca2d973a5390baa8\r\n3e12938df72380e4ae7a2dcb3322e563de3da102f5f32b26a29662ba594e73d1\r\n23ca1a3ca26ada00502bbd1abf4d42302343dafba32cbc0711847d52884ff8e1\r\n6ec56de53ef1ea66c81b3e48f9a9b3cf3dc8e3ebda1ec08bf95cc21228a4c7b3\r\nbd89b972de19c8ab2be0fb3e2aa44638a95e465e4b52920c94e6f59c25ce4693\r\nc5d7e5a12c8eab9c14f008c93d92e0070f84f358d39f28ac089ee917c652f5a8\r\n85536a139b9d44157aea2908a6a6e53e4ac19077355680b69edd8e84c70254bc\r\n0d00d12d71dd080d2861e9da89906a67bb822c64366b4c6b72a55bb8c26a4ea3\r\n81dfce847a9fd6a3a0080a927bbb740709bdcc099bfe1b0cfc99958f6ddeb52f\r\n48fdc29e7f47e5d38c88a89667ed85740628bf4f4ce95045019f7ebfeb4bbb5c\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 5 of 8\n\nd5909d06ddb394dea114052e9e174fa1e88324d805d153edb6076c53842fd2f2\r\n9e10a1abbff4d421eaee20040fb2a9270c4efb6d75ee6cd728b09bac1042bfa6\r\nae5528cc802c81946f2787c7e884656416acebc89466989eeca9379fa066ad96\r\n69b07aae04af6ca57d6066fdcbfeeb4c4849bfd2cd65b01c1e576f45b1c24d79\r\n784b331d30d46ee9e7a264ecb45e3a39d7cef135d189bf0e712e89935728c13f\r\n0eb9947a1ef4b810517f6cba175a321c4d69c3058d688bdd73492d54e7932c86\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nRelated articles\r\nUpdate on Attacks by Threat Group APT-C-60\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 6 of 8\n\nCrossC2 Expanding Cobalt Strike Beacon to Cross-Platform Attacks\r\nMalware Identified in Attacks Exploiting Ivanti Connect Secure Vulnerabilities\r\nDslogdRAT Malware Installed in Ivanti Connect Secure\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 7 of 8\n\nTempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup\r\nSource: https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nhttps://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE" ], "origins": [ "web" ], "references": [ "https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html" ], "report_names": [ "tscookie-loader.html" ], "threat_actors": [ { "id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805", "created_at": "2023-07-20T02:00:08.724751Z", "updated_at": "2026-04-10T02:00:03.341845Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "MISPGALAXY:APT-C-60", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854", "created_at": "2024-12-28T02:01:54.668462Z", "updated_at": "2026-04-10T02:00:04.564201Z", "deleted_at": null, "main_name": "APT-C-60", "aliases": [ "APT-Q-12" ], "source_name": "ETDA:APT-C-60", "tools": [ "SpyGlace" ], "source_id": "ETDA", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434754, "ts_updated_at": 1775826689, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/38526774d000095e8b66228e7e1751c06aef5ece.pdf", "text": "https://archive.orkl.eu/38526774d000095e8b66228e7e1751c06aef5ece.txt", "img": "https://archive.orkl.eu/38526774d000095e8b66228e7e1751c06aef5ece.jpg" } }