# Bug in Malware “TSCookie” - Fails to Read Configuration - (Update) **blogs.jpcert.or.jp/en/2019/05/tscookie3.html** 朝長 [秀誠 (Shusei Tomonaga)](https://blogs.jpcert.or.jp/en/shu_tom/) May 30, 2019 [BlackTech](https://blogs.jpcert.or.jp/en/tags/blacktech/) [Email](http://10.10.0.46/mailto:?subject=Bug%20in%20Malware%20%E2%80%9CTSCookie%E2%80%9D%20-%20Fails%20to%20Read%20Configuration%20-%20%28Update%29&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2019%2F05%2Ftscookie3.html) [Our past article has presented a bug in malware “TSCookie”, which is reportedly used by](https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html) BlackTech attack group. This article is to update the features of the malware. Even after we published the blog article in October 2018, the adversary had continued using the malware as it was. Just in May 2019, we confirmed that the malware had its bug fixed and was used in some attack cases. ## Details of the fix The malware copies its configuration to the memory. In the previous version, the data size to be copied was incorrectly set, which resulted in the configuration not displayed properly (see the [article for more details). In the updated version, the data size is set to 0x1000 instead of](https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html) 0x8D4. Fig 1: Updates in TSCookie (Left: Code with the bug / Right: Updated code) ----- This update enables TSCookie to decode the configuration correctly. Fig 2 is the comparison of decoded configuration. This update has also fixed the issue where the malware fails to reconnect to a C&C server for a few days. Fig 2: Decoded configurations of TSCookie (Left: Sample with the bug / Right: Updated sample) ## In closing As we pointed out before, it is likely that adversaries also follow publications and blogs from security vendors, etc. We assume that the adversary recognised the bug on our blog and fixed the issue accordingly. If we see any updates on the malware, we will introduce them here. Hash values of the samples described in the article are listed in Appendix A, along with C&C servers in Appendix B. Please make sure that none of your devices is accessing these hosts. Thank you for reading. Shusei Tomonaga (Translated by Yukako Uchida) **Appendix A: Hash value of the samples** Malware with the bug 96723797870a5531abec4e99fa84548837e9022e9f22074cf99973ab7df2a2e7 Updated malware 1ec19677d1e48e4f6ff5f9fe7808b13964059e2ffd48ece19f7305d78e04ec4a c2c062ff84a18ad02e92dea0d6e12cafa66ff167ea8d02663fc9aae44de7f4e0 **Appendix B: List of C&C servers** www.google.com.dns-report.com ----- microsoft.com.appstore.dynamicdns.co.uk cartview.viamisoftware.com [Email](http://10.10.0.46/mailto:?subject=Bug%20in%20Malware%20%E2%80%9CTSCookie%E2%80%9D%20-%20Fails%20to%20Read%20Configuration%20-%20%28Update%29&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2019%2F05%2Ftscookie3.html) Author 朝長 [秀誠 (Shusei Tomonaga)](https://blogs.jpcert.or.jp/en/shu_tom/) Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer. Was this page helpful? 0 people found this content helpful. If you wish to make comments or ask questions, please use this form. This form is for comments and inquiries. For any questions regarding specific commercial products, please contact the vendor. please change the setting of your browser to set JavaScript valid. Thank you! [Back](https://blogs.jpcert.or.jp/en/2019/05/visit-to-indonesia---everybody-can-hack-id-sirtiicc.html) [Top](https://blogs.jpcert.or.jp/en/) [Next](https://blogs.jpcert.or.jp/en/2019/06/darkhotel-lnk.html) -----