ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes
By 朝長 秀誠 (Shusei Tomonaga)
Published: 2020-03-04
Category: BlackTech

In past blog articles, we introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows OS, we have also confirmed that there are TSCookie and PLEAD variants that infect Linux OS. This article describes TSCookie for Linux, used by BlackTech.

Difference between TSCookie for Windows and Linux

The functions of the two are mostly the same, as many parts of the code are identical. Figure 1 shows a comparison of the code in TSCookie for Windows and for Linux.

Figure 1: Comparison of code in TSCookie for Windows and Linux (Left: Windows, Right: Linux)

While they are mostly the same in terms of code, the Linux version operates differently, with the following characteristics:

- Less configuration data
- Supports the custom communication protocol only
- Several functions available by default

The details are explained in the next sections.

Less configuration data

As described in the past blog entry (Appendix A: TSCookie Configuration), TSCookie for Windows has 17 sets of configuration within a 0xB78-byte data block. In the Linux version this is reduced to 5, and the configuration for proxy communication and others has been excluded. See Appendix A for details. In the Windows version, the configuration is RC4-encrypted and hardcoded in the malware.
For the Linux version, however, information such as the C&C server is copied as plain text into a dedicated area in memory and then RC4-encrypted. It is uncertain why the Linux version does not encrypt the configuration with RC4 from the beginning, but it is possible that some parts of the code did not work when it was copied from the Windows version to the Linux one.

Figure 2: Code for creating configuration

Supports custom communication protocol only

While TSCookie for Windows supports several communication protocols (HTTP, HTTPS and a custom protocol), the Linux version only supports its custom protocol. Figure 3 shows part of the communication code. It is clear that the code only covers the custom protocol.

Figure 3: Comparison of communication in TSCookie for Windows and Linux (Left: Windows version, Right: Linux version)

The payload itself is RC4-encrypted in both versions, and the format of the data as well as the commands received in reply remain mostly the same. (See Appendix B for details.)

Several functions available by default

TSCookie for Windows downloads modules and operates accordingly. The Linux version has the following functions by default, so it conducts malicious activities without downloading extra modules. (See Appendix C for details.)

- Execute arbitrary shell command
- Operate files (list, delete, move)
- Upload/Download files

In closing

It is assumed that the malware is embedded in a Linux server of a victim organisation by an attacker after intrusion. If you find any type of malware related to BlackTech in your network, it is recommended that you also check your Linux environment. Please see Appendix D for the list of C&C servers.
Shusei Tomonaga (Translated by Yukako Uchida)

Appendix A: ELF_TSCookie Configuration

Table A: Configuration

Offset  Description                         Remarks
0x000   Destination server and port number  Multiple hosts can be specified by listing them with a semicolon ";"
0x400   RC4 key                             Used for encrypting communication
0x40C   Campaign ID
0x44C   Communication mode                  Only supports a custom protocol
0x454   Not used

Appendix B: Data exchanged by ELF_TSCookie

Table B-1: Format of sent data

Offset  Length  Contents
0x00    4       Number of received data (begins with 0xFFFFFFFF)
0x04    4       Length of data sent
0x08    4       Packet number (used to divide data when the data length is larger than 65440)
0x0C    4       Command (begins with 0x7263BC02)
0x10    4       Whether the data after 0x20 is RC4-encrypted
0x14    4       Not used
0x18    4       0x3001
0x1C    4       RC4 key (random data)
0x20    -       Data to be sent (see Table B-2 for the first communication)

Up to offset 0x1C, the contents are encrypted with the RC4 key in the configuration and the random data.

Table B-2: Format of data sent in the first communication after offset 0x20

Offset  Length  Contents
0x00    4       0x9A65001F
0x04    4       Process ID
0x08    4       Command (0x7263BC02 at the beginning)
0x0C    4       Not used
0x10    4       Data size after offset 0x14
0x14    -       Random data

Up to offset 0x14, the contents are encrypted with the RC4 key in the configuration and the random data.

Table B-3: Format of received data

Offset  Length  Contents
0x00    4       Number of received data
0x04    4       Length of received data
0x0C    4       Command
0x10    4       Whether the data after 0x20 is RC4-encrypted
0x1C    4       RC4 key
0x20    -       Data

Up to offset 0x1C, the contents are encrypted with the RC4 key in the configuration and another key in the received data.
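The Table A layout above is what an analyst needs when carving the configuration out of a memory image of the Linux sample, since the article notes it is first copied into memory as plain text. The following parser is an added example written for this page; it is not code from JPCERT/CC or from the malware. Field sizes are inferred from the gaps between the offsets in Table A (the table gives offsets only), the "host:port" form of each server entry and the little-endian uint32 reading of the communication mode are assumptions, and the sample blob is constructed here, not taken from a real sample.

```python
import struct
from dataclasses import dataclass

# Field offsets from Table A. Sizes are inferred from the gaps between
# consecutive offsets (assumption: the table lists offsets only).
CONFIG_SIZE = 0x458
OFF_SERVERS = 0x000      # 0x400 bytes: "host:port;host:port" (host:port layout assumed)
OFF_RC4_KEY = 0x400      # 0x00C bytes, NUL-terminated (assumed)
OFF_CAMPAIGN_ID = 0x40C  # 0x040 bytes, NUL-terminated string (assumed)
OFF_COMM_MODE = 0x44C    # 0x008 bytes; read as a little-endian uint32 (assumed)
OFF_UNUSED = 0x454       # 0x004 bytes, not used per Table A


@dataclass
class TSCookieConfig:
    servers: list      # list of (host, port) tuples
    rc4_key: bytes
    campaign_id: str
    comm_mode: int


def _cstring(buf: bytes) -> bytes:
    """Return the bytes up to the first NUL, like a C string inside the blob."""
    return buf.split(b"\x00", 1)[0]


def parse_servers(raw: str) -> list:
    """Split the ';'-separated server list (Table A remark) into (host, port)."""
    servers = []
    for entry in raw.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"unexpected server entry: {entry!r}")
        servers.append((host, int(port)))
    return servers


def parse_config(blob: bytes) -> TSCookieConfig:
    """Parse a plain-text (already decrypted or pre-encryption) config block."""
    if len(blob) < CONFIG_SIZE:
        raise ValueError(f"config too short: {len(blob)} < {CONFIG_SIZE}")
    servers_raw = _cstring(blob[OFF_SERVERS:OFF_RC4_KEY]).decode("ascii", "replace")
    rc4_key = _cstring(blob[OFF_RC4_KEY:OFF_CAMPAIGN_ID])
    campaign_id = _cstring(blob[OFF_CAMPAIGN_ID:OFF_COMM_MODE]).decode("ascii", "replace")
    comm_mode = struct.unpack_from("<I", blob, OFF_COMM_MODE)[0]
    return TSCookieConfig(parse_servers(servers_raw), rc4_key, campaign_id, comm_mode)


def build_sample_config() -> bytes:
    """Constructed sample blob (not a real sample) laid out per Table A."""
    blob = bytearray(CONFIG_SIZE)

    def put(offset: int, data: bytes) -> None:
        blob[offset:offset + len(data)] = data

    put(OFF_SERVERS, b"c2.example.invalid:443;backup.example.invalid:8080")
    put(OFF_RC4_KEY, b"SAMPLEKEY01")
    put(OFF_CAMPAIGN_ID, b"test-campaign")
    put(OFF_COMM_MODE, struct.pack("<I", 1))
    return bytes(blob)


if __name__ == "__main__":
    print(parse_config(build_sample_config()))
```

Because the Linux sample writes the configuration into memory in the clear before encrypting it, a process dump taken at the right moment can be fed to parse_config directly; a dump taken later would first need RC4 decryption with the key the sample uses, which this example does not attempt to recover.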
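For incident responders holding a capture of the custom protocol, Tables B-1 and B-3 together with the command values in Appendix C are enough to write a decoder and to test whether a recovered configuration key is the right one. The code below is an added example for this page, not code from JPCERT/CC or from the sample. It assumes little-endian fields, that the header key is the configuration RC4 key (Table A, offset 0x400) concatenated with the 4 random bytes at offset 0x1C (the article only says the header is encrypted with "the RC4 key in the configuration and the random data"), that the body after 0x20 is encrypted with those same 4 random bytes when the flag at 0x10 is set, and that the length field counts the body only. The constant 0x3001 at offset 0x18 serves as the check that those assumptions and the key are right: a wrong key or a wrong derivation will not reproduce it. The encoder exists only to produce constructed test input for the decoder.

```python
import os
import struct

HEADER_LEN = 0x20        # fixed header (Tables B-1 and B-3)
ENCRYPTED_LEN = 0x1C     # bytes 0x00..0x1B are RC4-encrypted
MAGIC = 0x3001           # constant at offset 0x18
CMD_INITIAL = 0x7263BC02
RECV_COUNT_INITIAL = 0xFFFFFFFF

# Command values from Table C plus the two 0x7263BCxx values the tables mention.
COMMANDS = {
    0x7263BC02: "Initial command (bot -> server)",
    0x7263BC06: "Reply to 0x7200AC07-0x7200AC0B",
    0x7200AC03: "Launch remote shell",
    0x7200AC04: "Send a command to remote shell",
    0x7200AC05: "End remote shell",
    0x7200AC0C: "List files",
    0x7200AC0D: "Download file",
    0x7200AC0E: "Upload file",
    0x7200AC10: "Execute command",
    0x7200AC16: "Delete file",
    0x7200AC1A: "Move file",
}
COMMANDS.update({v: "Returns 0x7263BC06" for v in range(0x7200AC07, 0x7200AC0C)})
COMMANDS.update({v: "End bot" for v in range(0x7200AC11, 0x7200AC14)})


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def header_key(config_key: bytes, random_key: bytes) -> bytes:
    # ASSUMPTION: concatenation. Validate against MAGIC when decoding real traffic.
    return config_key + random_key


def encode_packet(command: int, body: bytes, config_key: bytes, recv_count: int = RECV_COUNT_INITIAL,
                  packet_no: int = 0, encrypted: bool = True, random_key: bytes = None) -> bytes:
    """Build a packet in the Table B-1 layout; used here only to create test input."""
    random_key = random_key or os.urandom(4)
    # Fields at 0x00..0x1B: recv count, length (ASSUMPTION: body only), packet no,
    # command, encrypted flag, unused, MAGIC.
    plain = struct.pack("<7I", recv_count, len(body), packet_no, command, int(encrypted), 0, MAGIC)
    enc_body = rc4(random_key, body) if encrypted else body   # ASSUMPTION: body key is the 0x1C bytes
    return rc4(header_key(config_key, random_key), plain) + random_key + enc_body


def decode_packet(blob: bytes, config_key: bytes) -> dict:
    """Decode one packet; raises ValueError when MAGIC does not check out."""
    if len(blob) < HEADER_LEN:
        raise ValueError("packet shorter than the fixed header")
    random_key = blob[ENCRYPTED_LEN:HEADER_LEN]
    plain = rc4(header_key(config_key, random_key), blob[:ENCRYPTED_LEN])
    recv_count, length, packet_no, command, encrypted, _unused, magic = struct.unpack("<7I", plain)
    if magic != MAGIC:
        raise ValueError(f"constant 0x3001 not found (got {magic:#x}): wrong key or key derivation")
    body = blob[HEADER_LEN:]
    if encrypted:
        body = rc4(random_key, body)
    return {
        "recv_count": recv_count, "length": length, "packet_no": packet_no,
        "command": command, "command_name": COMMANDS.get(command, "unknown"),
        "encrypted": bool(encrypted), "random_key": random_key, "body": body,
    }


if __name__ == "__main__":
    key = b"SAMPLEKEY01"   # constructed key, not from a real sample
    pkt = encode_packet(0x7200AC0C, b"/var/tmp", key, random_key=b"\x01\x02\x03\x04")
    print(decode_packet(pkt, key))
```

When the first bytes of a session decrypt to a receive counter of 0xFFFFFFFF and the command 0x7263BC02, the packet is the bot's initial beacon and its body follows Table B-2; later packets from the server carry the 0x7200ACxx values of Table C, which is what a detection rule over decrypted traffic would key on.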
Appendix C: ELF_TSCookie commands

Table C: Commands

Value                    Contents
0x7200AC03               Launch remote shell
0x7200AC04               Send a command to remote shell
0x7200AC05               End remote shell
0x7200AC07 - 0x7200AC0B  Returns 0x7263BC06
0x7200AC0C               List files
0x7200AC0D               Download file
0x7200AC0E               Upload file
0x7200AC11 - 0x7200AC13  End bot
0x7200AC16               Delete file
0x7200AC1A               Move file
0x7200AC10               Execute command

Appendix D: C&C servers

app.dynamicrosoft.com
home.mwbsys.org

Appendix E: Hash

fc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3

朝長 秀誠 (Shusei Tomonaga)
Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BSidesLV, Black Hat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.

Source: https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html