{
	"id": "6ef9d4cc-c47a-4123-9d96-4f091be6c5d2",
	"created_at": "2026-04-06T00:15:45.794809Z",
	"updated_at": "2026-04-10T03:32:09.298642Z",
	"deleted_at": null,
	"sha1_hash": "c7e71326d026cc46c7eb49de77a8193fe131afbb",
	"title": "Bug in Malware “TSCookie” - Fails to Read Configuration - - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 865806,
	"plain_text": "Bug in Malware “TSCookie” - Fails to Read Configuration - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2018-11-11 · Archived: 2026-04-05 18:17:19 UTC\r\nBlackTech\r\nIn a previous article we introduced the malware ‘TSCookie’, which is presumably used by the attacker group BlackTech. We have continued to observe attack activity using this malware since then. While investigating an attack observed around August 2018, we confirmed that the malware had been updated. There are two points meriting attention in this update:\r\nCommunication with C\u0026C server\r\nDecoding configuration information\r\nThis article introduces the details of the update.\r\nCommunication with C\u0026C server\r\nIn the previous version, TSCookie placed the encrypted contents in the Cookie header when communicating with a C\u0026C server.\r\nGET /Default.aspx HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nDate: Thu, 18 Jan 2018 10:20:55 GMT\r\nPragma: no-cache\r\nAccept: */*\r\nCookie: 1405D7CD01C6978E54E86DA9525E1395C4DD2F276DD28EABCC3F6201ADAA66F55C15352D29D0FFE51BC9D431EB23E\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nHost:[host name]:443\r\nIn the new version, the Cookie header is no longer used. Instead, the encrypted contents are placed in the URL parameters, as below:\r\nGET /t3328483620.aspx?m=4132641264\u0026i=44D6CF457ADC27B2AFAAEAA\u0026p=EF4D5069C30D6CAC9 HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)\r\nHost: [host name]:443\r\nhttps://blogs.jpcert.or.jp/en/2018/11/tscookie2.html\r\nPage 1 of 6\r\nIf the server acknowledges this HTTP GET request, an HTTP POST request is sent as the next step. The communication behaviour is otherwise the same as in the previous TSCookie. From a detection standpoint, note that the encrypted data now travels in the URL query string rather than in the Cookie header, so signatures written for the Cookie header of the earlier version will not match the new one.\r\nRC4 is still used for encryption, but the key is now derived from the URL path and the configuration key, as shown in the following example code for decoding the HTTP GET request parameters (Python 3; the ROR and rc4 helpers are defined here so that the script runs as-is).\r\nimport sys\r\nfrom struct import pack\r\ndef ROR(v, n):\r\n    # 32-bit rotate right, as used in the key derivation\r\n    return ((v \u003e\u003e n) | (v \u003c\u003c (32 - n))) \u0026 0xFFFFFFFF\r\ndef rc4(data, key):\r\n    # Standard RC4: key scheduling followed by keystream XOR\r\n    S = list(range(256))\r\n    j = 0\r\n    for i in range(256):\r\n        j = (j + S[i] + key[i % len(key)]) \u0026 0xFF\r\n        S[i], S[j] = S[j], S[i]\r\n    out = bytearray()\r\n    i = j = 0\r\n    for c in data:\r\n        i = (i + 1) \u0026 0xFF\r\n        j = (j + S[i]) \u0026 0xFF\r\n        S[i], S[j] = S[j], S[i]\r\n        out.append(c ^ S[(S[i] + S[j]) \u0026 0xFF])\r\n    return bytes(out)\r\ndata = \"\u0026\" + sys.argv[1]  # sys.argv[1] = URL path\r\nconf_key = bytes.fromhex(sys.argv[2])  # sys.argv[2] = Configuration key (hex)\r\nfield = data.split(\"\u0026\")\r\nurl_key = field[1]\r\ni = 2\r\nencdata = \"\"\r\nwhile i \u003c len(field):\r\n    value = field[i].split(\"=\")\r\n    encdata += value[1]\r\n    i += 1\r\nkey1 = 0\r\nfor i in range(len(url_key)):\r\n    key1 = ord(url_key[i]) + ROR(key1, 13)\r\n    key1 = key1 \u0026 0xFFFFFFFF\r\nkey2 = 0\r\nfor i in range(len(conf_key)):\r\n    key2 = conf_key[i] + ROR(key2, 13)\r\n    key2 = key2 \u0026 0xFFFFFFFF\r\nkey = pack(\"I\", key1) + pack(\"I\", key2)\r\ndecode_data = rc4(bytes.fromhex(encdata), key)\r\nDecoding configuration information\r\nTSCookie carries its own configuration information and operates according to it. The contents of the configuration remain the same in the new version; what differs is the method of decoding it. Previously, TSCookie stored a 4-byte RC4 key at the beginning of the configuration and used it for decoding. In the new version, the key size is expanded to 0x80 bytes (Figure 1).\r\nFigure 1: RC4 key and encrypted configuration\r\nWe have confirmed that this update made TSCookie fail to read part of the configuration. Figure 2 shows the code that copies the encrypted configuration (0x8D0 bytes) and the RC4 key (0x80 bytes).\r\nFigure 2: Code copying RC4 key and encrypted configuration\r\nThe code copies 0x8D4 bytes (0x8D0 + 4), i.e. the copy size was not updated for the larger RC4 key. To copy the updated RC4 key and the configuration correctly, the size would need to be 0x950 bytes (0x8D0 + 0x80). Since the key precedes the configuration (Figure 1), a 0x8D4-byte copy leaves the last 0x7C bytes of the configuration out, and because of this fault the configuration cannot be decoded properly. Figure 3 shows how the TSCookie configuration is decoded.\r\nFigure 3: Decoded TSCookie configuration\r\n(Left: Copy size 0x8D4, Right: Copy size 0x950)\r\nThe decoded results differ between the left figure (wrong, smaller copy size) and the right figure (correct, expanded copy size). The 4 bytes at offset 0x89C specify the waiting time, in seconds, before reconnecting to a C\u0026C server. The attackers set this to 99 (0x63) seconds (right figure); however, because the value is not read properly (left figure), the malware does not reconnect for a few days.\r\nIn closing\r\nAttackers often update their malware in response to analysis reports published by security vendors. We expect that this bug will be fixed sooner or later, and we will post an update when we confirm new malware features.\r\nThe malware sample’s hash value is available in Appendix A, and some C\u0026C servers are listed in Appendix B. We hope this is helpful in identifying signs of infection.\r\n(Translated by Yukako Uchida)\r\nAppendix A: SHA-256 hash value of the sample\r\na5c75f4d882336c670f48f15bf3b3cc3dfe73dba7df36510db0a7c1826d29161\r\nAppendix B: C\u0026C servers\r\nmediaplayer.dnset.com\r\nmediaplayers.ssl443.org\r\nfashion.androiddatacenter.com\r\nsakurings.flnet.org\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference, and is a JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html"
	],
	"report_names": [
		"tscookie2.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791929,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7e71326d026cc46c7eb49de77a8193fe131afbb.pdf",
		"text": "https://archive.orkl.eu/c7e71326d026cc46c7eb49de77a8193fe131afbb.txt",
		"img": "https://archive.orkl.eu/c7e71326d026cc46c7eb49de77a8193fe131afbb.jpg"
	}
}