# Malware Used by BlackTech after Network Intrusion

**blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html**

朝長 [秀誠 (Shusei Tomonaga)](https://blogs.jpcert.or.jp/en/shu_tom/)

September 18, 2019

[Tool](https://blogs.jpcert.or.jp/en/tags/tool/)
[BlackTech](https://blogs.jpcert.or.jp/en/tags/blacktech/)

[Email](http://10.10.0.46/mailto:?subject=Malware%20Used%20by%20BlackTech%20after%20Network%20Intrusion&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2019%2F09%2Ftscookie-loader.html)

[Previously, we explained about malware "TSCookie" and](https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html) ["PLEAD" which are used by an](https://blogs.jpcert.or.jp/en/2018/06/plead-downloader-used-by-blacktech.html)
attack group BlackTech. Their activities have been continuously observed in Japan as of
now. We have been seeing that a new malware variant is being used after they successfully
intruded into a target network. This article explains the details of the variant.

### TSCookie used after intrusion

The malware consists of 2 files (TSCookie Loader and TSCookie) as in Figure 1.

Figure 1: Overview of

TSCookie Loader and TSCookie


-----

TSCookie Loader is either in EXE or DLL format, and it reads and executes specific files
stored in the same folder or the following locations. (The folders may vary depending on the
sample.)

C:\Windows
C:\ProgramData\Microsoft
C:\Users\Public\Documents
C:\Program Files\Internet Explorer

It reads files that match the following file names:

desktop.db
Files with name that match 7???. (wildcard)
Files with name that match 8???. (wildcard)

For example, files names such as KB78E7269.log and PM89E7267.xml have been
confirmed.
TSCookie is RC4-encrypted and can be decoded by TSCookie Loader before being
executed on the memory. TSCookie itself is a downloader and operates according to
modules downloaded from an external server. Some characteristics such as configuration
and communication protocols differ between TSCookie and the variant.
Details of TSCookie behaviour is described in the following section.

### TSCookie behaviour

TSCookie supports multiple communication protocols (HTTP, HTTPS and custom protocol).
The protocol that each sample uses is described in its configuration. (Please see Appendix A
for the details of the configuration.)

If it is configured to use HTTP protocol, the following HTTP POST request is sent:
```
POST /index?o=E7E168C4EC82E HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Proxy-Connection: Keep-Alive
Content-Length: [size]
Host: [host name]
[Data]

```
There are several patterns of URL path, which are dynamically created with the following
random strings and values. (Some of them are described with format specifiers. Other
patterns also exist.)

/news?%c=%X%X
/index?%c=%X%X


-----

/?id=%X%X
/Default.aspx?%c=%X%X
/m%u.jsp?m=%d
/N%u.jsp?m=%d

Sent data is RC4-encrypted. Please see Table B-1 and B-2 in Appendix B for the format of
the data.
Data downloaded by the HTTP POST request is RC4-encrypted by the 8-byte value
consisting of the RC4 key (Table A-1 in Appendix A) and another value in the received data
(RC4 key as in Table B-3 in Appendix B). The downloaded data contains modules, and they
are executed on the memory.

### TSCookie decoding tool

We have developed a tool to decode TSCookie files and extract configuration. This is
available on GitHub for your use.

JPCERTCC/aa-tools - GitHub

[https://github.com/JPCERTCC/aa-tools/blob/master/tscookie_data_decode.py](https://github.com/JPCERTCC/aa-tools/blob/master/tscookie_data_decode.py)

### In closing

We have received many reports about TSCookie infection. Please make sure that there is no
infection in your organisation, referring to the file names and communication protocols
described in this article. The hash value of the samples described in this article are listed in
Appendix C.

Shusei Tomonaga

(Translated by Yukako Uchida)

**Appendix A: TSCookie Configuration**

Table A: Configuration

Offset Contents Remarks


0x000 Destination server and port
number


Multiple hosts can be specified by listing with
a semicolon ";"


0x400 RC4 key Used for encryption

0x404 Sleep times

0x42C Mutex


-----

0x44C Communication mode - 1,2,3: HTTP protocol supporting
authentication proxy

                      - 6,7,8: HTTPS protocol

                       - 0: Custom protocol

                      - 5: HTTP protocol

0x454 HTTP connection keep

0x458 ICMP recipient setting Receive information of the destination server
by ICMP

0x4D4 IP address to receive ICMP
communication

0x624 Process injection mode - 0: Launch

                       - 1: Already running

                      - 2: Launch offset 0x62C

0x628 Process to be injected - 0: svchost.exe

                         - 1: iexplorer.exe

                        - 2: explorer.exe

                       - 3: Default Browser

                       - 4: Process in offset 0x62C

0x62C Process name

0x72C Proxy server

0x76C Proxy port number

0x770 Proxy username

0x790 Proxy password

0x7B0 Proxy mode - 1: Use configuration data

                       - 0: Detect Proxy automatically

0x7B4 Proxy authentication process AuthScheme

Some samples may not inject processes.

**Appendix B: Data exchanged by TSCookie**

Table B-1: Format of sent data

Offset Length Contents

0x00 4 Number of received data (begins with 0xFFFFFFFF)

0x04 4 Length of data sent


-----

0x08 4 Times of communication

0x0C 4 Fixed value (Set to 0x5322 at the beginning, then to 0x5324 or 0x5325
while receiving modules)

0x1C 4 Random data (RC4 key)

0x20 - Random data after first communication (See Table B-2 for first
communication)

Up to offset 0x1C, the contents are RC4-encrypted with the key in the configuration
and random data.

Table B-2: Data format of first communication after offset 0x20

Offset Length Contents

0x00 4 0x9A65001E

0x04 4 Process ID

0x08 4 0x5322

0x0C 4 Random data

0x10 4 Data size from offset 0x14

0x14 - Random data (RC4 key)

Up to offset 0x14, the contents are RC4-encrypted with the key in the configuration and
random data.

Table B-3: Format of received data

Offset Length Contents

0x00 4 Number of received data

0x04 4 Length of received data

0x0C 4 
0x10 4 Whether the contents from offset 0x20 is encrypted

0x1C 4 RC4 key

0x20 - Module data


-----

Up to 0x1C, the contents are RC4-encrypted with the key contained in the configuration
and another key in the received data.

**Appendix C: SHA-256 value of the samples**

TSCookie Loader

072f24d2691fb3930628be91bc46cefb8bc3364d1d09d72ab0cb3863681cb107
f49956f498042feb237c3e898f74a8e14500c27cda2746efca2d973a5390baa8
3e12938df72380e4ae7a2dcb3322e563de3da102f5f32b26a29662ba594e73d1
23ca1a3ca26ada00502bbd1abf4d42302343dafba32cbc0711847d52884ff8e1
6ec56de53ef1ea66c81b3e48f9a9b3cf3dc8e3ebda1ec08bf95cc21228a4c7b3
bd89b972de19c8ab2be0fb3e2aa44638a95e465e4b52920c94e6f59c25ce4693
c5d7e5a12c8eab9c14f008c93d92e0070f84f358d39f28ac089ee917c652f5a8
85536a139b9d44157aea2908a6a6e53e4ac19077355680b69edd8e84c70254bc
0d00d12d71dd080d2861e9da89906a67bb822c64366b4c6b72a55bb8c26a4ea3
81dfce847a9fd6a3a0080a927bbb740709bdcc099bfe1b0cfc99958f6ddeb52f
48fdc29e7f47e5d38c88a89667ed85740628bf4f4ce95045019f7ebfeb4bbb5c
d5909d06ddb394dea114052e9e174fa1e88324d805d153edb6076c53842fd2f2
9e10a1abbff4d421eaee20040fb2a9270c4efb6d75ee6cd728b09bac1042bfa6
ae5528cc802c81946f2787c7e884656416acebc89466989eeca9379fa066ad96
69b07aae04af6ca57d6066fdcbfeeb4c4849bfd2cd65b01c1e576f45b1c24d79
784b331d30d46ee9e7a264ecb45e3a39d7cef135d189bf0e712e89935728c13f
0eb9947a1ef4b810517f6cba175a321c4d69c3058d688bdd73492d54e7932c86

[Email](http://10.10.0.46/mailto:?subject=Malware%20Used%20by%20BlackTech%20after%20Network%20Intrusion&body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2019%2F09%2Ftscookie-loader.html)

Author

朝長 [秀誠 (Shusei Tomonaga)](https://blogs.jpcert.or.jp/en/shu_tom/)

Since December 2012, he has been engaged in malware analysis and forensics
investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to
joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a
foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal,
Botconf, PacSec and FIRST Conference. JSAC organizer.

Was this page helpful?

0 people found this content helpful.


-----

If you wish to make comments or ask questions, please use this form.

This form is for comments and inquiries. For any questions regarding specific commercial
products, please contact the vendor.

please change the setting of your browser to set JavaScript valid. Thank you!

## Related articles

Analysis of HUI Loader

Anti-UPX Unpacking Technique

FAQ: Malware that Targets Mobile Devices and How to Protect Them


-----

Malware WinDealer used by LuoYu Attack Group

Malware Gh0stTimes Used by BlackTech


[Back](https://blogs.jpcert.or.jp/en/2019/08/malconfscan-with-cuckoo.html)
[Top](https://blogs.jpcert.or.jp/en/)
[Next](https://blogs.jpcert.or.jp/en/2019/10/apcert2019.html)


-----