TSCookieRAT

TSCookieRAT is a remote access threat that was leveraged against Japanese targets by the hacker group carrying the designation BlackTech. The threatening operation used bait emails to trick the targeted users into clicking a URL leading to the threat. It should be noted that TSCookieRAT also was tracked under the PLEAD name initially but later analysis has revealed certain distinctions between the two.

The lure emails employed in the campaign purported to be coming from the Ministry of Education, Culture, Sports, Science and Technology of Japan. The URL provided in the emails downloads an encrypted DLL file that contains the loader component of the TSCookieRAT. The DLL file is then loaded and executed on memory. The harmful functionalities of the threat are then expanded in the later stages of the attack by fetching and executing additional modules from the Command-and-Control (C2, C&C) server of the campaign. All late-stage components are also run on memory.

When TSCookieRAT is ready to begin its threatening operation, it sends an HTTP GET request to the C&C and then waits for incoming commands. The threat allows the con actor to establish a significant level of control over the infected system. The hackers can execute arbitrary shell commands, exfiltrate data including drive and system information, manipulate the file system, and harvest sensitive information, such as passwords from the most popular Web browsers - Chrome, Firefox, Edge, Internet Explorer and the Outlook email client. Results collected in response to the received commands are then uploaded in the same format as the first HTTP POST request.

The BlackTech attack campaigns against Japanese targets may continue and could involve different malware threats, so organizations should keep their cybersecurity at a satisfactory level and implement any software security patches in due time.