Thursday, April 3, 2025
HomeBackdoorQSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

Published on

SIEM as a Service

Follow Us on Google News

The QSC Loader service DLL named “loader.dll” leverages two distinct methods to obtain the path to the Core module code.

It either extracts the path from the system directory “drivers\msnet” or reads and deletes a 256-byte path string from the file “n_600s.sys” within its own directory. 

Subsequently, the Loader reads and decompresses the code from the specified path. Through reflective loading, it injects this decompressed code into memory and executes the exported function “plugin_working” within the injected Core module.

The Core module dynamically loads and injects the Network module, responsible for C2 communication using MbedTLS and leverages configuration data, including potentially sensitive internal/proxy IP addresses, to establish connections. 

Specifically, it communicates with the File Manager module, which is responsible for providing functionalities such as browsing the file system, reading, writing, deleting, and moving files. 

Both modules operate within the context of the Core module, which manages their loading, initialization, and execution, including handling C2 commands for data exfiltration and module updates. 

The QSC framework, discovered in 2021, was recently observed deployed by the CloudComputating threat actor targeting an ISP in West Asia that leveraged pre-existing access established through the Turian backdoor since 2022. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

It employs a Command Shell module (qscShell.dll) that interacts with a spawned cmd.exe process via pipes and processes commands, including file manipulation (.put, .get) and timestamp changes (.ctm), and executes them within the shell environment. 

The attackers also deployed a new Golang-based backdoor, GoClient, alongside the QSC framework, starting on October 17, 2023.

They used the Quarian backdoor to deploy the QSC framework and the GoClient backdoor, where the QSC framework was used to create services to launch the QSC framework loader DLLs. 

While the GoClient backdoor was used to execute commands including collecting system information, disabling UAC remote restrictions, and compressing harvested data. 

The attacker also used the QSC framework to discover domain controllers and other machines on the network.

After gaining access to the domain controller, the attacker used a tool called we.exe to perform pass-the-hash attacks to remotely execute commands and enumerate users. 

Threat Attribution Engine analysis
Threat Attribution Engine analysis

Then they used WMIC to execute commands on the domain controller to obtain network configuration, create a shadow copy of the C: drive, steal the NTDS database, and store the collected information on the domain controller.  

According to the Secure List, a lateral movement within the victim network was accomplished by the CloudComputing group through the utilization of the QSC framework. 

Attackers utilized WMIC with stolen domain admin credentials to execute QSC framework components on multiple machines and communicated with a C2 server through internal pivot machines. 

The group employed a custom tool, “pf.exe,” to forward traffic between internal and external C2 servers.

The presence of the Quarian backdoor, known to be used by CloudComputating, along with specific tools like TailorScan and StowProxy, further strengthens the attribution to this group.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Cisco AnyConnect VPN Server Vulnerability Allows Attackers to Trigger DoS

Cisco has disclosed a significant vulnerability in its AnyConnect VPN Server for Meraki MX and Z...

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware...

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies...

SonicWall Firewall Vulnerability Enables Unauthorized Access

Researchers from Bishop Fox have successfully exploited CVE-2024-53704, an authentication bypass vulnerability that affects SonicWall...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Cisco AnyConnect VPN Server Vulnerability Allows Attackers to Trigger DoS

Cisco has disclosed a significant vulnerability in its AnyConnect VPN Server for Meraki MX and Z...

New Trinda Malware Targets Android Devices by Replacing Phone Numbers During Calls

Kaspersky Lab has uncovered a new version of the Triada Trojan, a sophisticated malware...

DarkCloud Stealer Uses Weaponized .TAR Archives to Target Organizations and Steal Passwords

A recent cyberattack campaign leveraging the DarkCloud stealer has been identified, targeting Spanish companies...