Thursday, January 23, 2025
HomeBackdoorQSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

Published on

SIEM as a Service

Follow Us on Google News

The QSC Loader service DLL named “loader.dll” leverages two distinct methods to obtain the path to the Core module code.

It either extracts the path from the system directory “drivers\msnet” or reads and deletes a 256-byte path string from the file “n_600s.sys” within its own directory. 

Subsequently, the Loader reads and decompresses the code from the specified path. Through reflective loading, it injects this decompressed code into memory and executes the exported function “plugin_working” within the injected Core module.

The Core module dynamically loads and injects the Network module, responsible for C2 communication using MbedTLS and leverages configuration data, including potentially sensitive internal/proxy IP addresses, to establish connections. 

Specifically, it communicates with the File Manager module, which is responsible for providing functionalities such as browsing the file system, reading, writing, deleting, and moving files. 

Both modules operate within the context of the Core module, which manages their loading, initialization, and execution, including handling C2 commands for data exfiltration and module updates. 

The QSC framework, discovered in 2021, was recently observed deployed by the CloudComputating threat actor targeting an ISP in West Asia that leveraged pre-existing access established through the Turian backdoor since 2022. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

It employs a Command Shell module (qscShell.dll) that interacts with a spawned cmd.exe process via pipes and processes commands, including file manipulation (.put, .get) and timestamp changes (.ctm), and executes them within the shell environment. 

The attackers also deployed a new Golang-based backdoor, GoClient, alongside the QSC framework, starting on October 17, 2023.

They used the Quarian backdoor to deploy the QSC framework and the GoClient backdoor, where the QSC framework was used to create services to launch the QSC framework loader DLLs. 

While the GoClient backdoor was used to execute commands including collecting system information, disabling UAC remote restrictions, and compressing harvested data. 

The attacker also used the QSC framework to discover domain controllers and other machines on the network.

After gaining access to the domain controller, the attacker used a tool called we.exe to perform pass-the-hash attacks to remotely execute commands and enumerate users. 

Threat Attribution Engine analysis
Threat Attribution Engine analysis

Then they used WMIC to execute commands on the domain controller to obtain network configuration, create a shadow copy of the C: drive, steal the NTDS database, and store the collected information on the domain controller.  

According to the Secure List, a lateral movement within the victim network was accomplished by the CloudComputing group through the utilization of the QSC framework. 

Attackers utilized WMIC with stolen domain admin credentials to execute QSC framework components on multiple machines and communicated with a C2 server through internal pivot machines. 

The group employed a custom tool, “pf.exe,” to forward traffic between internal and external C2 servers.

The presence of the Quarian backdoor, known to be used by CloudComputating, along with specific tools like TailorScan and StowProxy, further strengthens the attribution to this group.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...