Malware

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named “loader.dll” leverages two distinct methods to obtain the path to the Core module code.

It either extracts the path from the system directory “drivers\msnet” or reads and deletes a 256-byte path string from the file “n_600s.sys” within its own directory. 

Subsequently, the Loader reads and decompresses the code from the specified path. Through reflective loading, it injects this decompressed code into memory and executes the exported function “plugin_working” within the injected Core module.

The Core module dynamically loads and injects the Network module, responsible for C2 communication using MbedTLS and leverages configuration data, including potentially sensitive internal/proxy IP addresses, to establish connections. 

Specifically, it communicates with the File Manager module, which is responsible for providing functionalities such as browsing the file system, reading, writing, deleting, and moving files. 

Both modules operate within the context of the Core module, which manages their loading, initialization, and execution, including handling C2 commands for data exfiltration and module updates. 

The QSC framework, discovered in 2021, was recently observed deployed by the CloudComputating threat actor targeting an ISP in West Asia that leveraged pre-existing access established through the Turian backdoor since 2022. 

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

It employs a Command Shell module (qscShell.dll) that interacts with a spawned cmd.exe process via pipes and processes commands, including file manipulation (.put, .get) and timestamp changes (.ctm), and executes them within the shell environment. 

The attackers also deployed a new Golang-based backdoor, GoClient, alongside the QSC framework, starting on October 17, 2023.

They used the Quarian backdoor to deploy the QSC framework and the GoClient backdoor, where the QSC framework was used to create services to launch the QSC framework loader DLLs. 

While the GoClient backdoor was used to execute commands including collecting system information, disabling UAC remote restrictions, and compressing harvested data. 

The attacker also used the QSC framework to discover domain controllers and other machines on the network.

After gaining access to the domain controller, the attacker used a tool called we.exe to perform pass-the-hash attacks to remotely execute commands and enumerate users. 

Threat Attribution Engine analysis

Then they used WMIC to execute commands on the domain controller to obtain network configuration, create a shadow copy of the C: drive, steal the NTDS database, and store the collected information on the domain controller.  

According to the Secure List, a lateral movement within the victim network was accomplished by the CloudComputing group through the utilization of the QSC framework. 

Attackers utilized WMIC with stolen domain admin credentials to execute QSC framework components on multiple machines and communicated with a C2 server through internal pivot machines. 

The group employed a custom tool, “pf.exe,” to forward traffic between internal and external C2 servers.

The presence of the Quarian backdoor, known to be used by CloudComputating, along with specific tools like TailorScan and StowProxy, further strengthens the attribution to this group.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploit Critical NodeJS Vulnerabilities to Hijack Jenkins Agents for RCE

Security researchers have identified critical vulnerabilities in the Node.js CI/CD infrastructure, exposing internal Jenkins agents…

10 minutes ago

New MCP-Based Attack Techniques and Their Application in Building Advanced Security Tools

MCP, developed by Anthropic, allows Large Language Models (LLMs) to interface seamlessly with external tools,…

30 minutes ago

Cyberattack Targets Iconic UK Retailer Harrods

Luxury department store Harrods has become the latest UK retailer to face a cyberattack, joining…

60 minutes ago

Nebulous Mantis hackers have Deployed the RomCom RAT globally, Targeting organizations.

Nebulous Mantis, also known as Cuba, STORM-0978, Tropical Scorpius, and UNC2596, is a Russian-speaking cyber…

1 hour ago

Why CISOs Are Adopting DevSecOps for Secure Software Development

CISOs adopting DevSecOps strategically enhance security measures while ensuring fast-paced software development, responding to the…

1 hour ago

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series of…

11 hours ago