
Multi-Plugin Malware Framework Installs a Backdoor on Windows


The QSC Loader service DLL known as “loader.dll” has been discovered to employ two different methods to acquire the path to the Core module code. It either retrieves the path from the system directory “drivers\msnet” or reads and deletes a 256-byte path string from the file “n_600s.sys” within its own directory. Following this process, the Loader proceeds to read and decompress the code from the specified path. Utilizing reflective loading, it then injects this decompressed code into memory and executes the exported function “plugin_working” within the injected Core module.

The Core module dynamically loads and injects the Network module, which handles C2 communication over MbedTLS and uses embedded configuration data, potentially containing sensitive internal/proxy IP addresses, to establish its connections. The Network module also communicates with the File Manager module, which offers file-system browsing as well as reading, writing, deleting, and moving files. Both modules run in the context of the Core module, which manages their loading, initialization, and execution, including handling the C2 commands for data exfiltration and module updates.
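The loader behaviour above leaves two host artifacts a defender can look for without running anything: a DLL that exports `plugin_working`, and the path-holder file `n_600s.sys` sitting beside the loader. The following Python is an added example, not code from the article or from the researchers it cites. It parses the PE export table itself (no third-party library) and scores a module on those two indicators; `build_sample_dll` is a test fixture that constructs a minimal PE32+ image so the parser can be exercised offline, and the function names and scoring are assumptions of this example.

```python
import struct

SUSPICIOUS_EXPORT = "plugin_working"  # export the QSC loader calls in the injected Core module
COMPANION_FILE = "n_600s.sys"         # path-holder file the loader reads from its own directory


def build_sample_dll(export_names):
    """Construct a minimal PE32+ image holding only an export table.

    Test fixture for this example (not a real DLL): one section at RVA 0x1000
    backed by file offset 0x200, with the export directory at its start."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(export_names)
    funcs_off, names_off = 40, 40 + 4 * n            # arrays follow the 40-byte directory
    ords_off, str_off = 40 + 8 * n, 40 + 10 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += name.encode() + b"\0"
    dll_name_rva = sec_rva + str_off + len(strings)
    strings += b"sample.dll\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                             sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off)
    section = export_dir
    section += b"".join(struct.pack("<I", 0x2000 + i) for i in range(n))  # dummy function RVAs
    section += b"".join(struct.pack("<I", r) for r in name_rvas)          # AddressOfNames
    section += b"".join(struct.pack("<H", i) for i in range(n))           # AddressOfNameOrdinals
    section = (section + strings).ljust(0x200, b"\0")

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)        # x64, 1 section, DLL
    opt = bytearray(240)                                                  # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, str_off + len(strings))    # export data directory
    sect = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_rva, len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sec_raw, b"\0")
    return headers + section


def _rva_to_offset(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def export_names(data):
    """Return the names in a PE file's export table ([] if it has none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)       # data directories: PE32+ vs PE32
    if struct.unpack_from("<I", data, dd - 4)[0] < 1:
        return []
    exp_rva = struct.unpack_from("<I", data, dd)[0]
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, exp_rva)
    n_names, _funcs_rva, names_rva = struct.unpack_from("<III", data, exp + 24)
    names_off = _rva_to_offset(sections, names_rva)
    result = []
    for i in range(min(n_names, 4096)):              # cap guards against a hostile count
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        start = _rva_to_offset(sections, name_rva)
        end = data.index(b"\0", start, start + 256)
        result.append(data[start:end].decode("ascii", "replace"))
    return result


def assess_module(data, sibling_files=()):
    """Reasons to look closer at a DLL: the loader's export name, or its path-holder file beside it."""
    try:
        names = export_names(data)
    except ValueError as exc:
        return [f"unparsable PE: {exc}"]
    reasons = []
    if SUSPICIOUS_EXPORT in names:
        reasons.append(f"exports {SUSPICIOUS_EXPORT}")
    if any(f.lower() == COMPANION_FILE for f in sibling_files):
        reasons.append(f"{COMPANION_FILE} present in the same directory")
    return reasons
```

In a real sweep you would feed `assess_module` the bytes of each service DLL together with `os.listdir` of its directory; an export name is a stronger signal than a file name, but both are cheap to change, so treat a hit as a reason to pull the file for analysis rather than as a verdict.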

The QSC framework, uncovered in 2021, was recently witnessed in action when deployed by the CloudComputating threat actor to target an ISP in West Asia. This attack leveraged pre-existing access gained through the Turian backdoor established since 2022. The attackers utilized a Command Shell module (qscShell.dll) to interact with a spawned cmd.exe process via pipes, executing commands like file manipulation, timestamp changes, and more within the shell environment. Additionally, they introduced a new Golang-based backdoor, GoClient, alongside the QSC framework on October 17, 2023.

The deployment of the Quarian backdoor enabled the attackers to set up services to launch the QSC framework loader DLLs, while the GoClient backdoor was used to execute commands such as collecting system information, disabling UAC remote restrictions, and compressing harvested data. The attackers also leveraged the QSC framework to identify domain controllers and other machines on the network. Subsequently, they utilized a tool called we.exe to carry out pass-the-hash attacks, remotely executing commands and enumerating users after gaining access to the domain controller.

Further actions by the attackers included using WMIC to execute commands on the domain controller, obtaining network configuration data, creating a shadow copy of the C: drive, stealing the NTDS database, and storing the collected information on the domain controller. According to Securelist, the CloudComputating group achieved lateral movement within the victim network by utilizing the QSC framework. They employed WMIC with stolen domain admin credentials to execute QSC framework components on multiple machines, communicating with a C2 server through internal pivot machines. The attackers also utilized a custom tool, “pf.exe,” for forwarding traffic between internal and external C2 servers.
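The chain described in the last two paragraphs (remote WMIC against the domain controller, a shadow copy of C:, access to the NTDS database, a forwarding tool on a pivot host) is one a defender can watch for in process-creation telemetry. The following Python is an added example, not code from the article or from the researchers it cites. The pipe-delimited log format, the sample events, the rule names and the one-hour correlation window are assumptions of this example; the tool-name rule is deliberately weak on its own because file names are trivial to change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp|host|user|image path|command line).
# Illustrative data for this example, not telemetry from the incident described above.
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01Z|WS07|CORP\\j.doe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs -p",
    "2024-05-01T08:03:12Z|WS07|CORP\\svc_ops|C:\\Windows\\System32\\wbem\\WMIC.exe|"
    "wmic /node:DC01 process call create \"cmd.exe /c ipconfig /all\"",
    "2024-05-01T08:04:40Z|DC01|CORP\\svc_ops|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:",
    "2024-05-01T08:05:02Z|DC01|CORP\\svc_ops|C:\\Windows\\System32\\cmd.exe|"
    "cmd.exe /c copy <shadow-copy-path>\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\n.dat",
    "2024-05-01T08:09:30Z|WS07|CORP\\svc_ops|C:\\Users\\Public\\pf.exe|pf.exe <forwarding-args>",
    "2024-05-01T10:00:00Z|WS12|CORP\\backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:",
]

TOOL_IMAGES = {"we.exe", "pf.exe"}     # tool names from the report; a weak, easily changed signal
TOOL_MODULES = {"qscshell.dll"}

# (rule name, predicate over a parsed event); each rule maps to one stage of the reported chain
RULES = [
    ("remote_wmic",   lambda e: e["image"] == "wmic.exe" and "/node:" in e["cmdline"].lower()),
    ("shadow_copy",   lambda e: (e["image"] == "vssadmin.exe" and "create shadow" in e["cmdline"].lower())
                             or (e["image"] == "wmic.exe" and "shadowcopy call create" in e["cmdline"].lower())),
    ("ntds_access",   lambda e: "ntds.dit" in e["cmdline"].lower()),
    ("msnet_service", lambda e: "drivers\\msnet" in e["path"].lower()
                             or "drivers\\msnet" in e["cmdline"].lower()),
    ("named_tool",    lambda e: e["image"] in TOOL_IMAGES
                             or any(m in e["cmdline"].lower() for m in TOOL_MODULES)),
]


def parse_event(line):
    """Split one constructed log line into a dict; image is the lower-cased basename of the path."""
    ts, host, user, path, cmdline = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host.upper(),
            "user": user, "path": path, "image": path.rsplit("\\", 1)[-1].lower(),
            "cmdline": cmdline}


def analyze(lines, window=timedelta(hours=1)):
    """Per host: the rules that fired and a severity that rises when distinct stages co-occur within `window`."""
    hits = defaultdict(list)                          # host -> [(timestamp, rule name)]
    for line in lines:
        event = parse_event(line)
        for name, predicate in RULES:
            if predicate(event):
                hits[event["host"]].append((event["ts"], name))
    report = {}
    for host, events in hits.items():
        events.sort()
        best = 1
        for i, (t0, _) in enumerate(events):        # most distinct stages inside any window
            distinct = {rule for ts, rule in events[i:] if ts - t0 <= window}
            best = max(best, len(distinct))
        report[host] = {"rules": sorted({rule for _, rule in events}),
                        "severity": "high" if best >= 2 else "medium"}
    return report


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding["severity"], ", ".join(finding["rules"]))
```

Severity only rises when two distinct stages land on the same host inside the window, so the lone `vssadmin` run by a backup account on WS12 stays at medium, which is the tuning a production rule needs to avoid paging on routine backups. Because the report says the WMIC calls originated from pivot machines, correlating by the initiating account across hosts (here `svc_ops` spans WS07 and DC01) is the natural next step.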

The presence of the Quarian backdoor, alongside specific tools like TailorScan and StowProxy, further solidifies the attribution to the CloudComputating group. The group’s sophisticated tactics and tools highlight the need for enhanced cybersecurity measures to defend against such malicious activities.
