QSC Introduces Innovative Modular Framework for Cloud Computing Campaigns

The investigation traced a multi-plugin malware framework called QSC—composed of a Loader, Core, Network, Command Shell, and File Manager—that loads most of its components into memory and is deployed via service DLLs and batch scripts. Recent 2023 activity shows QSC deployed alongside a Golang backdoor named GoClient and earlier Quarian (Turian) implants, attributed to the CloudComputating group targeting the telecommunications sector. #QSC #GoClient #Quarian #CloudComputating #Telecommunications

Keypoints

  • QSC is a modular, multi-plugin framework discovered during a 2021 telecom-sector investigation.
  • The framework’s components include a Loader (service DLL), an in-memory Core, a Network module (TLS via MbedTLS), a Command Shell module, and a File Manager module.
  • The Loader reflectively injects the decompressed Core/Network modules into memory and calls an exported plugin entry (plugin_working).
  • Deployment in 2023 used the Quarian (Turian) backdoor to copy files, create services, and execute batch scripts that register Loader DLLs as service DLLs.
  • A GoClient Golang backdoor was deployed alongside QSC in October 2023; GoClient performs a base64/RC4 challenge handshake and executes C2-issued commands.
  • Activity was linked to CloudComputating and included lateral movement via WMIC/Pass-the-Hash, port-forwarding pivot tools, and C2 chaining through internal proxy/pivot hosts.

MITRE Techniques

  • [T1071] Command and Control – QSC/GoClient communicate with C2 over TLS and configured C2 addresses; quote: ‘The Network module uses TLS implementation from the MbedTLS library.’
  • [T1003] Credential Dumping – Attackers executed numerous system and account enumeration commands to harvest credentials and system data; quote: ‘the attackers are primarily interested in collecting system information.’
  • [T1105] Ingress Tool Transfer / Remote File Copy – Quarian backdoor copied binaries and payloads onto targets to deploy QSC and support tools; quote: ‘Quarian backdoor was used to copy c:\windows\system32\cmd.exe to c:\windows\task.exe and launch the command shell.’
  • [T1055] Process Injection – The Loader reflectively injects decompressed module code into memory and executes it; quote: ‘reflectively injects the decompressed code into memory and calls the exported method “plugin_working”.’
  • [T1035] Service Execution – Adversaries created or modified Windows services to host and launch the loader DLLs for persistent execution; quote: ‘a service is created to launch the QSC framework loader DLL swprr.dll.’

Indicators of Compromise

  • [File hash] QSC / related payloads – e.g., d99d97bb78929023d77d080da1b10f42, 7a5a354b4ee40d694d7935f5061fbd06, and many other MD5 hashes (dozens listed).
  • [File hash] GoClient backdoor – e.g., 5eba7f8a9323c2d9ceac9a0f91fad02f, 9da4b88a6b80db85c102ce8c841f0a5c.
  • [File path] Drop / persistence paths – e.g., C:\ProgramData\USOShared\msvcen.exe (QSC), C:\ProgramData\USOShared\intop64.exe (GoClient), and other paths under C:\ProgramData and C:\Windows\L2Schemas.
  • [Domain] C2 / infrastructure – e.g., proxy.oracleapps[.]org (linked to Quarian), www.numupdate[.]com, and several other domains.
  • [IP address] C2 / pivot servers – e.g., 108.61.206[.]206, 40.113.110[.]67 (observed for C2/pivot forwarding).
  • [File name / service DLL] Loader/service artifacts – e.g., swprr.dll, rasautosvc.dll used as ServiceDll values to launch the QSC loader.

The technical deployment sequence began with an initial Quarian (Turian) backdoor foothold, which the operator used to copy and execute binaries and to run batch scripts that register malicious service DLLs. The Loader is a service DLL (e.g., swprr.dll / rasautosvc.dll) that obtains the path of the compressed Core module either from a helper file (n_600s.sys) or from a location under the system drivers directory, deletes the helper file if it was used, then reads and decompresses the code, reflectively injects the Core module into memory, and calls its exported entry plugin_working.
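The ServiceDll registration is the part of that chain a defender can hunt for directly. The following is an added example, not code from the Securelist report or from the QSC samples: a Python script that parses a `reg export` of the Services hive, decodes ServiceDll values in both their quoted-string and hex(2)/UTF-16LE forms, and flags any service whose DLL loads from outside System32/SysWOW64 or whose file name matches one of the loader names reported on this page. The service names in the embedded export, their pairing with the loader DLLs, and the expansion of %SystemRoot% to C:\Windows are constructed assumptions for illustration.

```python
import re
import ntpath

# Loader file names the report ties to QSC's ServiceDll persistence (from the page).
KNOWN_LOADER_NAMES = {"swprr.dll", "rasautosvc.dll"}

# Directories from which a legitimate ServiceDll is normally loaded.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Matches the Parameters subkey of a service and captures the service name.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$",
    re.IGNORECASE,
)
# ServiceDll either as a quoted REG_SZ string or as hex(2) (REG_EXPAND_SZ, UTF-16LE bytes).
VALUE_RE = re.compile(r'^"ServiceDll"=(?:"(.*)"|hex\(2\):([0-9a-fA-F,]*))$', re.IGNORECASE)

# Constructed sample: a fragment of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.
# The two benign entries and the service names hosting the loader DLLs are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprr\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,55,00,53,00,4f,00,53,00,68,00,61,00,72,00,65,00,\
  64,00,5c,00,73,00,77,00,70,00,72,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters]
"ServiceDll"="C:\\Windows\\L2Schemas\\rasautosvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"
"""


def _logical_lines(text):
    """Yield .reg lines with backslash-continued hex data joined into one line."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _decode_value(quoted, hexdata):
    """Turn either .reg representation into the actual ServiceDll path string."""
    if quoted is not None:
        return quoted.replace("\\\\", "\\")        # .reg escapes backslashes as \\
    raw = bytes.fromhex(hexdata.replace(",", ""))   # hex(2) is UTF-16LE with NUL terminator
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_service_dlls(reg_text):
    """Return {service_name: ServiceDll path} for every service in the export."""
    found, current = {}, None
    for line in _logical_lines(reg_text):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            found[current] = _decode_value(value.group(1), value.group(2))
    return found


def expand_systemroot(path):
    """Expand %SystemRoot% the way the service host would (C:\\Windows assumed here)."""
    return re.sub(r"%systemroot%", lambda _: r"C:\Windows", path, flags=re.IGNORECASE)


def assess(dll_path):
    """Return the reasons a ServiceDll entry looks suspicious; empty list means none."""
    path = expand_systemroot(dll_path).lower()
    name = ntpath.basename(path)
    reasons = []
    if not path.startswith(tuple(d + "\\" for d in TRUSTED_DIRS)):
        reasons.append("loaded from outside System32/SysWOW64: " + path)
    if name in KNOWN_LOADER_NAMES:
        reasons.append("file name matches a reported QSC loader: " + name)
    return reasons


def find_suspicious(reg_text):
    """Map each service whose ServiceDll trips a check to its list of reasons."""
    findings = {}
    for svc, dll in parse_service_dlls(reg_text).items():
        reasons = assess(dll)
        if reasons:
            findings[svc] = reasons
    return findings


if __name__ == "__main__":
    for svc, reasons in find_suspicious(SAMPLE_REG_EXPORT).items():
        print(f"[!] service {svc}")
        for reason in reasons:
            print("    -", reason)
```

Run it against a real export by replacing `SAMPLE_REG_EXPORT` with the file contents; the location check is the one that generalises, since the loader names on this page will not survive the next campaign, while a ServiceDll under C:\ProgramData or C:\Windows\L2Schemas is unusual regardless of its name.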

The Core module receives the path of a compressed Network module, decompresses and injects that module, then initializes it via setConfig, checkTarget, and getNetWork; the Network module implements TLS (MbedTLS) and takes the C2 configuration parameters (C2 IP, port, sleep time, internal/proxy IP, proxy credentials). The Core supports remote commands to enumerate host info (0x1E0001), load modules into memory (Command Shell 0x1E0002, File Manager 0x1E0003), update code paths (0x1E0007 writes 0x100 bytes to n_600s.sys), and send a heartbeat (0x1E0004, every 2 minutes). The Command Shell spawns cmd.exe and proxies its input/output via pipes, and supports custom commands (.put, .get, .ctm) that call the File Manager’s startTransmit/startBrowse functionality to read, write, and manipulate files.

Separately, the GoClient backdoor (Golang) implements a base64-encoded challenge handshake using a hardcoded key and receives a 16-byte RC4 key from C2; it sends encrypted system info and accepts base64/RC4-encrypted command lists for file operations, command execution (including spawning cmd.exe), screenshot capture, self-deletion, and file transfer. Operators escalated and moved laterally using WMIC and pass-the-hash tools (we.exe / wm.exe), executed port-forwarding/pivot binaries (pf.exe) on internal hosts to channel C2 traffic (examples: listen on 127.0.0.1:80/8080 and forward to 108.61.206[.]206:8080), and used WMIC to deploy the QSC loader or update.exe on remote machines for persistent, in-memory plugin execution.
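To make the GoClient traffic handling concrete, here is an added example, not code from the report or from GoClient itself, implementing the base64/RC4 layer an analyst needs to decode captured sessions once the 16-byte session key has been recovered from the handshake. The session key value, the handshake reply format (the raw key, base64-encoded), and the newline-separated command layout are assumptions; the page states only that the key is 16 bytes and that command lists are base64/RC4-encrypted.

```python
import base64
from typing import List

# Constructed 16-byte session key standing in for the key GoClient receives from its C2.
# The real key, the hardcoded handshake key and the exact wire layout are not on the page.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key_from_reply(reply_b64: str) -> bytes:
    """Extract the 16-byte RC4 key from the C2's handshake reply.

    Assumption: the reply is the raw key, base64-encoded. Anything of another length is
    rejected so that a truncated or mis-identified capture cannot yield a wrong key.
    """
    key = base64.b64decode(reply_b64, validate=True)
    if len(key) != 16:
        raise ValueError(f"expected a 16-byte key, got {len(key)} bytes")
    return key


def decode_commands(key: bytes, message_b64: str) -> List[str]:
    """Decode one C2 message: base64 -> RC4 -> UTF-8 -> newline-separated commands.

    The newline-separated layout is an assumption; the page only says the backdoor
    accepts base64/RC4-encrypted command lists.
    """
    plaintext = rc4(key, base64.b64decode(message_b64, validate=True))
    return [line for line in plaintext.decode("utf-8", errors="replace").split("\n") if line]


def encode_commands(key: bytes, commands: List[str]) -> str:
    """Inverse of decode_commands; used only to build fixtures for validating the decoder."""
    return base64.b64encode(rc4(key, "\n".join(commands).encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    # Constructed traffic: a handshake reply carrying the session key, then one command list.
    reply = base64.b64encode(SESSION_KEY).decode("ascii")
    key = session_key_from_reply(reply)
    captured = encode_commands(key, ["screenshot", "getfile C:\\Users\\Public\\notes.txt"])
    print("session key:", key.hex())
    print("commands   :", decode_commands(key, captured))
```

Because RC4 is a stream cipher with no integrity check, a wrong key produces garbage rather than an error; in practice, confirm the key by checking that the decoded system-information message the client sends first is readable before trusting decoded command lists.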

Read more: https://securelist.com/cloudcomputating-qsc-framework/114438/