QSC: A multi-plugin framework used by CloudComputating group in cyberespionage campaigns

Introduction

In 2021, we began to investigate an attack on the telecom industry in South Asia. During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory. The framework includes a Loader, a Core module, a Network module, a Command Shell module and a File Manager module. It is dropped either as a standalone executable or as a payload file along with a loader DLL. In this post, we describe each component of the framework as well as its recent activity including a deployment scenario, an additional backdoor, post-compromise activity and a link to the CloudComputating group.

QSC framework components

The Loader

The Loader implant is a service DLL with the internal name

loader.dll. It contains the string “E:project estqtinmoduleloaderx64
eleaseloader.pdb” as its PDB path. The Loader is configured to either read code from <systemdir>driversmsnet or read 0x100 (256) bytes from n_600s.sys, located in the same directory as the module, to get the file path containing code. If it reads the file path from n_600s.sys, it deletes the file afterwards. The Loader then reads and decompresses code from the provided file path. It reflectively injects the decompressed code into memory and calls the exported method plugin_working. The code injected by the Loader is the Core module, which is described below.

The Core and Network modules

The Core module has an internal name,

qscmdll.dll, and exports only one method, named plugin_working. It contains the string “E:project estqtinmoduleqscmdllx64
eleaseqscmdll.pdb” as its PDB path. The Loader module passes the file path that contains the compressed Network module code as one of the parameters to the Core mod ..

Support the originator by clicking the read the rest link below.