Man
Professional
An invisible threat has been lurking in the memory of South Asian telecom networks for years.
In 2021, Kaspersky Lab specialists began investigating a large-scale attack on the telecommunications industry in South Asia, which led to the discovery of a malicious QSC framework. This framework is a feature-rich, modular platform where each component performs separate tasks and is stored exclusively in RAM, making it difficult to detect.
QSC framework structure and its modules
The basis of QSC is a loader module that runs as a service DLL and contains references to internal development directories that point to the CloudComputating group. The loader decompresses the code it carries, injects it into memory, and activates the central Core module that controls the framework.
The Core and Network modules provide the communication with the C2 servers. The Core module passes compressed code and configuration parameters to the Network module, which then establishes an encrypted TLS connection to the management servers. The configuration can include proxy settings, credentials, and communication schedules, which lets the attackers adapt to the target's network architecture.
The command shell and file manager modules provide access to the file system and allow commands to be executed on the victim's system. The file manager supports commands that let the attackers list directory contents, transfer files, change file attributes, and manipulate timestamps. The shell runs commands through processes such as cmd.exe, giving the attackers remote control of the target system.
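A loader that runs as a service DLL and hands operator commands to cmd.exe leaves a process lineage that endpoint telemetry can see even when the modules themselves never touch disk. The following hunting heuristic is an added example, not Kaspersky's code and not part of QSC: it scores Sysmon-style process-creation events and flags an svchost.exe service host that directly spawns a shell, skipping services that are expected to do so. The events, hosts, PIDs and the service allowlist are constructed for the demonstration.

```python
"""Hunting heuristic: a service host spawning a command shell.

Added example (not Kaspersky's code and not part of QSC). It scores
process-creation events in a Sysmon-like shape; the sample events below
are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str            # full path of the newly created process
    cmdline: str
    parent_image: str     # full path of the parent process
    parent_cmdline: str


# Interactive shells an in-memory loader might use to run operator commands.
SHELLS = {"cmd.exe", "powershell.exe"}

# Hosted services that legitimately spawn shells (Task Scheduler runs user
# jobs). Hypothetical allowlist; tune it to the environment.
EXPECTED_SHELL_SERVICES = {"schedule"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_name(cmdline: str):
    """Return the '-s <name>' value of an svchost command line, if present."""
    parts = cmdline.lower().split()
    for i, part in enumerate(parts[:-1]):
        if part == "-s":
            return parts[i + 1]
    return None


def is_service_hosted_shell(ev: ProcEvent) -> bool:
    """True when svchost.exe running a service group (-k) directly spawns a
    shell and the hosted service is not one that legitimately does so.
    Hits are leads to triage, not verdicts: admin tooling and scheduled jobs
    produce the same lineage."""
    if basename(ev.image) not in SHELLS:
        return False
    if basename(ev.parent_image) != "svchost.exe":
        return False
    if "-k" not in ev.parent_cmdline.lower().split():
        return False
    return service_name(ev.parent_cmdline) not in EXPECTED_SHELL_SERVICES


def find_suspicious(events):
    """Filter a batch of events down to the ones worth an analyst's time."""
    return [ev for ev in events if is_service_hosted_shell(ev)]


# Constructed sample telemetry (hypothetical hosts, PIDs, paths and service names).
SAMPLE_EVENTS = [
    ProcEvent(4120, r"C:\Windows\System32\cmd.exe", "cmd.exe /c backup.bat",
              r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p -s Schedule"),           # scheduled task
    ProcEvent(5208, r"C:\Windows\System32\cmd.exe", "cmd.exe",
              r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs -p -s ExampleSvc"),         # unexpected: review
    ProcEvent(6011, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe", "explorer.exe"),         # benign
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"review pid {ev.pid}: {ev.image} spawned by '{ev.parent_cmdline}'")
```

Because an in-memory framework leaves nothing on disk to hash, lineage rules like this one, combined with a record of which service DLLs each svchost instance loaded, are often the only endpoint-side signal; expect to maintain the allowlist as administrative tooling changes.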
Link to the CloudComputating group
Kaspersky Lab experts have established that the detected QSC framework may be associated with the activities of the CloudComputating hacker group, also known as BackdoorDiplomacy and Faking Dragon. This group has already carried out attacks on strategically important industries in different countries, and the latest detected activities indicate its interest in the telecommunications sector.
Experts noted the unique IP addresses and internal proxy servers the attackers used to control the infected systems, which indicates a deep understanding of the attacked organization's network. The proxy servers let the attackers hide their C&C servers and make it difficult to identify the source of the attacks.
Additional backdoors and advanced QSC capabilities
In October 2023, Kaspersky Lab recorded the introduction of a new GoClient backdoor, developed in the Go language and using RC4 encryption to mask data. Unlike QSC, GoClient is designed to collect system data such as IP addresses, hostnames, and hardware information. This data is collected in JSON format, encrypted, and transmitted to a command and control server, allowing attackers to maintain a covert presence on the network.
The study showed that GoClient, like the previously discovered Quarian (Turian) backdoor, is used for long-term control over the victim's networks. This backdoor was downloaded via QSC and helped the attackers execute commands on the infected devices, such as transferring files, taking screenshots, and modifying the file structure. It is likely that CloudComputating aims to ensure a long-term presence on victims' networks by using QSC as the main management tool and GoClient for supporting tasks.
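GoClient is described above as collecting a system profile as JSON, wrapping it in RC4, and sending it to the C2 server. From the analyst's side that combination is convenient: RC4 is symmetric and carries no integrity check, so once the key is recovered from a sample, every captured beacon can be decoded and the profile fields extracted. The decoder below is an added example, not Kaspersky's code and not the malware's; the key, the field names and the captured blob are all constructed here rather than taken from a real sample.

```python
"""Analyst-side decoder for an RC4-wrapped JSON beacon of the kind GoClient
is described as sending. Added example, not Kaspersky's or the malware's
code: the key, the field names and the captured blob are constructed for
the demonstration, not recovered from a real sample.
"""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR. Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(blob: bytes, key: bytes):
    """Decrypt a captured blob and parse it as JSON. Returns None when the
    result is not UTF-8 JSON, which is the usual sign of a wrong key."""
    try:
        return json.loads(rc4(key, blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed: a key and a system-profile document standing in for what a
# beacon might carry. CAPTURED_BLOB is produced here, not taken from traffic.
EXAMPLE_KEY = b"example-key-not-real"
SYSTEM_PROFILE = {
    "hostname": "WS-EXAMPLE-01",
    "ip": "10.0.5.17",
    "os": "Windows 10",
    "cpu": "example-cpu",
}
CAPTURED_BLOB = rc4(EXAMPLE_KEY, json.dumps(SYSTEM_PROFILE, sort_keys=True).encode())

if __name__ == "__main__":
    print(decode_beacon(CAPTURED_BLOB, EXAMPLE_KEY))   # the profile dict
    print(decode_beacon(CAPTURED_BLOB, b"wrong-key"))  # None
```

The wrong-key path matters in practice: a sample often embeds several strings that look like keys, and "does it parse as JSON" is a cheap oracle for picking the right one. The decoded profile also tells the defender exactly which host attributes the implant reports, which is the basis for deciding what a network signature can key on.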
QSC functions and vulnerability exploitation methods
QSC demonstrates a high level of technological competence of the creators, allowing them to flexibly manage attacks through centralized C2 servers and adapt command parameters depending on the structure of the victim's network. According to Kaspersky Lab, QSC supports the following commands:
- transfer of information about the system, such as computer name and OS version;
- execution of commands through a remote shell;
- sending activity signals to maintain communication with the server;
- managing files on the victim's device, including deleting and moving them and modifying their attributes.
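The "activity signals" in the list above, together with the communication schedules carried in the configuration, mean the implant talks to its C2 on a timer, and a timer is something network traffic analysis can find even when the payload is TLS-encrypted and the destination is hidden behind an internal proxy. The script below is an added example, not Kaspersky's code: it groups proxy-log connections by source and destination and flags pairs whose inter-connection gaps are nearly constant. The log format, the hosts and the addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Beaconing heuristic over proxy logs: flags source/destination pairs whose
connection intervals are nearly constant. Added example, not Kaspersky's
code; the log lines and addresses (RFC 5737 ranges) are constructed.
Assumed line shape: '<date> <time> <src_ip> -> <dst_host> <bytes>'.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) -> (?P<dst>\S+) (?P<bytes>\d+)$"
)


def parse_proxy_log(lines):
    """Group connection timestamps by (src, dst); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        flows[(m["src"], m["dst"])].append(ts)
    return flows


def interval_stats(timestamps, min_events=6):
    """Mean gap and coefficient of variation (std/mean) of the gaps.
    A CV near 0 means clockwork timing; human browsing is bursty (CV >> 1).
    Returns None when there are too few events to judge."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return {"events": len(ts), "interval_s": mu, "cv": pstdev(gaps) / mu}


def find_beacons(lines, max_cv=0.15, min_events=6):
    """Return {(src, dst): stats} for pairs whose timing looks scheduled."""
    hits = {}
    for pair, stamps in parse_proxy_log(lines).items():
        stats = interval_stats(stamps, min_events)
        if stats and stats["cv"] <= max_cv:
            hits[pair] = stats
    return hits


# Constructed proxy log: one host checking in every ~5 minutes with slight
# jitter, one host browsing in bursts, one pair too sparse to judge, and a
# malformed line that the parser must ignore.
SAMPLE_LOG = [
    "2024-03-01 08:00:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:00:00 10.0.5.40 -> 198.51.100.7 5120",
    "2024-03-01 08:00:05 proxy restarted",
    "2024-03-01 08:00:12 10.0.5.40 -> 198.51.100.7 18233",
    "2024-03-01 08:05:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:05:52 10.0.5.40 -> 198.51.100.7 901",
    "2024-03-01 08:05:57 10.0.5.40 -> 198.51.100.7 77012",
    "2024-03-01 08:07:27 10.0.5.40 -> 198.51.100.7 3300",
    "2024-03-01 08:09:57 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:15:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:20:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:25:01 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:27:27 10.0.5.40 -> 198.51.100.7 2048",
    "2024-03-01 08:27:30 10.0.5.40 -> 198.51.100.7 640",
    "2024-03-01 08:30:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:30:00 10.0.5.40 -> 198.51.100.9 1200",
    "2024-03-01 08:35:00 10.0.5.17 -> 203.0.113.25 412",
    "2024-03-01 08:40:00 10.0.5.40 -> 198.51.100.9 1200",
]

if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['events']} connections, "
              f"every {s['interval_s']:.0f}s, cv={s['cv']:.3f}")
```

Software update checks, NTP and monitoring agents beacon just as regularly, so this output is a candidate list to join against destination reputation and an allowlist, not an alert on its own. Implants that add random jitter widen the CV, so the threshold is a tuning knob; constant request sizes, as in the constructed sample, are a second feature worth scoring alongside timing.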
An important feature is the ability of the File Manager module to interact with the file system, which allows attackers to obtain complete lists of folders and files, as well as information about timestamps and other attributes. This makes it possible to study and use the victim's network infrastructure to further spread the attack.
Threat and Attack Prospects
The QSC framework, being an adaptive threat, highlights the growing sophistication of cyberattacks, especially against telecommunications companies, which are increasingly exposed to attacks of this kind. The modular architecture of QSC and its hidden operation in system memory allow attackers to remain undetected for a long time, which is especially dangerous for telecommunications companies, where attackers can gain access to a large amount of data and to control systems.
Experts believe that the proliferation of the QSC framework and the active use of backdoors such as Quarian and GoClient point to a new strategy of the CloudComputating group, one focused on a long-term and covert presence in victims' networks. The use of proxy servers and secure channels makes the attacks difficult to detect, and the tactics used indicate the high skill of the attackers and their strategic approach.
Conclusions and recommendations
Kaspersky Lab recommends that telecommunications companies strengthen their network security with the features of the QSC framework in mind. Important measures are activity monitoring, network traffic analysis and regular updates of security software, as well as training employees in the basics of cybersecurity.
Threats built on advanced frameworks such as QSC require organizations to be prepared to respond to incidents and to maintain a comprehensive cybersecurity strategy aimed at minimizing risk and preventing data breaches.
Source