MalwareUsed by 3 actors

QSC

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BackdoorDiplomacy

During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory.

via securelistsecurelist.com

CloudComputating

During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory.

via securelistsecurelist.com

Faking Dragon

During the investigation, we discovered QSC: a multi-plugin malware framework that loads and runs plugins (modules) in memory.

via securelistsecurelist.com

MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques

T1059.003Windows Command ShellEvidence1

The Command Shell module launches % windir % \ system32 \ cmd . exe as a shell using the CreateProcess API, and data is written to and read from the shell using pipes.

T1569.002Service ExecutionEvidence1

net stop swprv ... sc config swprv start = auto ... net start swprv

T1574.011Services Registry Permissions WeaknessEvidence1

reg add HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ swprv \ Parameters / v ServiceDll / t REG_EXPAND_SZ / d c : \ windows \ system32 \ swprr . dll / f

Stealth

3 techniques

T1070.004File DeletionEvidence1

dc191340 Close the connection, delete its own module file and terminate its own process.

T1574.011Services Registry Permissions WeaknessEvidence1

reg add HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ swprv \ Parameters / v ServiceDll / t REG_EXPAND_SZ / d c : \ windows \ system32 \ swprr . dll / f

T1620Reflective Code LoadingEvidence1

The Loader then reads and decompresses code from the provided file path. It reflectively injects the decompressed code into memory and calls the exported method plugin_working.

Credential Access

1 technique

T1003.003NTDSEvidence1

wmic / node : < domain_controller_ip > / user : < user_name > / password : < user_password > process call create "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\NTDS\NTDS.dit $user\downloads"

Discovery

5 techniques

T1016System Network Configuration DiscoveryEvidence1

systeminfo ipconfig / all netstat - ano - p tcp

T1046Network Service DiscoveryEvidence1

ping 172.19.19.1 - n 1 ping 172.19.19.2 - n 1 tracert 172.19.19.2 netstat - ano ping - a 172.17.104.102 - n 1

T1082System Information DiscoveryEvidence1

Send target information (e.g. computer name, user name, OS version, etc.)

T1083File and Directory DiscoveryEvidence1

0x0A20010 If the sub-command is < root > , then get the logical drive letters and types in the system. Otherwise, send a list of files and folders at a specified path.

T1087.002Domain AccountEvidence1

The domain controller was queried to view the list of users within the groups “domain controllers” and “domain computers” ... Next, the actor tried to list the users under the group “domain admins”

Lateral Movement

2 techniques

T1021.003Distributed Component Object ModelEvidence1

By using WMIC and the stolen domain admin credentials, the attackers were able to execute the QSC framework on other machines within the affected network.

T1550.002Pass the HashEvidence1

we . exe - hashes aad3b435b51404eeaad3b435b51404ee : 621a23dd771b1eb39c954cd6828aee6c < user_name > @ < domain_controller_ip > "whoami"

Collection

1 technique

T1005Data from Local SystemEvidence1

0x0A20012 Read the file and send it to the C2.

Command and Control

2 techniques

T1090ProxyEvidence1

the C2 in the configuration data contained an internal/proxy IP address, which suggested that the attackers were already aware of the target network topology.

T1105Ingress Tool TransferEvidence1

In addition to the QSC framework, the attackers also deployed a new backdoor written in Golang, which we have named “GoClient”.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

securelistNews

May 13, 2021

QSC: new modular framework in CloudComputating campaigns | Securelist

A modular in-memory malware framework composed of Loader, Core, Network, Command Shell, and File Manager modules. It supports C2 communications over TLS, command execution via cmd.exe, file browsing and transfer, heartbeat signaling, and updating code paths for persistence and continued access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution3

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping16

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.