QSC Malware Framework: New Tool in CloudComputating Group’s Cyberespionage Arsenal
Kaspersky has described a previously undocumented malware framework, QSC, which it attributes to the CloudComputating group (also tracked as BackdoorDiplomacy). The framework is built with a modular, plugin-based architecture that lets operators adapt it to each compromised network, and it has been observed mainly in the telecommunications sector across South and West Asia.
QSC comprises several components: a Loader, a Core module, a Network module, a Command Shell, and a File Manager. Only the modules needed for a given task are loaded, and they run in memory, so the framework leaves few traces on disk. Kaspersky's report notes that the Core module, qscmdll.dll, works together with the Network module, which uses "the MbedTLS library for encrypted communication." TLS-wrapped traffic blends in with legitimate encrypted sessions and adds resilience to the framework's command-and-control (C2) operations.
Kaspersky's investigation tracked QSC deployments within telecom networks back to the Quarian backdoor (also known as Turian), which provided the initial foothold from which the QSC framework was loaded. In October 2023, the toolset expanded with the addition of the GoClient backdoor, a newer implant written in Go. The report explains, "The GoClient backdoor file communicates with the C2… sending system data in JSON format after encryption with an RC4 key." RC4 hides the beacon contents from casual inspection but provides no integrity protection, and where the key can be recovered from the sample, captured traffic can be decrypted offline.
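To make the reported GoClient beacon format concrete, the following is an added example (not code from the Kaspersky report or from the malware itself). It implements RC4 from scratch, serialises a constructed host-information dictionary as JSON, encrypts it, and then shows the analyst side: decrypting a captured blob with a recovered key and checking whether a candidate key is correct by testing for valid JSON. The key `EXAMPLE_KEY`, the field names in the dictionary, and the helper names are all assumptions for illustration; the real key and schema are not given on this page.

```python
import json

def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key`: key-scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S using the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

# Hypothetical key, constructed for this example. It is NOT the GoClient key.
EXAMPLE_KEY = b"example-rc4-key"

def build_beacon(system_info: dict, key: bytes = EXAMPLE_KEY) -> bytes:
    """Implant side: serialise host data as compact JSON, then RC4-encrypt it."""
    plain = json.dumps(system_info, separators=(",", ":")).encode("utf-8")
    return rc4(key, plain)

def decode_beacon(blob: bytes, key: bytes = EXAMPLE_KEY) -> dict:
    """Analyst side: decrypt a captured beacon with a recovered key, parse the JSON."""
    return json.loads(rc4(key, blob).decode("utf-8"))

def is_plausible_key(blob: bytes, candidate: bytes) -> bool:
    """RC4 carries no integrity tag, so a wrong key yields garbage rather than an
    error. Treat a candidate as plausible only if the result parses as JSON."""
    try:
        json.loads(rc4(candidate, blob).decode("utf-8"))
        return True
    except (UnicodeDecodeError, ValueError):
        return False

if __name__ == "__main__":
    # Constructed sample host data; field names are illustrative only.
    info = {"host": "WS-01", "user": "alice", "os": "Windows 10", "pid": 4132}
    blob = build_beacon(info)
    print("ciphertext:", blob.hex())
    print("recovered :", decode_beacon(blob))
    print("wrong key plausible?", is_plausible_key(blob, b"not-the-key"))
```

The `is_plausible_key` check is the practical takeaway: because RC4 output is indistinguishable from random bytes without the key, a quick "does it decrypt to JSON" test is the usual way to confirm a key pulled from a sample against a packet capture.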
CloudComputating's adoption of a modular framework marks a strategic shift. The report states, "The usage of the QSC framework suggests a strategic change in their toolkit, serving as a secondary means to maintain access within compromised networks." Loading modules on demand lets the group keep a small resident footprint and extend capabilities only when a task requires it.
Kaspersky's findings point to a deliberate pivot by CloudComputating towards more dynamic, harder-to-detect tooling. The report urges continued vigilance, noting that the group's activity reflects "a significant shift in the tactics," one that underscores its adaptability and its persistent threat to telecom infrastructure and potentially other sectors.