GoClient

The Command Shell module launches % windir % \ system32 \ cmd . exe as a shell using the CreateProcess API, and data is written to and read from the shell using pipes.

dc191340 Close the connection, delete its own module file and terminate its own process.

systeminfo ipconfig / all netstat - ano - p tcp

ping 172.19.19.1 - n 1 ping 172.19.19.2 - n 1 tracert 172.19.19.2 netstat - ano ping - a 172.17.104.102 - n 1

Send target information (e.g. computer name, user name, OS version, etc.)

0x0A20010 If the sub-command is < root > , then get the logical drive letters and types in the system. Otherwise, send a list of files and folders at a specified path.

The domain controller was queried to view the list of users within the groups “domain controllers” and “domain computers” ... Next, the actor tried to list the users under the group “domain admins”

0x0A20012 Read the file and send it to the C2.

26c108d6 Create a screenshot of the machine and save on a file named cap . png .

c : \ inetpub \ temp \ rar . exe a c : \ inetpub \ temp \ s . rar c : \ inetpub \ temp \ * . dat

the C2 in the configuration data contained an internal/proxy IP address, which suggested that the attackers were already aware of the target network topology.

In addition to the QSC framework, the attackers also deployed a new backdoor written in Golang, which we have named “GoClient”.