
This turns the infected Linux systems into interconnected relay points that can keep communicating even when parts of the infrastructure are taken down, which is another factor that makes complete eradication difficult.
The command and control (C2) component exposes a versatile command set. “In total, QLNX registers 58 distinct commands, covering a broad range of post-compromise functionality, including file system manipulation, network tunneling, credential harvesting, and rootkit management,” the researchers said, alongside a complete list of the registered commands and their corresponding handlers.
For network communication, QLNX supports raw TCP, HTTPS, and HTTP. “All three transports carry the same underlying binary command protocol,” Trend Micro wrote. “Both the TCP and HTTPS channels are secured using TLS, ensuring that command and data exchanges are encrypted during network communication.” The plain HTTP transport is not listed as TLS-protected, so by implication the same binary command protocol crosses that channel unencrypted, which makes it the one transport where the command bytes are directly exposed to network inspection.
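The following added example is not Trend Micro's code or the malware's real protocol; the frame layout (a magic marker, a 16-bit command id, a 32-bit length, then the payload) is a hypothetical stand-in invented here to illustrate the transport design described above. It shows that one binary command frame can be carried either directly on a stream socket or as the body of an HTTP POST, that the receiving side recovers identical bytes from both, and that a body-prefix check works against the plaintext HTTP variant only, since the same bytes inside a TLS session are not visible to a passive sensor without TLS termination.

```python
import struct
from typing import Optional, Tuple

# Hypothetical frame marker for this illustration; not a real QLNX artifact.
MAGIC = b"EXMP"
HEADER_LEN = len(MAGIC) + 2 + 4  # magic | u16 cmd_id | u32 payload length


def encode_frame(cmd_id: int, payload: bytes) -> bytes:
    """Build one command frame: MAGIC, big-endian cmd id, payload length, payload."""
    return MAGIC + struct.pack("!HI", cmd_id, len(payload)) + payload


def decode_frame(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Parse a frame; return (cmd_id, payload) or None if malformed or truncated."""
    if len(data) < HEADER_LEN or data[:4] != MAGIC:
        return None
    cmd_id, length = struct.unpack("!HI", data[4:HEADER_LEN])
    if len(data) < HEADER_LEN + length:
        return None  # truncated: refuse to act on a partial payload
    return cmd_id, data[HEADER_LEN:HEADER_LEN + length]


def wrap_http(frame: bytes, host: str = "c2.example.invalid", path: str = "/upload") -> bytes:
    """Carry the identical frame bytes as the body of a plain HTTP POST (hypothetical host)."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(frame)}\r\n\r\n"
    ).encode("ascii")
    return head + frame


def unwrap_http(raw: bytes) -> Optional[bytes]:
    """Extract the body of a minimal HTTP request using its Content-Length header."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None
    length = None
    for line in raw[:sep].decode("latin-1").split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == "content-length":
            length = int(value.strip())
    if length is None:
        return None
    body = raw[sep + 4: sep + 4 + length]
    return body if len(body) == length else None


def extract_command(stream: bytes) -> Optional[Tuple[int, bytes]]:
    """Server-side view: recover the command frame from raw-stream or HTTP-wrapped input."""
    if stream.startswith(b"POST ") or stream.startswith(b"GET "):
        body = unwrap_http(stream)
        return decode_frame(body) if body is not None else None
    return decode_frame(stream)


def looks_like_binary_c2_over_http(raw: bytes) -> bool:
    """Sensor-side heuristic: a plaintext HTTP body that begins with the frame marker.

    This only works on the unencrypted HTTP transport; over TLS the body is opaque
    to a passive sensor unless traffic is decrypted at a proxy.
    """
    body = unwrap_http(raw)
    return body is not None and body[:4] == MAGIC


if __name__ == "__main__":
    # Constructed sample: hypothetical command 7 carrying a file path as its argument.
    frame = encode_frame(7, b"/etc/passwd")
    over_http = wrap_http(frame)
    print("raw :", extract_command(frame))
    print("http:", extract_command(over_http))
    print("flagged:", looks_like_binary_c2_over_http(over_http))
```

The same `decode_frame` serves both transports because the HTTP layer only wraps the frame; nothing about the command protocol changes. That is also why the detection heuristic is cheap on the plaintext transport and unavailable on the TLS ones.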
