The deployment of a new C# framework called CloudScout by the Evasive Panda group raised concerns in early 2023 when it was used against a Taiwanese government entity. The tool is built from three modules, CGM, CGN, and COL, which hijack web sessions and gain access to cloud services such as Google Drive, Gmail, and Outlook by using cookies stolen from a victim’s browser.
CloudScout’s ability to bypass 2FA and IP tracking by retrieving data directly from cloud storage has sparked alarm among cybersecurity experts. However, recent security measures like Device Bound Session Credentials and App-Bound Encryption have been identified as potential counters to mitigate the effectiveness of this technique.
This isn’t the first time CloudScout has been used in cyberattacks targeting Taiwan. In 2022, it was utilized in an attack against a religious institution’s network through the MgBot botnet. In 2023, it resurfaced in a suspected government entity’s systems alongside the Nightdoor implant, indicating a deliberate and targeted approach towards Taiwan.
The origin of the CloudScout .NET malware framework can be traced back to around 2020 when the Evasive Panda group developed it to target various cloud services including Google Drive, Gmail, and Outlook. This modular framework comprises different modules with specific targets like Twitter and Facebook, while the core component, the CommonUtilities library, has undergone multiple updates over time.
Attackers strategically select and deploy specific modules based on their intended targets, showcasing a calculated approach towards their cyber operations. The emergence of CloudScout alongside Nightdoor and a new variant of the MgBot botnet in 2020 demonstrates the active toolkit development of the Evasive Panda group.
The deployment of the CGM module through the Gmck C++ plugin allows attackers to extract browser cookies from compromised systems and create configuration files encrypted with the same RC4 key. These files are then used by CGM to access victim accounts and download sensitive information such as emails and personal data.
The configuration files generated by the MgBot plugin play a crucial role in initiating data collection cycles in the CloudScout framework. These JSON-format files contain cookie information and settings for data download, staging, and exfiltration, enabling attackers to steal valuable information from compromised accounts.
According to researchers at ESET, the CommonUtilities component of CloudScout provides essential libraries for HTTP communication and cookie management, enhancing the framework’s capabilities for data extraction. Additionally, the HTTPAccess library allows for modification of HTTP headers, while the ManagedCookie library facilitates cookie parsing and integration into HTTP requests using custom regex patterns.
CloudScout modules follow a common design pattern, with each module specializing in authentication and data retrieval for a specific cloud service by leveraging stolen cookies. Upon completion of the authentication process, modules simulate a web browser to retrieve desired data such as emails and files, which are then encrypted, compressed, and exfiltrated. The modules are designed to clean up after each cycle and await new configurations to initiate subsequent data collection processes.
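As an added defender-side illustration (not code from ESET’s research or from the CloudScout framework itself), the following Python scans access-log lines for a session cookie that is presented from more than one client fingerprint. Replaying cookies taken from a victim’s browser on another host is exactly what leaves that footprint on the service side, which is why binding mechanisms such as Device Bound Session Credentials are relevant. The log format, field names and sample values below are constructed for the example and are not taken from the article.

```python
"""Flag session cookies that are replayed from more than one client fingerprint.

Added example, not ESET's or the malware's code. A stolen cookie used from the
attacker's host shows up as the same session id with a second source network
and/or User-Agent. The log layout here (timestamp, client IP, quoted UA,
sid=<cookie>) is an assumption standing in for whatever the reverse proxy or
identity provider actually emits.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines: one normal session (d4e5f6) and one session
# (a1b2c3) whose cookie is reused a few minutes later from a different network.
SAMPLE_LOG = """\
2023-02-01T08:00:01Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/109" sid=a1b2c3
2023-02-01T08:05:12Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/109" sid=a1b2c3
2023-02-01T08:07:40Z 198.51.100.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/109" sid=a1b2c3
2023-02-01T09:00:00Z 203.0.113.22 "Mozilla/5.0 (X11; Linux) Firefox/110" sid=d4e5f6
2023-02-01T09:01:30Z 203.0.113.22 "Mozilla/5.0 (X11; Linux) Firefox/110" sid=d4e5f6
"""

# Assumed line grammar for the constructed format above.
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" sid=(\S+)$')


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    ua: str
    sid: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
    return events


def fingerprint(ip, ua):
    """Coarse client fingerprint: /24 of the source address plus User-Agent.

    Using the /24 rather than the exact address avoids alerting on ordinary
    address churn inside one network while still separating distinct hosts.
    """
    net = ".".join(ip.split(".")[:3])
    return f"{net}|{ua}"


def redact(sid):
    """Never put the full session cookie into an alert; keep a short prefix."""
    return sid[:4] + "..."


def find_replayed_sessions(events, max_fingerprints=1):
    """Return {sid: {fingerprint: first_seen_ts}} for sessions that exceed
    max_fingerprints distinct client fingerprints."""
    seen = defaultdict(dict)
    for ev in events:
        seen[ev.sid].setdefault(fingerprint(ev.ip, ev.ua), ev.ts)
    return {sid: fps for sid, fps in seen.items() if len(fps) > max_fingerprints}


def alerts(text):
    """Human-readable alert lines for replayed sessions found in the log text."""
    out = []
    for sid, fps in find_replayed_sessions(parse_log(text)).items():
        where = "; ".join(f"{fp} @ {ts}" for fp, ts in fps.items())
        out.append(f"session {redact(sid)} seen from {len(fps)} fingerprints: {where}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

A second fingerprint is a triage signal, not proof of compromise: roaming mobile users and split-tunnel VPNs produce the same pattern. Correlating the flagged session with endpoint telemetry from the original client (for instance, an unexpected process reading the browser’s cookie store) is what turns it into an incident.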
In conclusion, the deployment of the CloudScout framework by the Evasive Panda group highlights the evolving sophistication of cyber threats targeting cloud services and underscores the importance of robust cybersecurity measures to safeguard against such malicious activities. Security experts continue to monitor and analyze these developments to enhance defense mechanisms and protect sensitive data from unauthorized access.