The China-sponsored Evasive Panda hacking group has recently introduced CloudScout, a sophisticated toolset that enables the retrieval of data from various cloud services through the use of stolen web session cookies. This revelation was made by researchers at ESET, who came across CloudScout while investigating two previous breaches in Taiwan involving a religious institution and a government entity.
CloudScout is coded in .NET and is specifically designed to seamlessly integrate with MgBot, Evasive Panda’s unique malware framework. Through a plugin system, MgBot feeds CloudScout with stolen cookies, allowing it to access and extract data from the cloud by using the pass-the-cookie method to exploit authenticated browser sessions.
Researchers from ESET noted that individual CloudScout modules were observed targeting popular cloud platforms such as Google Drive, Gmail, and Outlook. They believe that Evasive Panda has developed modules for attacks on at least 10 different cloud applications. These modules are crafted to breach public cloud services by exploiting authenticated web sessions, as detailed in ESET’s analysis released on Oct. 28. By stealing cookies from a web browser database, CloudScout bypasses authentication measures like two-factor authentication (2FA) and IP tracking.
Following successful authentication, CloudScout modules execute a set of hardcoded web requests and utilize intricate HTML parsers to identify and extract desired information from web responses, such as email folders and messages. The collected data is then compressed into a .zip file for exfiltration either by MgBot or another custom backdoor known as Nightdoor.
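The reason a stolen cookie defeats 2FA is that a web session cookie is a bearer token: the service re-checks neither the password nor the second factor on later requests, only the cookie. What the service operator can still observe is the same cookie being presented from a client that does not match the one that logged in. The following is an added example, not code from ESET or from the reporting above; it assumes a constructed access-log format (timestamp, session id, source IP, User-Agent, path) and flags two signs of a replayed cookie: a User-Agent change within one session, and one session alternating between two client contexts inside a short window, which a single browser moving between networks does not do.

```python
"""Server-side detection of a replayed (pass-the-cookie) web session.

Added example; not part of the ESET report or the article. The log format
and all addresses, session ids and timestamps below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample access log. Session "s1" is used from a second host with
# a different browser while the original browser is still active; "s2" is one
# browser whose IP address changes once (ordinary roaming, not an alert).
SAMPLE_LOG = """\
2024-10-21T08:00:01Z session=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129" path=/mail/inbox
2024-10-21T08:05:12Z session=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129" path=/mail/folder/Sent
2024-10-21T08:07:40Z session=s1 ip=198.51.100.77 ua="Mozilla/5.0 (Windows NT 6.1) Chrome/118" path=/mail/inbox
2024-10-21T08:07:41Z session=s1 ip=198.51.100.77 ua="Mozilla/5.0 (Windows NT 6.1) Chrome/118" path=/mail/folder/Archive
2024-10-21T08:09:00Z session=s1 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129" path=/mail/inbox
2024-10-21T09:15:00Z session=s2 ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/drive/files
2024-10-21T09:20:00Z session=s2 ip=192.0.2.99 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/drive/files
2024-10-21T09:25:00Z session=s2 ip=192.0.2.99 ua="Mozilla/5.0 (Macintosh) Safari/17" path=/drive/files/report.docx
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    ip: str
    ua: str
    path: str


@dataclass(frozen=True)
class Alert:
    session: str
    kind: str      # "user-agent-change" or "concurrent-contexts"
    ts: datetime   # time of the request that triggered the alert
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records (oldest first)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["session"], m["ip"], m["ua"], m["path"]))
    return sorted(events, key=lambda e: e.ts)


def find_replayed_sessions(events: list[Event],
                           window: timedelta = timedelta(minutes=30)) -> list[Alert]:
    """Flag sessions whose cookie appears to be in use by more than one client.

    A context is the (ip, user_agent) pair. At most one alert of each kind is
    raised per session so a noisy session does not flood the output.
    """
    by_session: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)

    alerts: list[Alert] = []
    for sid, evs in by_session.items():
        first_ua = evs[0].ua
        last_seen: dict[tuple[str, str], datetime] = {}  # context -> last request time
        prev_ctx = None
        ua_alerted = concurrent_alerted = False
        for e in evs:
            ctx = (e.ip, e.ua)
            # A browser does not change its User-Agent mid-session; a tool replaying
            # the cookie from another machine usually does.
            if not ua_alerted and e.ua != first_ua:
                alerts.append(Alert(sid, "user-agent-change", e.ts,
                                    f"{first_ua!r} -> {e.ua!r}"))
                ua_alerted = True
            # The session came back to a context it used before, after a request
            # from a different context: two clients hold the cookie at once.
            if (not concurrent_alerted and prev_ctx is not None and ctx != prev_ctx
                    and ctx in last_seen and e.ts - last_seen[ctx] <= window):
                alerts.append(Alert(sid, "concurrent-contexts", e.ts,
                                    f"{prev_ctx} and {ctx} interleaved within {window}"))
                concurrent_alerted = True
            last_seen[ctx] = e.ts
            prev_ctx = ctx
    return alerts


def analyze(text: str = SAMPLE_LOG) -> list[Alert]:
    """Parse a log and return the replay alerts it yields."""
    return find_replayed_sessions(parse_log(text))


if __name__ == "__main__":
    for a in analyze():
        print(f"{a.ts.isoformat()} session={a.session} {a.kind}: {a.detail}")
```

On the constructed log this reports two alerts for `s1` (the User-Agent change at 08:07:40 and the return to the original browser at 08:09:00) and nothing for `s2`, whose single browser merely changed address. In a real deployment the natural response to either alert is to invalidate that session server-side and require a fresh login, which is the one control that a copied cookie cannot survive.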
Evasive Panda, also known as Bronze Highland, Daggerfly, or StormBamboo, is a sophisticated advanced persistent threat (APT) group that has been operating since at least 2012. The group primarily focuses on cyber espionage against civil society entities like independence movements in the Tibetan diaspora, religious and academic institutions in Taiwan and Hong Kong, supporters of democracy in China, as well as targets in Vietnam, Myanmar, South Korea, and Nigeria.
Known for constantly evolving its cyberattack tactics, Evasive Panda’s latest toolset showcases a high level of sophistication, according to ESET researchers. The professional design of the CloudScout framework underscores the technical prowess of Evasive Panda and highlights the crucial role that cloud-stored documents, user profiles, and emails play in its espionage activities.
In conclusion, the emergence of CloudScout as a post-compromise toolset underlines the evolving capabilities of Evasive Panda and the increasing significance of cloud services as targets for cyber espionage. As threat actors continue to refine their techniques, organizations must remain vigilant and prioritize robust cybersecurity measures to protect their sensitive data stored in the cloud.
