The China-sponsored hacking group Evasive Panda has introduced CloudScout, a sophisticated toolset designed for post-compromise intrusions. This toolset targets cloud applications such as Microsoft Outlook and Google Drive to extract sensitive information by leveraging stolen web session cookies. ESET researchers discovered CloudScout while investigating breaches in Taiwan that affected a religious institution and a government entity.
CloudScout, written in .NET, integrates with MgBot, Evasive Panda’s proprietary malware framework. MgBot supplies CloudScout with stolen cookies, which CloudScout replays to hijack already-authenticated sessions (the pass-the-cookie technique), sidestepping controls such as two-factor authentication and IP-based tracking. ESET observed that CloudScout has modules targeting multiple cloud services, including Google Drive, Gmail, and Outlook.
Figure: CloudScout leverages stolen cookies
These modules issue crafted web requests inside the hijacked session, giving the operators access to the victim’s cloud data. The harvested data is compressed into a .zip archive, which is then exfiltrated via MgBot or another backdoor called Nightdoor.
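Because pass-the-cookie replays a valid session rather than breaking authentication, the most useful server-side signal is a session identifier that suddenly appears from a different client than the one that created it. The following detector is an added example written for this article, not code from ESET, Evasive Panda, or any cloud provider; it assumes a simple constructed key=value access-log format (timestamp, hashed session id, client IP, user agent, path) and flags every session whose client fingerprint changes after its first use. A user-agent change is rated high (a replayed cookie is typically presented by a different tool than the victim’s browser), while an IP-only change is rated low because NAT and mobile roaming produce it legitimately.

```python
"""Session-cookie reuse detector (added example, constructed log format)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample access log, not real data. Session ids are assumed to be
# hashed/truncated by the logging layer so raw cookie values never hit disk.
SAMPLE_LOG = """\
2024-10-01T08:00:01Z sid=a1f3 ip=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129.0" path=/owa/
2024-10-01T08:05:12Z sid=a1f3 ip=198.51.100.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/129.0" path=/owa/inbox
2024-10-01T08:07:40Z sid=a1f3 ip=203.0.113.77 ua="python-requests/2.32" path=/owa/inbox
2024-10-01T08:09:03Z sid=a1f3 ip=203.0.113.77 ua="python-requests/2.32" path=/owa/attachment
2024-10-01T09:00:00Z sid=b7c2 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/17.6" path=/drive/
2024-10-01T09:30:00Z sid=b7c2 ip=192.0.2.45 ua="Mozilla/5.0 (Macintosh) Safari/17.6" path=/drive/files
"""

# Assumed log layout; adjust the pattern to the real server's format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    ip: str
    ua: str
    path: str


@dataclass(frozen=True)
class Alert:
    sid: str
    severity: str          # "high" = client changed, "low" = only the IP changed
    reason: str
    first_seen_from: tuple  # (ip, ua) that established the session
    now_seen_from: tuple    # (ip, ua) that just presented the same cookie
    at: datetime


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event; raise on unknown layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["sid"], m["ip"], m["ua"], m["path"])


def detect_cookie_reuse(log_text: str) -> list[Alert]:
    """Return one Alert per (session, new client fingerprint) pair.

    The first (ip, ua) seen for a session is its baseline. Any later request
    with a fingerprint not yet seen for that session produces an alert; repeats
    of an already-alerted fingerprint are suppressed to avoid flooding.
    """
    baseline: dict[str, tuple] = {}
    seen: dict[str, set] = {}
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        fp = (ev.ip, ev.ua)
        if ev.sid not in baseline:
            baseline[ev.sid] = fp
            seen[ev.sid] = {fp}
            continue
        if fp in seen[ev.sid]:
            continue
        seen[ev.sid].add(fp)
        _, base_ua = baseline[ev.sid]
        if ev.ua != base_ua:
            severity = "high"
            reason = "session cookie replayed from a different client (user agent changed)"
        else:
            severity = "low"
            reason = "session cookie presented from a new IP with the same client"
        alerts.append(Alert(ev.sid, severity, reason, baseline[ev.sid], fp, ev.ts))
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_reuse(SAMPLE_LOG):
        print(f"[{a.severity}] sid={a.sid} at {a.at.isoformat()}: {a.reason}; "
              f"baseline={a.first_seen_from} now={a.now_seen_from}")
```

Running the block prints one high alert for session a1f3 (browser session continued by a scripted client from a new address) and one low alert for b7c2 (same Safari client, neighbouring IP). In production the same logic belongs in the identity provider or reverse proxy, where a high alert can revoke the session; short token lifetimes and binding the session to device posture reduce how long a stolen cookie remains useful.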
Evasive Panda, also known as Bronze Highland, Daggerfly, or StormBamboo, is an advanced persistent threat (APT) group that has been active since at least 2012. It primarily focuses on cyber espionage against civil society targets, such as Tibetan independence movements, democracy supporters in Hong Kong, and activists in China. The group’s activities have also extended to nations like Vietnam, Myanmar, South Korea, and even a few targets in Nigeria.
According to ESET researchers, the CloudScout framework showcases Evasive Panda’s advanced technical capabilities and the critical role that cloud-stored documents and emails play in its espionage operations.