Sunday, November 24, 2024

Evasive Panda scouting cloud services

In this blogpost, we provide a technical analysis of CloudScout, a post-compromise toolset used by Evasive Panda to target a government entity and a religious organization in Taiwan from 2022 to 2023. The CloudScout toolset is capable of retrieving data from various cloud services by leveraging stolen web session cookies. Through a plugin, CloudScout works seamlessly with MgBot, Evasive Panda’s signature malware framework.

Key points of this blogpost:

  • The CloudScout toolset was detected in Taiwan, between 2022 and 2023, in the network of a religious institution and at a government entity.
  • CloudScout utilizes stolen cookies, provided by MgBot plugins, to access and exfiltrate data stored at various cloud services.
  • We analyzed three CloudScout modules, which aim to steal data from Google Drive, Gmail, and Outlook. We believe that at least seven additional modules exist.
  • Hardcoded fields in CloudScout’s web requests for stealing Outlook email messages suggest that the samples involved were crafted to target Taiwanese users.
  • Each CloudScout module, programmed in C#, is deployed by an MgBot plugin, programmed in C++.

Evasive Panda profile

Evasive Panda (also known as BRONZE HIGHLAND, Daggerfly, or StormBamboo) is a China-aligned APT group, operating since at least 2012. Evasive Panda’s objective is cyberespionage against countries and organizations opposing China’s interests through independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China. At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea.

Evasive Panda has accumulated an impressive list of attack vectors. We have seen its operators conduct sophisticated TTPs such as supply-chain and watering-hole attacks, and DNS hijacking; in addition, they have abused the latest CVEs affecting Microsoft Office, Confluence, and web server applications. The group also demonstrates a strong capability for malware development, which is showcased in its deep collection of multiplatform backdoors for Windows, macOS, and Android. For Windows, its most-used tools are MgBot (since 2012; a custom malware framework consisting of a main implant and eight currently known plugins as detailed in our WLS blogpost) and the more recently developed Nightdoor (described in another WLS blogpost; a feature-rich backdoor that utilizes public cloud services for C&C communications).

Overview

In early 2023, we detected Evasive Panda deploy three previously unknown .NET modules (internally named CGD, CGM, and COL) at a government entity in Taiwan. These modules are designed to access public cloud services such as Google Drive, Gmail, and Outlook by hijacking authenticated web sessions. This technique relies on stealing cookies from a web browser database, then using them in a specific set of web requests to gain access to cloud services. Unlike stolen credentials, which may be blocked by security features such as two-factor authentication (2FA) and IP tracking, stolen web session cookies allow the attacker to retrieve data stored in the cloud, right from the victim’s machine. In 2023, Google released the Device Bound Session Credentials (DBSC) project on GitHub and, in 2024, the App-Bound Encryption feature in the Chrome 127 update. These are protective measures against cookie-theft malware, such as CloudScout, and could potentially render this toolset obsolete.

Further code analysis of the three modules reveals an underlying development framework, codenamed CloudScout by its developers. In this blogpost, we provide a detailed analysis of this modular framework programmed in C#. To the best of our knowledge, the CloudScout toolset has not previously been documented publicly.

Victimology

According to ESET telemetry, CloudScout was observed in two incidents targeting Taiwan:

  • In May 2022, the network of a Taiwanese religious institution was compromised with MgBot and Nightdoor. In this incident, MgBot was used to install a plugin that deploys a CloudScout module.
  • In February 2023, CloudScout modules and the Nightdoor implant were detected at what we suspect is a Taiwanese government entity.

Furthermore, we found in some hardcoded HTTP requests the inclusion of Taipei Standard Time as the time zone and zh-CN as the language pack (as shown in Figure 1). Both suggest that these samples were crafted to target Taiwanese users.

Evasive Panda scouting cloud services
Figure 1. HTTP request from COL to Outlook Web Access

Technical analysis

CloudScout is a .NET malware framework consisting of multiple modules targeting different cloud services. The name CloudScout originated from the PDB paths of the modules obtained:

  • E:\project\git_new\MProjects\Code\CloudScout\GoogleDriver\CGD\obj\Debug\CGD.pdb
  • E:\project\git_new\MProjects\Code\CloudScout\Gmail\CGM\obj\Debug\CGM.pdb
  • E:\project\git_new\MProjects\Code\CloudScout\Outlook\COL\obj\Debug\COL.pdb

We also found mention of seven other modules in the framework (see the section CommonUtilities: The heart of CloudScout); at the time of writing, we have not yet observed them deployed on compromised machines, hinting that the attackers deploy them selectively. Altogether, the complete list of CloudScout modules is:

  • CGD
  • CGM
  • COL
  • CTW
  • CFB
  • GMQ
  • MEXC
  • CEXC
  • CZI
  • CNE

Based on the naming convention (e.g., the module targeting Google Drive is called CGD, the one targeting Gmail CGM, and the one targeting Outlook COL), we infer that CTW and CFB possibly target Twitter and Facebook. However, the purpose of other modules remains undetermined.

Development timing

The AssemblyCopyright field’s value, Copyright ©  2020, in the .NET manifest of CloudScout modules, as seen in Figure 2, suggests that the CloudScout toolset might have been developed around 2020. Even though the legitimacy of the .NET manifest is questionable, it is consistent across all the samples that we found. In addition, different versions stated in the AssemblyVersion of CGD and CGM reflect the changes added to their code base.

Figure 2. Manifest of CGD module
Figure 2. Manifest of CGD module

We also found different versions of the embedded internal custom-made library package CommonUtilities. Table 1 shows different versions of CGD, CGM, and COL containing different versions of CommonUtilities.

Table 1. Versions of CloudScout modules

Module Version SHA-1 CommonUtilities version
CGD 1.0.11 67028AEB095189FDF18B2D7B775B62366EF224A9 1.0.08
1.0.14 B3556D1052BF5432D39A6068CCF00D8C318AF146 1.0.10
1.0.17 84F6B9F13CDCD8D9D15D5820536BC878CD89B3C8 1.0.11
CGM 1.0.11 4A5BCDAAC0BC315EDD00BB1FCCD1322737BCBEEB 1.0.08
1.0.13 C058F9FE91293040C8B0908D3DAFC80F89D2E38B 1.0.10
1.0.14 621E2B50A979D77BA3F271FAB94326CCCBC009B4 1.0.11
COL 1.0.10 93C1C8AD2AF64D0E4C132F067D369ECBEBAE00B7 1.0.08

Assuming that the .NET manifest is accurate, in 2020 alone, we observed three new toolsets from Evasive Panda. The other two instances are the first appearance of Nightdoor and a new UDP variant of MgBot (succeeding the UDT variant).

Old dog, new tricks

From a common RC4 encryption key shared by the three modules, we performed a retrohunt and discovered that CGM was deployed by an MgBot plugin called Gmck.dll, which was programmed in C++. The plugin was detected in an incident in 2022 where two machines from the aforementioned religious institution in Taiwan were compromised by Evasive Panda. In that incident (illustrated in Figure 3), MgBot installed the CGM module, which in turn accessed the victim’s Gmail account to download emails and personal information.

Figure 3. Compromise chain
Figure 3. Compromise chain observed in the aforementioned network of a religious institution in Taiwan

Gmck.dll (which we will refer to as Gmck) carries the .NET module CGM within its binary. In order to execute CGM, Gmck first drops the module to disk at a hardcoded path, then starts the common language runtime (CLR) using ICLRMetaHost and ICLRRuntimeHost. Finally, it calls ExecuteInDefaultAppDomain with a reference to CGM’s entry point function (ModuleStart), as seen in Figure 4.

Figure 4. Code to load the CGM DLL
Figure 4. Code to load the CGM DLL

According to our telemetry, CGD and COL modules are also written to the same staging folder, as shown in Table 2.

Table 2. Paths where CloudScout modules are deployed

MgBot plugin Deployment path CloudScout module
Gmck.dll %ProgramData%\NVIDlA\gmck\msvc_4.dll CGM
N/A %ProgramData%\NVIDlA\olck\msvc_4.dll COL
N/A %ProgramData%\NVIDlA\dankdh\msvc_4.dll CGD

The staging folder NVIDlA is purposely misspelled using a simple homograph: it’s all in uppercase letters except that the letter after the D is a lowercase letter el. The subfolders (as highlighted) seem to be named after the MgBot plugins. Unfortunately, we have been unable to obtain the olck and dankdh plugins.

After the CGM module is successfully deployed, the Gmck plugin needs to provide browser cookies to CGM in the form of a configuration file. Gmck extracts these cookies from web browser database files listed in Table 3. With the release of App-Bound Encryption in Chrome 127 and Edge 128, Gmck is no longer able to decrypt Cookies database files from Chrome and Edge.

Table 3. Database files from which Gmck extracts cookies

Targeted browser Database files
Chrome %localappdata%\Google\Chrome\User Data\Local State
%localappdata%\Google\Chrome\User Data\<username>\Network\Cookies
Edge %localappdata%\Microsoft\Edge\User Data\Local State
%localappdata%\Microsoft\Edge\User Data\<username>\Network\Cookies
Firefox %AppData%\Mozilla\Firefox\profiles.ini
%AppData%\Mozilla\Firefox\<profile_name>\cookies.sqlite

The configuration file must have a .dat extension and be RC4 encrypted using the key 0dda5a8d⁠-⁠e4c2⁠-⁠477d⁠-⁠85df⁠-⁠fcb611a62ffe in order to be recognized by CGM. This RC4 key is used by all three CloudScout modules to decrypt the configuration files, which means the MgBot plugins must also use this key for encryption.

Figure 5 summarizes the relationship between Gmck and CGM.

Figure 5. Interactions between Gmck and CGM
Figure 5. Interactions between Gmck and CGM

Configuration

The configuration file cm_cke_<yyyyymmdd>_<hhmmss>.dat in Figure 5 is provided by the MgBot plugin after it extracts cookies from a web browser’s database. The CloudScout module obtains a new configuration by continuously monitoring its working directory, looking for files with .dat extensions. For each .dat file that it finds, the CloudScout module spawns a new thread to handle the file, which means it can handle multiple configuration files at the same time. The newly spawned thread handles a full collection cycle, from parsing the configuration to downloading all the targeted data. At the end of the cycle, the configuration file is removed from disk to prevent accidentally repeating the same cycle.

The configuration file is in JSON format. It contains two main data structures: token and config. The token structure contains the cookies organized by domain name. And config contains settings for downloading and staging the collected data for exfiltration, as well as for keeping the program running or exiting after a successful cycle (dealone field). An example of a configuration file is included in Figure 6.

Figure 6. An example of a configuration generated by the Gmck plugin for the CGM module
Figure 6. An example of a configuration generated by the Gmck plugin for the CGM module

CommonUtilities: The heart of CloudScout

At the heart of CloudScout is the CommonUtilities package, which provides all necessary low-level libraries for the modules to run, as illustrated in Figure 7. This package is stored in the resources section of CloudScout modules and is loaded at the beginning of the ModuleStart function.

Figure 7. Overview of the design of CommonUtilities
Figure 7. Overview of the design of CommonUtilities

As seen in Figure 8, the .NET manifest of CommonUtilities reveals all of its client modules.

Figure 8. Manifest of CommonUtilities
Figure 8. Manifest of CommonUtilities

CommonUtilities contains quite a few custom-implemented libraries despite the abundant availability of similar open-source libraries online. These custom libraries give the developers more flexibility and control over the inner workings of their implant, compared to open-source alternatives. They also manifest certain unpredictable behaviors that forced us to dig deep into the code to understand. Examples of these custom libraries are HTTPAccess and ManagedCookie.

HTTPAccess provides necessary functions to handle all the HTTP communications of CloudScout modules. It has the capability of modifying HTTP headers, as shown in Figure 9.

Figure 9. Code in HTTPAccess to modify HTTP headers
Figure 9. Code in HTTPAccess to modify HTTP headers

As highlighted in this code snippet, the this.mngCk object, an instance of the ManagedCookie class, is used to integrate cookies into the crafted HTTP headers. As the name suggests, ManagedCookie provides functions to manage cookies for web requests between CloudScout and targeted cloud services. What makes this class special is its comprehensive list of cookie parsers capable of turning most cookies into default .NET cookie objects. Figure 10 shows the different regexes created to match various combinations of attribute-value pairs in cookies.

Figure 10. Different regexes to handle various combinations of attribute-value pairs in cookies
Figure 10. Different regexes to handle various combinations of attribute-value pairs in cookies

The frame of CloudScout

All CloudScout modules share a uniform architecture, as shown in Figure 11. The core functionality of the module is in the Cloud namespace, which is nearly identical in each module. The implementation only diverges in functions related to authentication and data retrieval, where each module needs to generate specific web requests or to parse certain web responses according to the cloud service it targets.

Figure 11. Common design shared by three CloudScout modules
Figure 11. Common design shared by three CloudScout modules

The streamlined design of CloudScout and the core logic of the Cloud namespace is illustrated in Figure 12.

Figure 12. Overview of the design of a CloudScout module
Figure 12. Overview of the design of a CloudScout module

Authentication

Cookies in general are not very well documented by web platforms. Authentication cookies tend to have short lifespans and are frequently updated as the user interacts with the platform via a web browser. However, as long as the sessions are still valid, the cookies listed in Table 4 can be abused by CloudScout to access and download valuable data from cloud services.

Table 4. Authentication cookies handled by the CloudScout modules

Service Domain Required cookies
Google Drive drive.google.com
accounts.google.com
OSID, HSID, SID, SSID, APISID, SAPISID, LSID
Gmail mail.google.com
accounts.google.com
Outlook outlook.live.com
login.live.com
X-OWA-CANARY, RPSSecAuth, ClientId

X-OWA-CANARY is a security cookie used by Microsoft Outlook Web Access (OWA) to prevent cross-site request forgery attacks. It is assigned at the beginning of each session when the user is authenticated. CloudScout’s COL module implements a mechanism to retrieve this cookie when it is not available, by establishing a new session using the RPSSecAuth and ClientId cookies to reauthenticate, as shown in Figure 13.

Figure 13. Code to get the X-OWA-CANARY cookie
Figure 13. Code to get the X-OWA-CANARY cookie

Data retrieval

After authentication, the CloudScout modules browse the compromised cloud service accounts in a manner similar to how a regular user would with a web browser. To achieve this, each CloudScout module is equipped with a set of hardcoded web requests to perform, along with complex HTML parsers, which identify and extract the data of interest from the web responses.

For example, the CGM and COL modules are interested in mail folder listings and email messages, targeting Gmail and Outlook, respectively. Figure 14 shows the steps that CGM performs to extract email headers, email bodies, and attachments from the HTML content served by the Gmail web server.

Figure 14. Code to parse an HTML page to extract email message data
Figure 14. Code to parse an HTML page to extract email message data

On the other hand, CGD is interested in user information from Google Drive; a full directory hierarchy; and files with extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt. Figure 15 is the code snippet from CGD to generate a download URL for a document.

Figure 15. Code to generate a download URL from Google Drive
Figure 15. Code to generate a download URL from Google Drive

The module appends a custom header to each downloaded item, whether it is a file or an email. This custom header includes metadata of the item such as client ID (assigned by the malware), email subject, or filename, and the username of the cloud service (Table 5). The added header most likely allows stolen data to be processed at scale, by automated systems, for quick indexing or to perform analysis.

Table 5. Custom headers for downloaded email and files

Mail header File header
tasktype:
taskid:
clientid:
objectname:
mailid:
username:
subject:=?utf-8?b?<base64_encoded_data>?=
froms:=?utf-8?b?<base64_encoded_data>?=
tos:=?utf-8?b?<base64_encoded_data>?=
type:
sourceflag: {Outlook|Gmail}
filepath:
mailcountry:
attachment:
mailboxtype:{outlook|gmail}
folder:=?utf-8?b? <base64_encoded_data>?=
time: <yyyy-MM-dd HH:mm:ss>
captime: <yyyy-MM-dd HH:mm:ss>
tasktype:
taskid:
clientid:
objectname:
username:
skydrivetype:googledrive
path:=?utf-8?b? ?<base64_encoded_data>?=
source:googledrive
filename:=?utf-8?b? ?<base64_encoded_data>?=
key:
filetime: <yyyy-MM-dd HH:mm:ss>
size:
type:googledrive
captime: <yyyy-MM-dd HH:mm:ss>

After adding the header, each item is encrypted using the same RC4 key as used for the configuration file and stored with the filename <pseudorandom_GUID>.<custom_extension>, where <custom_extension> indicates the type of stolen data, as listed in Table 6.

Table 6. Filename extension for each data category

Data category CGD CGM or COL
Personal information .pc_plug_googledrive_profile N/A
Email N/A .pc_plug_gmck_email
Directory listing .pc_plug_googledrive_filelist .pc_plug_gmck_email_list
File .pc_plug_googledrive_file N/A

Next, all items are compressed into a ZIP archive named <pseudorandom_GUID>.hxkz_zip and placed in a directory for exfiltration as specified by the datapath field of the configuration. This archive can later be exfiltrated by either MgBot or Nightdoor. In the final step, the CloudScout modules do a full cleanup, removing all artifacts generated during the collection cycle except the files to be exfiltrated, before checking the dealone flag to either exit or to continue and wait for a new configuration file to start a new collection cycle.

Conclusion

CloudScout is a .NET toolset used by Evasive Panda to steal data stored in cloud services. It is implemented as an extension to MgBot and uses the pass-the-cookie technique to hijack authenticated sessions from web browsers.

In this blogpost, we have highlighted the professional design behind the CloudScout framework to demonstrate Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-1 Filename Detection Description
C70C3750AC6B9D7B033ADDEF838EF1CC28C262F3 pmsrvd.dll Win32/Agent.AELQ MgBot loader.
812124B84C5EA455F7147D94EC38D24BDF159F84 pmsrvd.dll Win32/Agent.AELQ MgBot loader.
AD6C84859D413D627AC589AEDF9891707E179D6C 3.exe Win32/Agent.ADJV MgBot dropper.
3DD958CA6EB7E8F0A0612D295453A3A10C08F5FE 1.exe Win32/Agent.ADJV MgBot dropper.
547BD65EEE05D744E075C5E12FB973A74D42438F doc.exe Win32/Agent.AFXX Nightdoor dropper.
348730018E0A5554F0F05E47BBA43DC0F55795AC DJCU.dll Win32/Nightdoor.A Nightdoor loader.
9B6A473820A72111C1A38735992B55C413D941EE CommonUtilities.dll MSIL/Agent.UEK CloudScout internal library package version 1.0.0.
621E2B50A979D77BA3F271FAB94326CCCBC009B4 CGM.dll MSIL/CloudScout.A CloudScout Gmail stealer version 1.0.14.
C058F9FE91293040C8B0908D3DAFC80F89D2E38B CGM.dll MSIL/CloudScout.A CloudScout Gmail stealer version 1.0.13.
4A5BCDAAC0BC315EDD00BB1FCCD1322737BCBEEB CGM.dll MSIL/CloudScout.A CloudScout Gmail stealer version 1.0.18.
67028AEB095189FDF18B2D7B775B62366EF224A9 CGD.dll MSIL/CloudScout.A CloudScout Google Drive stealer version 1.0.11.
B3556D1052BF5432D39A6068CCF00D8C318AF146 CGD.dll MSIL/CloudScout.A CloudScout Google Drive stealer version 1.0.14.
84F6B9F13CDCD8D9D15D5820536BC878CD89B3C8 CGD.dll MSIL/CloudScout.A CloudScout Google Drive stealer version 1.0.17.
93C1C8AD2AF64D0E4C132F067D369ECBEBAE00B7 COL.dll MSIL/CloudScout.A CloudScout Outlook Web Access stealer version 1.0.10.
8EAA213AE4D482938C5A7EC523C83D2C2E1E8C0E CommonUtilities.dll MSIL/CloudScout.A CloudScout internal library package version 1.0.8.
A1CA41FDB61F03659168050DE3E208F0940F37D8 CommonUtilities.dll MSIL/CloudScout.A CloudScout internal library package version 1.0.11.

Network

IP Domain Hosting provider First seen Details
103.96.128[.]44 N/A IRT⁠-⁠WUZHOUHULIAN⁠-⁠HK 2022⁠-⁠05⁠-⁠26 MgBot and Nightdoor C&C server.

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.

Tactic ID Name Description
Resource Development T1583.004 Acquire Infrastructure: Server Evasive Panda acquired servers for the C&C infrastructure of MgBot and Nightdoor.
T1587.001 Develop Capabilities: Malware Evasive Panda developed custom implants such as MgBot, CloudScout, and Nightdoor.
Execution T1569.002 System Services: Service Execution MgBot is executed as a Windows service.
T1106 Execution through API The MgBot installer uses Windows APIs to create processes. Gmck uses ExecuteInDefaultAppDomain to execute CGM in the CLR.
Persistence T1543.003 Create or Modify System Process: Windows Service MgBot replaces the existing Application Management service DLL path with its own.
Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Access Control MgBot performs UAC bypass.
Defense Evasion T1140 Deobfuscate/Decode Files or Information Gmck decrypts Chrome, Edge, and Firefox web browser databases to extract cookies.
T1112 Modify Registry MgBot modifies the registry for persistence.
T1027 Obfuscated Files or Information Gmck obfuscates the configuration that contains cookies.
T1550.004 Use Alternate Authentication Material: Web Session Cookie CloudScout uses stolen cookies to access cloud resources.
T1036.005 Masquerading: Match Legitimate Name or Location CloudScout modules are installed to %ProgramData%\NVIDlA to mimic an NVIDIA directory.
Credential Access T1539 Steal Web Session Cookie Gmck steals cookies.
Discovery T1082 System Information Discovery MgBot collects system information.
Collection T1560.001 Archive Collected Data: Archive via Utility CloudScout modules use SharpZipLib to compress data before exfiltration.
T1530 Data from Cloud Storage Object CGD downloads files stored on Google Drive.
T1114.002 Email Collection: Remote Email Collection CGM and COL access and collect emails from Gmail and Outlook Web Access, respectively.
Command and Control T1095 Non-Application Layer Protocol MgBot communicates with its C&C via UDP.
Exfiltration T1041 Exfiltration Over C2 Channel MgBot exfiltrates collected data to its C&C.

Related Articles

Latest Articles