The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.
That’s according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).
CloudScout is written in .NET, and it’s designed to work seamlessly with MgBot, Evasive Panda’s proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and infiltrate data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.
ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on least 10 different cloud apps. Â
“These modules are designed to access public cloud services … by hijacking authenticated Web sessions,” according to ESET’s analysis, released on Oct. 28. “This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services,” thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking.
After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it’s compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.
Chinese APT Hones Cyberespionage Arsenal
Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that’s been operating since at least 2012, focused mainly on cyber espionage against civil society targets.
These include “independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China,” ESET researchers noted. “At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea.” It has also been seen targeting a handful of victims in Nigeria.
The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.
According to ESET, “The professional design behind the CloudScout framework … demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations.”