Evasive Panda scouting cloud services

The article conducts a technical analysis of CloudScout, a post-compromise toolset employed by the advanced persistent threat (APT) group Evasive Panda to compromise a government entity and a religious organization in Taiwan during a span from 2022 to 2023. CloudScout is designed to extract sensitive data from cloud services by utilizing stolen web session cookies, facilitated through MgBot, Evasive Panda’s principal malware framework.

CloudScout was notably detected in two key incidents: the first in May 2022 involving a religious institution, where it was installed alongside the MgBot and Nightdoor malware; and the second in February 2023, targeting a suspected Taiwanese government entity. The analysis indicates that the toolset employs a modular architecture with three identified modules specifically designed to infiltrate Google Drive, Gmail, and Outlook, with indications of at least seven additional undetected modules.

Evasive Panda, also known by various names including BRONZE HIGHLAND and Daggerfly, has been operational since at least 2012 and aims to conduct cyberespionage against entities opposing Chinese interests, particularly in Taiwan and Hong Kong, and has extended its operations to nations like Vietnam and South Korea. The group is characterized by a diverse range of sophisticated attack tactics, techniques, and procedures (TTPs), including supply chain attacks and DNS hijacking. Their malware development capabilities are significant, illustrated by their creation of multipurpose backdoors for various operating systems.

In early 2023, three previously unknown .NET modules (CGD, CGM, and COL) were observed, demonstrating the group’s capability to target widely used public cloud services through a method known as cookie hijacking. By stealing web session cookies, attackers can bypass robust security measures like two-factor authentication, successfully retrieving sensitive data directly from stored locations. Although CloudScout has not been previously documented, the article provides a detailed look into its modular framework and code analysis, revealing its extensive functionalities.

An examination of the design and deployment of CloudScout highlights its structured modular approach, with each component programmatically compiled in C#. The toolset was developed around 2020, showcasing a blend of custom and existing libraries to manipulate authentication cookies from major cloud providers, ultimately facilitating unauthorized access and data exfiltration.

The analysis further describes the inner workings of CloudScout modules, including cookie extraction from browsers and structured data retrieval from targeted cloud services. The modules were deployed in cleverly named directories, showcasing efforts to obfuscate and disguise their identity. Each cloud service targeted by CloudScout requires specific authentication cookies, such as OSID and HSSID for Google Drive, and RPSSecAuth for Outlook.

Through detailed telemetry data, the article outlines specific mechanisms employed by CloudScout, linking its powerful capabilities to Evasive Panda’s strategic espionage operations. The modules not only fetch various types of data but also manage complex processes for data encryption and systematic collection, underscoring a high level of operational sophistication.

The article concludes that CloudScout embodies a significant advancement in Evasive Panda’s technological framework for espionage, pointing to cloud-stored data as a pivot for their strategies. With evolving defenses, such as Google and Chrome’s newly implemented security measures against cookie theft, the longevity and effectiveness of CloudScout could be challenged, indicating a shift in the cybersecurity landscape.

In addition to providing insight into the operational profile of Evasive Panda, the article also underscores the increasing importance of cloud service security and the need for robust measures to counteract advanced malicious threats aiming to exploit user data for espionage. The accompanying discussion of indicators of compromise (IoCs) and other technical specifics enriches the overall understanding of CloudScout’s functionality within the broader context of cyber threats.