A government entity and a religious organization in Taiwan were targeted by a China-linked threat actor known as Evasive Panda, which infected them with a previously undocumented post-compromise toolset named CloudScout.

“The CloudScout toolset can retrieve data from a variety of cloud services by leveraging stolen web session cookies,” stated ESET security researcher Anh Ho. “Through a plugin, CloudScout operates seamlessly with MgBot, Evasive Panda’s primary malware framework.”

The Slovak cybersecurity company observed this .NET-based toolset in use between May 2022 and February 2023. It consists of 10 distinct modules written in C#, three of which are specifically designed for stealing data from Google Drive, Gmail, and Outlook. The functions of the remaining seven modules are yet to be determined.

Evasive Panda, which is also known as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group recognized for attacking various entities in Taiwan and Hong Kong. The group is notorious for conducting watering hole and supply chain attacks that primarily target the Tibetan diaspora.

One defining feature of this threat actor is its diverse array of initial access methods, which range from exploiting newly discovered security vulnerabilities to compromising supply chains through DNS poisoning, leading to network breaches and the deployment of MgBot and Nightdoor.

ESET reported that CloudScout’s modules are engineered to hijack authenticated sessions in web browsers by stealing cookies and utilizing them to gain unauthorized access to services like Google Drive, Gmail, and Outlook. Each module is initiated through an MgBot plugin programmed in C++.

“At the core of CloudScout is the CommonUtilities package, which provides essential low-level libraries for the modules to function,” Ho explained.

“CommonUtilities includes many custom libraries, despite the availability of similar open-source options online. These customized libraries offer developers greater flexibility and control over the operation of their implant, compared to using open-source solutions.”

This encompasses:

  • HTTPAccess for managing HTTP communications
  • ManagedCookie for handling cookies in web requests between CloudScout and the targeted service
  • Logger
  • SimpleJSON

The data acquired by the three modules—which includes mail folder listings, email messages (attachments included), and files with specific extensions (.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt)—is compiled into a ZIP archive for further exfiltration by either MgBot or Nightdoor.
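To make concrete what a cookie-handling component such as ManagedCookie has to do, and why a cookie lifted from a browser's store grants the same access as the session it came from, here is an added example in Python. It is not CloudScout's code and not ESET's: a minimal RFC 6265 cookie jar that parses Set-Cookie headers and decides which cookies to attach to a later request. The Set-Cookie lines, cookie values and the example.com hostnames are constructed for illustration.

```python
"""Minimal RFC 6265 cookie jar: parse Set-Cookie, select cookies for a request (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str               # lowercase, leading dot stripped
    path: str
    secure: bool              # only sent over https
    http_only: bool           # hidden from page script, NOT from a process reading the cookie store
    expires: Optional[float]  # unix time; None means a session cookie
    host_only: bool           # no Domain attribute: exact host match only


def parse_set_cookie(header: str, request_url: str, now: float) -> Cookie:
    """Parse one Set-Cookie header as received in the response to request_url."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    host = urlparse(request_url).hostname.lower()
    domain, path, secure, http_only, expires, host_only = host, "/", False, False, None, True
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            domain, host_only = val.lower().lstrip("."), False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "max-age":
            expires = now + int(val)
    return Cookie(name.strip(), value.strip(), domain, path, secure, http_only, expires, host_only)


def domain_matches(host: str, cookie: Cookie) -> bool:
    """RFC 6265 5.1.3: exact host, or a subdomain of a Domain-scoped cookie."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: prefix match on a path-segment boundary."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def cookie_header(jar: List[Cookie], url: str, now: float) -> str:
    """Build the Cookie header a client would send to url from the cookies in jar."""
    u = urlparse(url)
    host, path = u.hostname.lower(), (u.path or "/")
    chosen = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                        # expired (a Max-Age=0 cookie is a deletion)
        if c.secure and u.scheme != "https":
            continue                        # Secure cookies never travel over plain http
        if domain_matches(host, c) and path_matches(path, c.path):
            chosen.append(c)
    chosen.sort(key=lambda c: -len(c.path))  # longer (more specific) paths first
    return "; ".join(f"{c.name}={c.value}" for c in chosen)


def build_jar(samples: List[Tuple[str, str]], now: float) -> List[Cookie]:
    return [parse_set_cookie(header, url, now) for url, header in samples]


def replay_headers(jar: List[Cookie], url: str, now: float) -> dict:
    """What a pass-the-cookie client attaches: no password, no MFA, just the cookies."""
    return {"Cookie": cookie_header(jar, url, now)}


# Constructed sample: (request URL, Set-Cookie header) pairs as a service might have issued them.
SAMPLE_SET_COOKIES = [
    ("https://accounts.example.com/login",
     "SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; Max-Age=3600"),
    ("https://mail.example.com/", "MAILPREF=dense; Path=/mail"),
    ("https://accounts.example.com/login", "OLD=stale; Domain=.example.com; Path=/; Max-Age=0"),
]

if __name__ == "__main__":
    now = 1_000_000.0
    jar = build_jar(SAMPLE_SET_COOKIES, now)
    for target in ("https://drive.example.com/files", "http://drive.example.com/files"):
        print(target, "->", replay_headers(jar, target, now))
```

Two points the example makes explicit: the HttpOnly flag keeps a cookie away from page script but is irrelevant to a process that reads the browser's cookie database, which is how this class of tooling obtains it; and a single Domain-scoped session cookie (SID above) is sent to every subdomain of the service, so one harvested value covers mail, drive and account endpoints alike.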

However, newer browser-side protections that Google has introduced, Device Bound Session Credentials (DBSC) and App-Bound Encryption, are expected to blunt cookie-theft tooling of this kind. App-Bound Encryption ties decryption of Chrome's on-disk cookie store on Windows to the Chrome process itself, so a separate process that copies the cookie database cannot read the values, and DBSC binds a session to a private key held on the device, so a cookie copied to another machine cannot keep that session alive. Neither helps on browsers or platforms that do not implement them, and neither stops code that runs inside the browser process, so these measures reduce, rather than eliminate, pass-the-cookie risk.
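DBSC and App-Bound Encryption harden the endpoint; on the service side a replayed cookie still leaves a trace, because the session is suddenly used from an IP address and client that never authenticated it. The following is an added detection example in Python, not code from ESET or from the toolset described above, run over constructed audit events. The event fields (`session`, `ip`, `ua`, `event`) and all sample values are assumptions for illustration, not any vendor's log schema.

```python
"""Service-side detection of replayed sessions over constructed audit events (added example)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample audit events (not real logs). A "login" event records the IP and
# user agent that authenticated a session; every other event is a use of that session.
# Session s-1 is later used from a different IP and a .NET client, which is what a
# replayed cookie looks like to the service. Session s-9 is used with no login at all.
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T08:00:02Z", "user": "alice", "event": "login",
     "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/118"},
    {"ts": "2024-10-01T08:05:00Z", "user": "alice", "event": "drive.list",
     "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/118"},
    {"ts": "2024-10-01T09:12:44Z", "user": "alice", "event": "mail.list_folders",
     "session": "s-1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (.NET CLR)"},
    {"ts": "2024-10-01T09:13:01Z", "user": "alice", "event": "drive.download",
     "session": "s-1", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (.NET CLR)"},
    {"ts": "2024-10-01T08:30:00Z", "user": "bob", "event": "login",
     "session": "s-2", "ip": "203.0.113.22", "ua": "Firefox/119"},
    {"ts": "2024-10-01T08:31:10Z", "user": "bob", "event": "mail.read",
     "session": "s-2", "ip": "203.0.113.22", "ua": "Firefox/119"},
    {"ts": "2024-10-01T10:02:00Z", "user": "carol", "event": "drive.list",
     "session": "s-9", "ip": "198.51.100.77", "ua": "Mozilla/5.0 (.NET CLR)"},
]


def session_origins(events: List[dict]) -> Dict[str, Tuple[str, str]]:
    """Map session id -> (ip, user agent) recorded when the session was authenticated."""
    origins: Dict[str, Tuple[str, str]] = {}
    for e in events:
        if e["event"] == "login":
            origins[e["session"]] = (e["ip"], e["ua"])
    return origins


def find_replays(events: List[dict]) -> List[dict]:
    """Flag session uses whose network/client context differs from the authenticating one,
    and uses of sessions for which no authentication was ever logged."""
    origins = session_origins(events)
    findings = []
    for e in events:
        if e["event"] == "login":
            continue
        origin = origins.get(e["session"])
        if origin is None:
            findings.append({"ts": e["ts"], "user": e["user"], "session": e["session"],
                             "event": e["event"], "reason": "no_login_for_session"})
            continue
        login_ip, login_ua = origin
        mismatch = []
        if e["ip"] != login_ip:
            mismatch.append("ip")
        if e["ua"] != login_ua:
            mismatch.append("user_agent")
        if mismatch:
            findings.append({"ts": e["ts"], "user": e["user"], "session": e["session"],
                             "event": e["event"], "reason": "context_mismatch",
                             "mismatch": mismatch, "login_ip": login_ip, "seen_ip": e["ip"]})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Findings per session: the unit an alert should aggregate on, not individual events."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["session"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in find_replays(SAMPLE_EVENTS):
        print(finding)
    print(summarize(find_replays(SAMPLE_EVENTS)))
```

An IP change alone is a weak signal (mobile networks and VPNs change addresses legitimately), so in practice the user-agent mismatch and the activity pattern described above, folder enumeration followed by bulk downloads of document types, should be weighted before a page goes out; the per-session summary is the natural place to attach that scoring.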

“CloudScout is a .NET toolset employed by Evasive Panda to harvest data stored in cloud services,” Ho said. “It acts as an extension to MgBot and utilizes the pass-the-cookie method to hijack authenticated sessions from web browsers.”

This development coincides with the Government of Canada accusing a “sophisticated state-sponsored threat actor” from China of engaging in extensive reconnaissance efforts over several months across numerous domains in Canada.

“The majority of the organizations impacted were departments and agencies of the Government of Canada, along with federal political parties, the House of Commons, and the Senate,” it stated.

“They also targeted a multitude of organizations, including democratic institutions, critical infrastructure, the defense sector, media outlets, think tanks, and NGOs.”
