China-Aligned Hackers Use CloudScout Toolkit to Steal Session Cookies from Cloud Services
A government entity and a religious organization in Taiwan were targeted by a China-linked threat actor known as Evasive Panda, which infected them with a previously undocumented post-compromise toolset named CloudScout.
“The CloudScout toolkit is proficient at obtaining information from diverse cloud platforms by utilizing pilfered web session cookies. This toolset seamlessly integrates with MgBot, the distinctive malicious framework of Evasive Panda,” said Anh Ho, a security researcher at ESET.
According to the Slovak cybersecurity firm, the .NET-based malicious tool was observed in use between May 2022 and February 2023. It comprises 10 distinct modules, written in C#, three of which are designed to retrieve data from Google Drive, Gmail, and Outlook. The purpose of the remaining seven modules is currently unknown.
Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group with a history of targeting entities in Taiwan and Hong Kong. It has also been observed conducting watering hole and supply chain attacks against the Tibetan diaspora.
What sets this threat actor apart is its use of numerous initial access vectors, ranging from newly disclosed security flaws to supply chain poisoning via DNS poisoning, to breach target networks and deploy MgBot and Nightdoor.
ESET said the CloudScout modules are designed to hijack authenticated web browser sessions by stealing their cookies and using them to gain unauthorized access to Google Drive, Gmail, and Outlook. Each module is deployed by an MgBot plugin written in C++.
“At the core of CloudScout lies the CommonUtilities pack, which serves as the supplier of all vital low-level libraries for the modules to operate,” Ho explained.
“While various similar open-source libraries are readily available online, CommonUtilities houses several self-implemented libraries. These proprietary libraries grant the developers greater leeway and authority over the components of the implant, contrary to open-source alternatives.”
The components include:
- HTTPAccess, which provides functionality for handling HTTP communications
- ManagedCookie, which provides cookie management for web requests between CloudScout and the targeted service
- Logger
- SimpleJSON
The data collected by the three modules (mail folder listings, email messages including attachments, and files matching particular extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and .txt) is compressed into a ZIP archive for later exfiltration by either MgBot or Nightdoor.
That said, recent security measures introduced by Google, such as Device Bound Session Credentials (DBSC) and App-Bound Encryption, are likely to render cookie-theft malware of this kind obsolete: DBSC ties a session to a key held on the device, so a copied cookie is no longer sufficient on its own, and App-Bound Encryption makes cookies stored on disk by Chrome harder for a malicious process to decrypt in the first place.
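To make the two halves of the story concrete, the following is an added, constructed example (not ESET's analysis code and not anything from CloudScout or MgBot) of the pass-the-cookie technique the article describes and of the device-bound defence it says DBSC introduces. A toy mail service first issues plain session cookies, and replaying a cookie copied from the victim's browser profile is enough to list the mailbox. A second variant binds each session at login to a per-device key and only honours the cookie together with a fresh, single-use server challenge signed by that key, so the attacker's stolen cookie, and even a captured proof, is rejected. The service, the mailbox contents, and the class and function names are all invented for the demo; the HMAC key stands in for the asymmetric, hardware-resident key a real DBSC deployment would use, which is a deliberate simplification.

```python
import hashlib
import hmac
import os
import secrets
import time


class ToyMailService:
    """Cookie-only sessions: whoever presents the cookie is treated as the user."""

    def __init__(self):
        self.sessions = {}  # cookie value -> username
        self.mailboxes = {"alice": ["Q3 budget.xlsx", "travel itinerary"]}  # constructed data

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def list_mail(self, cookie):
        user = self.sessions.get(cookie)
        if user is None:
            raise PermissionError("no valid session")
        return self.mailboxes[user]


class DeviceKey:
    """Stands in for the browser's hardware-backed key; the secret never leaves the device."""

    def __init__(self):
        self._secret = os.urandom(32)

    def verification_key(self):
        # Real DBSC registers a public key; HMAC needs the shared secret instead.
        # That is the one simplification in this demo.
        return self._secret

    def sign(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class DeviceBoundMailService(ToyMailService):
    """Honours a cookie only with a fresh, single-use challenge signed by the bound key."""

    CHALLENGE_TTL = 30  # seconds

    def __init__(self):
        super().__init__()
        self.bound_keys = {}  # cookie -> verification key registered at login
        self.challenges = {}  # cookie -> (nonce, issued_at)

    def login(self, user, verification_key):
        cookie = super().login(user)
        self.bound_keys[cookie] = verification_key
        return cookie

    def challenge(self, cookie):
        nonce = os.urandom(16)
        self.challenges[cookie] = (nonce, time.time())
        return nonce

    def list_mail(self, cookie, proof, now=None):
        now = time.time() if now is None else now
        if cookie not in self.sessions:
            raise PermissionError("no valid session")
        nonce, issued = self.challenges.pop(cookie, (None, 0.0))  # single use
        if nonce is None or now - issued > self.CHALLENGE_TTL:
            raise PermissionError("challenge missing or expired")
        expected = hmac.new(self.bound_keys[cookie], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("proof not from the bound device")
        return self.mailboxes[self.sessions[cookie]]


def pass_the_cookie_unbound():
    """Cookie copied from the victim's browser profile is replayed: access granted."""
    svc = ToyMailService()
    stolen_cookie = svc.login("alice")  # attacker lifts this from the cookie store
    return svc.list_mail(stolen_cookie)


def pass_the_cookie_bound():
    """Same theft against a device-bound session. Returns (legit, attacker, replay)."""
    svc = DeviceBoundMailService()
    victim_device = DeviceKey()
    cookie = svc.login("alice", victim_device.verification_key())

    # Victim's browser: asks for a challenge and signs it with the bound key.
    proof = victim_device.sign(svc.challenge(cookie))
    legit = svc.list_mail(cookie, proof)

    # Attacker holds the cookie but not the key, so signs with a key of their own.
    try:
        svc.list_mail(cookie, DeviceKey().sign(svc.challenge(cookie)))
        attacker = "access granted"
    except PermissionError as err:
        attacker = str(err)

    # Attacker who also captured the victim's earlier proof cannot reuse it.
    try:
        svc.list_mail(cookie, proof)
        replay = "access granted"
    except PermissionError as err:
        replay = str(err)
    return legit, attacker, replay


if __name__ == "__main__":
    print("unbound session, stolen cookie:", pass_the_cookie_unbound())
    legit, attacker, replay = pass_the_cookie_bound()
    print("device-bound: victim ->", legit)
    print("device-bound: stolen cookie, wrong key ->", attacker)
    print("device-bound: stolen cookie, captured proof ->", replay)
```

The point of the second variant is that the cookie stops being a bearer token: the server keeps a verification key per session and demands proof of possession on each sensitive request, and the nonce is consumed on use so a sniffed proof cannot be replayed either. In a real deployment the key lives in the TPM or a platform keystore and the proof is an asymmetric signature, which is what lets the browser register only a public key with the service.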
“Evasive Panda leverages CloudScout, a .NET toolkit, to pilfer data preserved in cloud services. The toolkit is implemented as an extension to MgBot and exploits the pass-the-cookie technique to seize authenticated sessions from web browsers,” Ho clarified.
The development comes as the Canadian government accused a “highly advanced state-supported threat actor” from China of undertaking extensive reconnaissance operations covering multiple domains in Canada over several months.
“The majority of targeted organizations were Government of Canada departments and agencies, in addition to federal political entities, the House of Commons, and Senate,” the statement said.
“They also aimed at numerous entities including democratic institutions, vital infrastructures, the military sector, media organizations, think tanks, and non-governmental organizations.”