ESET discovers CloudScout: China-aligned Evasive Panda targets Taiwan and data stored in the cloud

Next story
  • ESET Research discovers the CloudScout toolset, detected in Taiwan between 2022 and 2023, in the networks of a religious institution and a government entity.
  • The toolset is used by the China-aligned Evasive Panda group for cyberespionage.
  • CloudScout utilises stolen cookies, provided by MgBot plugins, to access and exfiltrate data stored on various cloud services.
  • We analysed three CloudScout modules, which aim to steal data from Google Drive, Gmail, and Outlook. We believe that at least seven additional modules exist.

MONTREAL, BRATISLAVA — October 28, 2024 — ESET researchers discovered a previously undocumented toolset used by the China-aligned group, Evasive Panda, to access and retrieve data from cloud services such as Google Drive, Gmail, and Outlook. The post-compromise toolset CloudScout was used to target a government entity and a religious organisation in Taiwan from 2022 to 2023. Aiming at cyberespionage, CloudScout is capable of retrieving data from various cloud services by leveraging stolen web session cookies.

Evasive Panda deployed three previously unknown .NET modules designed to access public cloud services by hijacking authenticated web sessions. This technique relies on stealing cookies from a web browser database, and then using them in a specific set of web requests to gain access to cloud services. Unlike stolen credentials, which may be blocked by security features such as two-factor authentication (2FA) and IP tracking, stolen web session cookies allow the attacker, right from the victim’s machine, to retrieve data stored in the cloud. CloudScout is implemented as an extension to MgBot backdoor plugins. Hardcoded fields in CloudScout’s web requests for stealing Outlook email messages suggest that the samples involved were crafted to target Taiwanese users.

In May 2022, the network of a Taiwanese religious institution was compromised with MgBot and Nightdoor. In this incident, MgBot was used to install a plugin that deploys a CloudScout module. In February 2023, CloudScout modules and the Nightdoor implant were detected at what we suspect is a Taiwanese government entity.

After authentication, the CloudScout modules browse the compromised cloud service accounts in a manner similar to how a regular user would in a web browser. To achieve this, each CloudScout module is equipped with a set of hardcoded web requests to perform, along with complex HTML parsers, that identify and extract the data of interest from the web responses. The data is exfiltrated and in the final step, the CloudScout modules do a full cleanup, removing all artifacts generated during the collection cycle except the files to be exfiltrated. After that, they either exit or continue and wait for a new configuration file to start a new collection cycle.

“The professional design behind the CloudScout framework demonstrates Evasive Panda’s technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations,” explains ESET researcher Anh Ho, who discovered CloudScout.

Evasive Panda (also known as BRONZE HIGHLAND, Daggerfly, or StormBamboo) is a China-aligned APT group, operating since at least 2012. Evasive Panda’s objective is cyberespionage against countries and organisations opposing China’s interests through independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China. At times, ESET has also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea. Evasive Panda has accumulated an impressive list of attack vectors. We have seen its operators conduct sophisticated TTPs such as supply-chain and watering-hole attacks, and DNS hijacking.

For a more detailed analysis and technical breakdown of CloudScout, check out the latest ESET Research blogpost “CloudScout: Evasive Panda scouting cloud services” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Compromise chain observed in the network of a religious institution in Taiwan