A government agency and a religious institution in Taiwan were targeted by a China-affiliated threat actor known as Evasive Panda, which deployed a previously unreported post-compromise toolset referred to as CloudScout.
According to ESET security researcher Anh Ho, “The CloudScout toolset can extract data from various cloud platforms by utilizing stolen web session cookies.” He further noted that CloudScout integrates smoothly with MgBot, the signature malware framework of Evasive Panda, through a plugin.
The Slovak cybersecurity firm identified the use of this .NET-based malware tool between May 2022 and February 2023. It consists of ten distinct modules, developed in C#, three of which are specifically designed to exfiltrate data from Google Drive, Gmail, and Outlook, while the functions of the remaining modules remain unclear.
Evasive Panda, also known by other aliases such as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group recognized for targeting various organizations in Taiwan and Hong Kong. The group is also infamous for executing watering hole and supply chain attacks aimed at the Tibetan diaspora.
What distinguishes this threat actor is its employment of multiple initial access methods, which include exploiting newly discovered security vulnerabilities and compromising supply chains through DNS poisoning, thereby infiltrating victim networks to deploy MgBot and Nightdoor.
ESET reported that the CloudScout modules are engineered to hijack authenticated web browser sessions by stealing cookies, allowing unauthorized access to Google Drive, Gmail, and Outlook. Each module is activated via an MgBot plugin, which is coded in C++.
“Central to CloudScout is the CommonUtilities package, which supplies all essential low-level libraries required for the modules to function,” Ho elaborated. “Despite the wide availability of similar open-source libraries, CommonUtilities includes several custom-implemented libraries, providing developers with enhanced flexibility and control over the functionality of their implant.”
