A newly documented toolset, CloudScout, developed by the advanced persistent threat (APT) group Evasive Panda, has been identified as targeting Taiwanese institutions to infiltrate and extract cloud-based data.
The attacks, spanning 2022 to 2023 and discovered by ESET, reveal how CloudScout exploits session cookies stolen by MgBot plugins to access Google Drive, Gmail and Outlook accounts without the need for direct authentication.
Evasive Panda, a China-aligned group active since at least 2012, has focused on cyber-espionage in Taiwan, where it previously targeted both a government entity and a religious institution.
“Evasive Panda has accumulated an impressive list of attack vectors. We have seen its operators conduct sophisticated TTPs such as supply-chain and watering-hole attacks and DNS hijacking; in addition, they have abused the latest CVEs affecting Microsoft Office, Confluence and web server applications,” ESET explained.
“The group also demonstrates a strong capability for malware development, which is showcased in its deep collection of multi-platform backdoors for Windows, macOS, and Android.”
CloudScout’s three identified modules – CGD, CGM and COL – serve distinct purposes: CGD targets Google Drive, CGM targets Gmail and COL targets Outlook. Each module uses compromised cookies to bypass two-factor authentication, allowing direct access to cloud-stored data.
Key features of CloudScout include:
- Seamless integration with MgBot, Evasive Panda’s main malware framework
- Access to targeted cloud services by emulating authenticated user sessions
- Automated data extraction from Google Drive, Gmail and Outlook without user credentials
The internal framework of CloudScout is engineered to process complex tasks, including configuring, managing and decrypting cookies required for the modules to establish web requests.
CloudScout's CommonUtilities package also facilitates its operation by managing HTTP requests and cookie parsing, making the tool adaptable to the varied structures of each targeted service. The malware can independently monitor directories for new configuration files, prompting data extraction cycles that delete evidence of activity after each cycle.
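Because CloudScout replays a stolen cookie rather than re-authenticating, the service sees a valid session that suddenly originates from a different client. The following added example (not ESET's analysis code nor anything from the malware) shows the detection logic a defender can run over access logs: it flags a session identifier that is in concurrent use from two client fingerprints (source IP plus User-Agent) within a short window. The log format, the field names `sess`, `ip` and `ua`, and the sample lines are all constructed for this illustration; real Google or Microsoft audit exports carry the same information under different field names.

```python
"""Flag session-cookie replay in web-access logs.

Added example, not code from the article or from the malware it describes.
Assumed (constructed) log format per line:
    <ISO-8601 timestamp> sess=<session-cookie id> ip=<client IP> ua="<User-Agent>"
"""
import re
from datetime import datetime, timezone

LINE_RE = re.compile(r'^(\S+) sess=(\S+) ip=(\S+) ua="([^"]*)"$')

# Constructed sample: session ab12 is used by a browser, then two minutes later
# by a scripted client from another address while the browser session is live.
SAMPLE_LOG = """\
2023-03-01T08:00:00Z sess=ab12 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/110"
2023-03-01T08:05:00Z sess=ab12 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/110"
2023-03-01T08:07:00Z sess=ab12 ip=198.51.100.7 ua="python-requests/2.28"
2023-03-01T09:00:00Z sess=cd34 ip=203.0.113.44 ua="Mozilla/5.0 (Macintosh) Safari/16"
2023-03-01T12:00:00Z sess=cd34 ip=203.0.113.44 ua="Mozilla/5.0 (Macintosh) Safari/16"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sess": m.group(2), "ip": m.group(3), "ua": m.group(4)}


def looks_scripted(user_agent):
    """Heuristic: browsers identify as Mozilla/...; HTTP libraries usually do not."""
    return not user_agent.startswith("Mozilla/")


def find_session_replay(log_text, window_minutes=60):
    """Return one alert per session that is used from a second client fingerprint
    within `window_minutes` of its last use from the original fingerprint.

    A fingerprint change long after the last activity is ignored: a legitimate
    user moving networks looks like that, while a copied cookie is typically
    replayed while the victim's own session is still active.
    """
    state = {}  # sess -> {"ip", "ua", "last_ts"} for the first-seen fingerprint
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = state.get(ev["sess"])
        if s is None:
            state[ev["sess"]] = {"ip": ev["ip"], "ua": ev["ua"], "last_ts": ev["ts"]}
            continue
        if (ev["ip"], ev["ua"]) == (s["ip"], s["ua"]):
            s["last_ts"] = ev["ts"]  # same client, just refresh the activity clock
            continue
        elapsed = (ev["ts"] - s["last_ts"]).total_seconds() / 60
        if elapsed <= window_minutes:
            alerts.append({
                "sess": ev["sess"],
                "original_ip": s["ip"],
                "new_ip": ev["ip"],
                "new_ua": ev["ua"],
                "minutes_since_original_use": elapsed,
                "scripted_client": looks_scripted(ev["ua"]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_session_replay(SAMPLE_LOG):
        print(a)
```

In production the session value should be a hash of the cookie, never the cookie itself, so the log does not become a second copy of the credential the attacker is after; the window and the User-Agent heuristic are tuning knobs, and the strongest signal is the combination of a live browser session and a non-browser client sharing one session id.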
Researchers have observed how CloudScout employs targeted methods that appear designed for Taiwanese users, indicated by language preferences and region-specific configurations embedded in its modules.
Analysis also indicates that CloudScout may have additional modules targeting social media, such as Facebook and Twitter, though these modules remain unseen in active deployments.