CloudScout: Evasive Panda’s Cloud Service Exploration

CloudScout is a .NET post-compromise toolset used by the Evasive Panda APT to access and exfiltrate data from cloud services by hijacking web session cookies, deployed against a Taiwanese government entity and a religious organization from 2022 to 2023. The framework operates with MgBot to target Google Drive, Gmail, and Outlook, illustrating advanced cloud-based cyberespionage capabilities. #CloudScout #EvasivePanda #MgBot #Nightdoor #Gmck #GoogleDrive #Gmail #Outlook #Taiwan

Key points

  • The CloudScout toolset was detected in Taiwan, targeting a religious institution and a government entity.
  • CloudScout utilizes stolen cookies via MgBot plugins to access and exfiltrate data from cloud services.
  • Three CloudScout modules were analyzed, targeting Google Drive, Gmail, and Outlook, with indications of at least seven additional modules.
  • Hardcoded fields in requests suggest targeting of Taiwanese users.
  • CloudScout modules are programmed in C#, while MgBot plugins are in C++; the architecture is modular and data retrieval is designed for scalable exfiltration.
  • Evasive Panda is a China-aligned APT group focused on cyberespionage against entities opposing Chinese interests.
  • Recent security measures by Google and others may render CloudScout obsolete.

MITRE Techniques

  • [T1583.004] Acquire Infrastructure: Server – “Evasive Panda acquired servers for the C&C infrastructure of MgBot and Nightdoor.”
  • [T1587.001] Develop Capabilities: Malware – “Evasive Panda developed custom implants such as MgBot, CloudScout, and Nightdoor.”
  • [T1569.002] System Services: Service Execution – “MgBot is executed as a Windows service.”
  • [T1106] Native API – “The MgBot installer uses Windows APIs to create processes. Gmck uses ExecuteInDefaultAppDomain to execute CGM in the CLR.”
  • [T1543.003] Create or Modify System Process: Windows Service – “MgBot replaces the existing Application Management service DLL path with its own.”
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – “MgBot performs UAC bypass.”
  • [T1140] Deobfuscate/Decode Files or Information – “Gmck decrypts Chrome, Edge, and Firefox web browser databases to extract cookies.”
  • [T1112] Modify Registry – “MgBot modifies the registry for persistence.”
  • [T1027] Obfuscated Files or Information – “Gmck obfuscates the configuration that contains cookies.”
  • [T1550.004] Use Alternate Authentication Material: Web Session Cookie – “CloudScout uses stolen cookies to access cloud resources.”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – “CloudScout modules are installed to %ProgramData%\NVIDlA to mimic an NVIDIA directory.”
  • [T1539] Steal Web Session Cookie – “Gmck steals cookies.”
  • [T1082] System Information Discovery – “MgBot collects system information.”
  • [T1560.001] Archive Collected Data: Archive via Utility – “CloudScout modules use SharpZipLib to compress data before exfiltration.”
  • [T1530] Data from Cloud Storage Object – “CGD downloads files stored on Google Drive.”
  • [T1114.002] Email Collection: Remote Email Collection – “CGM and COL access and collect emails from Gmail and Outlook Web Access, respectively.”
  • [T1095] Non-Application Layer Protocol – “MgBot communicates with its C&C via UDP.”
  • [T1041] Exfiltration Over C2 Channel – “MgBot exfiltrates collected data to its C&C.”

Indicators of Compromise

  • [IP] Command and control server access – 103.96.128.44 (First seen 2022-05-26), hosting provider IRT-WUZHOUHULIAN-HK.
  • [SHA-1] CloudScout/MgBot-related binaries – C70C3750AC6B9D7B033ADDEF838EF1CC28C262F3, 812124B84C5EA455F7147D94EC38D24BDF159F84 (MgBot loader).
  • [File name] Loaders/Droppers – pmsrvd.dll (MgBot loader), 3.exe (MgBot dropper).
  • [Domain] Cloud service targets – drive.google.com, mail.google.com (used by Google Drive and Gmail modules).
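A defender-side check built from the indicators above, as an added example that is not ESET's tooling or part of the original report: it flags telemetry events whose file name, SHA-1 or destination IP matches the listed IoCs, and ProgramData subdirectories that only resemble NVIDIA through look-alike characters (the NVIDlA masquerade noted under T1036.005). The event dictionary format and the sample events are constructed for the example.

```python
import re

# Indicators listed in the summary above.
C2_IPS = {"103.96.128.44"}
SHA1_IOCS = {"C70C3750AC6B9D7B033ADDEF838EF1CC28C262F3",
             "812124B84C5EA455F7147D94EC38D24BDF159F84"}
FILE_NAMES = {"pmsrvd.dll", "3.exe"}
# Look-alike characters used in masquerading directory names; the report's
# example swaps the capital I of NVIDIA for a lowercase l.
HOMOGLYPHS = str.maketrans({"l": "I", "1": "I", "|": "I", "0": "O"})

def lookalike_dir(path):
    """Name of the ProgramData subdirectory in `path` if it merely resembles
    'NVIDIA' after homoglyph normalisation; None if absent or genuine."""
    m = re.search(r"ProgramData[\\/]+([^\\/]+)", path, re.IGNORECASE)
    if not m:
        return None
    name = m.group(1)
    if name.upper() == "NVIDIA":  # genuine spelling in any case
        return None
    return name if name.translate(HOMOGLYPHS).upper() == "NVIDIA" else None

def match_event(event):
    """List the indicator types a telemetry event matches (empty if clean).
    `event` is a dict with optional keys path, sha1 and dst_ip (constructed)."""
    hits = []
    path = event.get("path") or ""
    if event.get("dst_ip") in C2_IPS:
        hits.append("c2_ip")
    if (event.get("sha1") or "").upper() in SHA1_IOCS:
        hits.append("sha1")
    if re.split(r"[\\/]", path)[-1].lower() in FILE_NAMES:
        hits.append("file_name")
    if lookalike_dir(path):
        hits.append("lookalike_dir")
    return hits

def scan(events):
    """Return [(index, hits)] for every event with at least one match."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]

# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    {"path": r"C:\ProgramData\NVIDIA\Display\nvapp.exe", "sha1": "00" * 20},
    {"path": r"C:\ProgramData\NVIDlA\module.dll"},
    {"path": r"C:\Windows\Temp\3.exe", "dst_ip": "103.96.128.44"},
    {"path": r"C:\Windows\System32\pmsrvd.dll",
     "sha1": "812124b84c5ea455f7147d94ec38d24bdf159f84"},
]
```

Running `scan(SAMPLE_EVENTS)` reports events 1 to 3 with their matched indicator types, while the genuine NVIDIA directory in event 0 is left alone.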

Read more: https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/