Figure: Interactions between Gmck and CGM (image: ESET)
In a recent discovery, ESET researchers unveiled “CloudScout,” a sophisticated cyberespionage toolset employed by the advanced persistent threat (APT) group called Evasive Panda. This China-aligned group has reportedly used CloudScout to infiltrate the networks of government and religious organizations in Taiwan. The toolset primarily exploits stolen browser session cookies to access and exfiltrate data from popular cloud services, including Google Drive, Gmail, and Outlook.
ESET’s report states, “CloudScout utilizes stolen cookies, provided by MgBot plugins, to access and exfiltrate data stored at various cloud services”. MgBot, a well-known malware framework associated with Evasive Panda, supplies these session cookies through specific plugins designed to integrate seamlessly with the CloudScout modules. The researchers detected three key CloudScout modules (CGD, CGM, and COL), each of which targets a different cloud service.
The modular nature of CloudScout makes it adaptable. Each module is programmed in C# and focuses on specific targets, with some modules potentially in development to extend its reach further. The report notes, “We analyzed three CloudScout modules… We believe that at least seven additional modules exist,” implying that this toolset may have broader capabilities.

CloudScout’s stealth lies in its use of cookie-based authentication, which bypasses security measures like two-factor authentication (2FA): a stolen session cookie represents a session that has already passed the login and 2FA checks. By hijacking these authenticated web sessions, CloudScout modules perform actions as if they were the legitimate user. This technique is particularly effective for gaining unauthorized access to cloud-stored data, which is then exfiltrated. As ESET describes, “The stolen cookies allow the attacker to retrieve data stored in the cloud, right from the victim’s machine.”
As ESET continues to monitor and study Evasive Panda’s latest capabilities, it underscores the importance of emerging defenses like Google’s Device Bound Session Credentials and Chrome’s App-Bound Encryption, which aim to combat cookie-based intrusions.
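To make concrete why device-bound sessions blunt cookie theft of the kind CloudScout relies on, here is an added toy model of the idea (illustration only, not ESET's, Google's, or any real DBSC implementation). Real Device Bound Session Credentials bind a session to an asymmetric key kept in the device's TPM and have the server store only the public key; this simplification, an assumption of the example, uses an HMAC secret standing in for that device key, so the server here holds a copy of it. The point it demonstrates is unchanged: a copied cookie on its own is no longer enough, because each request must also carry a proof computed with a key that never left the original device.

```python
"""Toy device-bound session check (added example, not code from the page or ESET).

Simplification: an HMAC secret stands in for the per-device asymmetric key
used by real DBSC, so the server stores the shared secret where DBSC would
store only the public key.  All names and values here are constructed.
"""
import hashlib
import hmac
import secrets


class DeviceBoundSessionServer:
    """Server side: issues session cookies and checks a per-request proof."""

    def __init__(self):
        # session cookie -> device key the session was bound to at login
        self.sessions = {}

    def issue_session(self, device_key: bytes) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = device_key
        return cookie

    def challenge(self) -> bytes:
        # fresh nonce per request, so a captured proof cannot be replayed either
        return secrets.token_bytes(16)

    def verify(self, cookie: str, nonce: bytes, proof: bytes) -> bool:
        key = self.sessions.get(cookie)
        if key is None:
            return False
        expected = hmac.new(key, nonce + cookie.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Device:
    """Client side: holds the device key and the session cookie."""

    def __init__(self):
        self.key = secrets.token_bytes(32)  # in real DBSC this never leaves the TPM
        self.cookie = None

    def login(self, server: DeviceBoundSessionServer) -> None:
        # login (password + 2FA) happens here; the resulting session is bound to self.key
        self.cookie = server.issue_session(self.key)

    def request(self, server: DeviceBoundSessionServer) -> bool:
        nonce = server.challenge()
        proof = hmac.new(self.key, nonce + self.cookie.encode(), hashlib.sha256).digest()
        return server.verify(self.cookie, nonce, proof)


def simulate() -> dict:
    """Run three scenarios and report whether each request was accepted."""
    server = DeviceBoundSessionServer()
    victim = Device()
    victim.login(server)

    # 1. the device that holds the key makes a normal request
    legitimate = victim.request(server)

    # 2. another machine has a copy of the cookie but not the device key
    other_machine = Device()
    other_machine.cookie = victim.cookie
    stolen_cookie = other_machine.request(server)

    # 3. the cookie is presented with no proof at all (classic cookie replay)
    no_proof = server.verify(victim.cookie, server.challenge(), b"")

    return {"legitimate": legitimate, "stolen_cookie": stolen_cookie, "no_proof": no_proof}


if __name__ == "__main__":
    print(simulate())  # {'legitimate': True, 'stolen_cookie': False, 'no_proof': False}
```

The second scenario is the one that matters for CloudScout: the cookie copied off the victim's machine is valid, yet the server rejects the request because the proof was computed with the wrong key. Note that binding only helps for requests made from elsewhere; tooling that runs on the victim's own machine can still drive the browser's genuine session, which is the gap App-Bound Encryption is meant to narrow.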