China's Evasive Panda APT Debuts High-End Cloud Hijacking

Published: 23/11/2024   Category: security




A professional-grade tool set, appropriately dubbed CloudScout, is infiltrating cloud apps like Microsoft Outlook and Google Drive, targeting sensitive info for exfiltration.



The China-sponsored Evasive Panda hacking crew has debuted CloudScout, a sleek, professional post-compromise toolset that retrieves data from various cloud services by leveraging stolen Web session cookies.
That's according to researchers at ESET, who uncovered CloudScout while investigating a pair of past breaches in Taiwan (targeting a religious institution and a government entity).
CloudScout is written in .NET, and it's designed to work seamlessly with MgBot, Evasive Panda's proprietary malware framework. Via a plug-in architecture, MgBot feeds CloudScout previously stolen cookies, which it then uses to access and pull data from the cloud, using the pass-the-cookie technique to hijack authenticated sessions from Web browsers.
ESET researchers observed individual CloudScout modules targeting Google Drive, Gmail, and Outlook, but in all, they believe Evasive Panda has developed modules for attacks on at least 10 different cloud apps.
"These modules are designed to access public cloud services … by hijacking authenticated Web sessions," according to ESET's analysis, released on Oct. 28. "This technique relies on stealing cookies from a Web browser database, then using them in a specific set of Web requests to gain access to cloud services, thus avoiding authentication checks like two-factor authentication (2FA) and IP tracking."
After authentication, the CloudScout modules use a set of hardcoded Web requests, as well as complex HTML parsers, to identify and extract any data of interest from Web responses, such as email folder listings and email messages. Once the data is collected, it's compressed into a .zip archive that can then be exfiltrated by either MgBot or another proprietary backdoor called Nightdoor.
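The hijacking described above leaves a detectable trace on the service side: a session cookie that was issued after an MFA login suddenly arrives from a different client. The following detector is an added example (not code from ESET or the article) that binds each session to the client fingerprint seen at MFA completion and flags later requests with the same cookie from a different fingerprint; the log records and field names are constructed for the illustration.

```python
# Added example: detect pass-the-cookie style session reuse in constructed
# web-access logs. Field names and log format are assumptions for this demo.
from collections import namedtuple

Event = namedtuple("Event", "ts session_id user action src_ip user_agent")

# Constructed sample log: alice completes MFA and reads mail from her browser,
# then the same session cookie is presented from another host by a scripted
# client. bob's session is used only from the client that authenticated.
SAMPLE_LOG = [
    Event("2024-10-01T08:00:00Z", "sess-A1", "alice", "mfa_ok", "203.0.113.10", "Firefox/130"),
    Event("2024-10-01T08:05:00Z", "sess-A1", "alice", "mail.list", "203.0.113.10", "Firefox/130"),
    Event("2024-10-01T11:42:00Z", "sess-A1", "alice", "drive.list", "198.51.100.77", "python-requests/2.32"),
    Event("2024-10-01T11:43:00Z", "sess-A1", "alice", "mail.read", "198.51.100.77", "python-requests/2.32"),
    Event("2024-10-01T09:00:00Z", "sess-B2", "bob", "mfa_ok", "192.0.2.5", "Chrome/129"),
    Event("2024-10-01T09:30:00Z", "sess-B2", "bob", "mail.read", "192.0.2.5", "Chrome/129"),
]


def find_hijacked_sessions(events):
    """Return (session_id, ts, severity, reason) for suspicious session use.

    Each session is bound to (src_ip, user_agent) when MFA completes. A later
    request on that session from a different user agent is rated "high": a
    live browser session does not change its UA, so this is what a replayed
    cookie looks like. An IP-only change is rated "low" because roaming and
    NAT make it common. A session never seen completing MFA is also flagged.
    """
    bound = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):  # ISO timestamps sort lexically
        if ev.action == "mfa_ok":
            bound[ev.session_id] = (ev.src_ip, ev.user_agent)
            continue
        origin = bound.get(ev.session_id)
        if origin is None:
            alerts.append((ev.session_id, ev.ts, "medium", "session used without observed MFA login"))
            continue
        orig_ip, orig_ua = origin
        if ev.user_agent != orig_ua:
            alerts.append((ev.session_id, ev.ts, "high",
                           f"client changed {orig_ua}@{orig_ip} -> {ev.user_agent}@{ev.src_ip}"))
        elif ev.src_ip != orig_ip:
            alerts.append((ev.session_id, ev.ts, "low", f"ip changed {orig_ip} -> {ev.src_ip}"))
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_LOG):
        print(*alert)
```

In production the binding would come from the identity provider's MFA event rather than an inline log record, and the low-severity IP rule should be tuned per population before it pages anyone.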
Evasive Panda (aka Bronze Highland, Daggerfly, or StormBamboo) is an advanced persistent threat (APT) that's been operating since at least 2012, focused mainly on cyber espionage against civil society targets.
"These include independence movements such as those in the Tibetan diaspora, religious and academic institutions in Taiwan and in Hong Kong, and supporters of democracy in China," ESET researchers noted. "At times we have also observed its cyberespionage operations extend to countries such as Vietnam, Myanmar, and South Korea." It has also been seen targeting a handful of victims in Nigeria.
The Chinese APT is known for consistently evolving its cyberattack techniques, but the latest iteration is notable in its sophistication, the researchers wrote.
According to ESET, "The professional design behind the CloudScout framework … demonstrates Evasive Panda's technical capabilities and the important roles that cloud-stored documents, user profiles, and email play in its espionage operations."
