Hackers often target cloud services because of their vast attack surface and the widespread presence of vulnerabilities.
The growing dependence on cloud infrastructure across industries also increases the potential impact of a successful attack.
Cybersecurity researchers at ESET recently discovered that Evasive Panda has been actively attacking cloud services to steal data using a new toolkit.
Evasive Panda (aka “BRONZE HIGHLAND,” “Daggerfly,” “StormBamboo”) is a sophisticated Chinese APT group that has been conducting cyber espionage operations since 2012. This group primarily targets organizations that resist China’s interests.
Evasive Panda Attacking Cloud Services
Their operations extend across multiple types of organizations and several countries. Targeted organizations include:
- Tibetan diaspora
- Taiwanese religious institutions
- Taiwanese academic institutions
- Hong Kong entities
- Pro-democracy advocates in China
The targeted countries are:
- Vietnam
- Myanmar
- South Korea
The group’s technical arsenal contains advanced attack methodologies like “Supply-chain compromises,” “Watering-hole attacks,” and “DNS hijacking.”
Their malware development capabilities are demonstrated by tools such as:
- MgBot (a customizable malware framework)
- Nightdoor (an advanced backdoor that uses cloud services for C&C communications)
- CloudScout (a .NET-based framework)
“CloudScout” is noteworthy because it contains specialized modules (‘CGD,’ ‘CGM,’ and ‘COL’) designed to compromise cloud services (Google Drive, Gmail, and Outlook) by stealing “authenticated web session cookies.” This lets the threat actors bypass “2FA” and “IP-based” security measures effectively, the ESET report reads.
The group also actively exploits CVEs in various web server applications and popular platforms (“Microsoft Office & Confluence”).
Their tooling maintains “cross-platform compatibility” across “Windows,” “macOS,” and “Android.” The core functionality of the CloudScout toolset revolves around the “pass-the-cookie” technique.
Using this technique, it maintains unauthorized access by stealing authentication cookies such as “X-OWA-CANARY” (for Outlook Web Access), “RPSSecAuth,” and “ClientId.”
For data collection, the modules employ “hardcoded web requests” and “HTML parsers” to systematically extract various content types like “email headers,” “message bodies,” “attachments,” and “documents” (with the following extensions ‘.doc,’ ‘.docx,’ ‘.xls,’ ‘.xlsx,’ ‘.ppt,’ ‘.pptx,’ ‘.pdf,’ and ‘.txt’).
Each extracted item is processed with a custom metadata header (containing client ID, subject/filename, and username information), then encrypted using “RC4 encryption,” and stored with an arbitrary GUID filename and custom extension.
These items are subsequently compressed into a ZIP archive with a “.hxkz_zip” extension and placed in a designated exfiltration directory specified by the datapath configuration field.
The entire process concludes with a cleanup phase that removes all operational artifacts except the exfiltration files.
After this, the module either terminates or awaits new configuration files, depending on the “dealone” flag setting. Final data exfiltration is then handled by “MgBot” or “Nightdoor.”
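The staging pipeline described above (GUID-named encrypted items followed by a “.hxkz_zip” archive in the same directory) leaves a file-system pattern a defender can hunt for. The following is an added detection example, not code from the ESET report or from CloudScout; the event-line format, the directory paths and the “.blob” extension on the sample items are constructed, since the article does not name the custom extension.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A bare GUID followed by any extension: the article says encrypted items get
# an arbitrary GUID filename plus a custom extension it does not name.
GUID_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.[a-z0-9_]+$",
    re.IGNORECASE,
)
ARCHIVE_EXT = ".hxkz_zip"  # staging-archive extension named in the article


def parse_event(line):
    """Parse one constructed file-event line: '<iso-time> <ACTION> <path>'."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action, path


def split_path(path):
    """Split a Windows or POSIX path into (directory, filename)."""
    directory, _, name = path.replace("\\", "/").rpartition("/")
    return directory, name


def find_staging_dirs(lines, min_items=3, window=timedelta(minutes=10)):
    """Return {directory: guid_item_count} for each directory where a .hxkz_zip
    archive was created after >= min_items GUID-named files within `window`."""
    per_dir = defaultdict(lambda: {"items": [], "archives": []})
    for line in lines:
        ts, action, path = parse_event(line)
        if action != "CREATE":
            continue
        directory, name = split_path(path)
        if name.lower().endswith(ARCHIVE_EXT):
            per_dir[directory]["archives"].append(ts)
        elif GUID_NAME.match(name):
            per_dir[directory]["items"].append(ts)
    hits = {}
    for directory, seen in per_dir.items():
        for archive_ts in seen["archives"]:
            recent = [t for t in seen["items"] if archive_ts - window <= t <= archive_ts]
            if len(recent) >= min_items:
                hits[directory] = len(recent)
                break
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2024-10-28T09:14:02 CREATE C:\\Users\\Public\\out\\3f2504e0-4f89-11d3-9a0c-0305e82c3301.blob",
    "2024-10-28T09:14:03 CREATE C:\\Users\\Public\\out\\7c9e6679-7425-40de-944b-e07fc1f90ae7.blob",
    "2024-10-28T09:14:05 CREATE C:\\Users\\Public\\out\\16fd2706-8baf-433b-82eb-8c7fada847da.blob",
    "2024-10-28T09:14:09 CREATE C:\\Users\\Public\\out\\9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d.blob",
    "2024-10-28T09:15:40 CREATE C:\\Users\\Public\\out\\a1b2c3d4-0000-4000-8000-000000000000.hxkz_zip",
    "2024-10-28T09:16:00 CREATE C:\\Users\\alice\\Downloads\\report.pdf",
    "2024-10-28T11:00:00 CREATE C:\\Temp\\550e8400-e29b-41d4-a716-446655440000.tmp",
]

if __name__ == "__main__":
    print(find_staging_dirs(SAMPLE_EVENTS))  # {'C:/Users/Public/out': 4}
```

A lone GUID-named temp file (the C:\Temp entry) does not fire; the rule needs the burst of items and the archive together, which keeps it quiet on ordinary installer and browser cache activity.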