Introduction
Evasive Panda, also known as Bronze Highland [1] [7], Daggerfly [1] [3] [7], and StormBamboo [1] [3] [7], is a China-aligned advanced persistent threat (APT) group that has been active since at least 2012 [6]. The group targets organizations and countries that oppose China's interests [6], with a focus on pro-democracy and independence movements [11] and on religious and academic institutions [5] [6], and has extended its cyberespionage to several other countries [6]. This document describes Evasive Panda's activities, centred on the CloudScout toolset documented by ESET [3] [6], and concludes with an analysis of the impact, mitigations, and future implications of the group's operations.
Description
Evasive Panda, a China-aligned APT group also known as Bronze Highland, Daggerfly [1] [3] [7], and StormBamboo [1] [3] [7], has been active since at least 2012 [6]. Its targets are organizations and countries that oppose China's interests [6]: pro-democracy and independence movements in Taiwan and Hong Kong, and religious and academic institutions [5] [6], including those of the Tibetan diaspora. The group has extended its cyberespionage to countries such as Vietnam, Myanmar, and South Korea [6], and it uses advanced delivery techniques, including supply-chain compromise and DNS poisoning [6].
Between May 2022 and February 2023 [1] [7], Evasive Panda targeted Taiwanese government agencies and religious organizations with a post-compromise toolkit named CloudScout. CloudScout retrieves data from cloud services by replaying stolen web session cookies [10], which gives the operator the victim's access to the stored data without ever logging in [9]. It runs alongside the MgBot malware framework [3] [10] [11]: MgBot's plugins harvest session cookies from the compromised host and hand them to CloudScout. Because a session cookie represents a session that has already passed authentication, including any second factor, replaying it sidesteps two-factor authentication entirely [3] [7] [10]. That makes these attacks harder to block than credential theft: there is no login event at which to challenge the attacker, and the stolen session stays valid until it expires or is revoked.
The CloudScout framework references at least ten modules [2], of which three have been observed in deployments: CGD [7], CGM [2] [3] [8] [11] [13], and COL, which access Google Drive, Gmail [11], and Outlook mail [11] respectively [2] [13]. These modules are delivered as MgBot plugins, and their core function is to hijack authenticated web sessions with public cloud services [3] [6] [13]. Collected material, including email messages and files of selected types [7], is packed into ZIP archives and exfiltrated through MgBot or Nightdoor [7]. The remaining seven modules are supported by the framework but have not been seen in the wild, which suggests that the operators install only the modules an operation needs [13]. Two of them, CTW and CFB, are probably intended to hijack accounts on X (formerly Twitter) and Facebook [13].
At the centre of CloudScout is the CommonUtilities package [1], which provides the low-level libraries for HTTP communication and cookie management that the modules share. Each module watches a directory for new configuration files [2], starts a data-retrieval cycle when one appears [2], and then deletes every artifact it produced so that little evidence of the run remains on disk. Hardcoded HTTP requests that specify Taipei Standard Time and the zh-CN language pack point to Taiwanese users as the intended targets [3].
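Because CloudScout replays cookies from the compromised host, server-side detection cannot rely on the source address: the replayed requests arrive from the victim's own IP. What can differ between the legitimate browser and the implant is the client profile sent with each request, such as User-Agent and Accept-Language. The following Go program is an added example, not code from this page or from ESET's research: it replays a constructed access log and flags any request that presents a known session cookie with a client profile different from the one seen when the session was established. The log format, the field names, and the assumption that the toolset's hardcoded zh-CN language setting would surface as an Accept-Language header are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is one parsed access-log record from a cloud application's front
// end. The field set and the tab-separated key=value layout are assumptions
// of this example, not the log format of any real service.
type Request struct {
	Time       string
	SessionID  string // opaque session-cookie value; log a hash of it, never the raw cookie
	SrcIP      string
	UserAgent  string
	AcceptLang string
	Path       string
}

// parseLine parses one record. Malformed lines are skipped rather than
// aborting the run, since a detector over real logs has to tolerate noise.
func parseLine(line string) (Request, bool) {
	fields := map[string]string{}
	for _, kv := range strings.Split(line, "\t") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Request{}, false
		}
		fields[k] = v
	}
	r := Request{
		Time:       fields["time"],
		SessionID:  fields["sid"],
		SrcIP:      fields["ip"],
		UserAgent:  fields["ua"],
		AcceptLang: fields["lang"],
		Path:       fields["path"],
	}
	if r.SessionID == "" || r.UserAgent == "" {
		return Request{}, false
	}
	return r, true
}

// fingerprint is the client profile recorded when a session was established.
type fingerprint struct {
	srcIP, userAgent, acceptLang string
}

// Alert records a request that presented a known session cookie from a client
// that does not look like the one that established the session.
type Alert struct {
	SessionID string
	Time      string
	Path      string
	Reasons   []string
}

// DetectSessionReuse replays the log in order. The first request seen for a
// session defines its fingerprint (in production, take it from the login
// event). A later request that changes User-Agent or Accept-Language is
// flagged. A source-IP change on its own is not an alert: mobile and VPN
// users change address legitimately, and a cookie replayed by an implant on
// the victim's own host arrives from the victim's own IP anyway.
func DetectSessionReuse(lines []string) []Alert {
	seen := map[string]fingerprint{}
	var alerts []Alert
	for _, line := range lines {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		fp, known := seen[r.SessionID]
		if !known {
			seen[r.SessionID] = fingerprint{r.SrcIP, r.UserAgent, r.AcceptLang}
			continue
		}
		var reasons []string
		if r.UserAgent != fp.userAgent {
			reasons = append(reasons, "user-agent differs from login client")
		}
		if r.AcceptLang != fp.acceptLang {
			reasons = append(reasons, "accept-language differs from login client")
		}
		if len(reasons) == 0 {
			continue
		}
		if r.SrcIP != fp.srcIP {
			reasons = append(reasons, "source ip also changed")
		}
		alerts = append(alerts, Alert{SessionID: r.SessionID, Time: r.Time, Path: r.Path, Reasons: reasons})
	}
	return alerts
}

// SampleLog is constructed for this example. Session s1 belongs to a user on a
// Windows browser with a Taiwanese locale; the fourth line replays s1's cookie
// from the same host with a different client profile (the zh-CN header is an
// assumed rendering of the hardcoded language pack mentioned in the report).
// Session s2 is a legitimate user whose IP changes but whose client does not.
var SampleLog = []string{
	"time=2023-02-01T08:00:01Z\tsid=s1\tip=203.0.113.10\tua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0\tlang=zh-TW,zh;q=0.9\tpath=/mail/inbox",
	"time=2023-02-01T08:05:42Z\tsid=s1\tip=203.0.113.10\tua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0\tlang=zh-TW,zh;q=0.9\tpath=/mail/msg/41",
	"time=2023-02-01T08:06:10Z\tsid=s2\tip=198.51.100.7\tua=Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1\tlang=en-US,en;q=0.8\tpath=/drive/files",
	"time=2023-02-01T08:07:03Z\tsid=s1\tip=203.0.113.10\tua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/100.0\tlang=zh-CN\tpath=/mail/search?q=*",
	"time=2023-02-01T08:09:55Z\tsid=s2\tip=198.51.100.77\tua=Mozilla/5.0 (iPhone; CPU iPhone OS 16_3) Safari/604.1\tlang=en-US,en;q=0.8\tpath=/drive/files/9",
	"garbage line without fields",
}

func main() {
	for _, a := range DetectSessionReuse(SampleLog) {
		fmt.Printf("ALERT session=%s at %s path=%s: %s\n", a.SessionID, a.Time, a.Path, strings.Join(a.Reasons, "; "))
	}
}
```

Run as-is, the program reports one alert, for the fourth line of the sample: session s1 reused with a changed User-Agent and Accept-Language from the same address. In a real deployment the fingerprint would be taken from the authentication event, compared with a tolerance for benign browser upgrades, and joined with the application's own audit events (bulk mail search, mass file download) to raise confidence before blocking.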
Evasive Panda uses several initial access methods [1], among them exploitation of newly disclosed vulnerabilities and supply-chain compromise [1] [7]. Its tooling reflects a clear understanding of where valuable data now lives [6]: documents stored in the cloud, user profiles, and email [6] [12]. Newer browser protections from Google [7], such as Device Bound Session Credentials (DBSC) and App-Bound Encryption [7], may make cookie-theft tooling like CloudScout obsolete [7]. DBSC binds a session to a key held on the device, so a copied cookie cannot be kept alive without that key; App-Bound Encryption ties decryption of Chrome's cookie store to the browser itself, so a process running with ordinary user privileges can no longer simply read the cookies from disk. Both have limits worth noting: DBSC protects only sessions with services that adopt it, App-Bound Encryption covers Chrome on Windows, and neither stops code that already runs inside the browser process or with elevated privileges. The arms race between cookie theft and session binding continues.
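To show why device-bound sessions defeat cookie replay, here is an added example, a simplified model written for this page and not Google's DBSC protocol or any of its code: the server records a per-device public key at login and keeps a session alive only if the client signs a fresh server nonce with the matching private key. An attacker who copies the cookie but not the device key cannot refresh the session. The Ed25519 binding, the refresh flow, and the names Server, Device and Scenario are choices of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is the state a web service keeps per device-bound session: the
// cookie value and the public half of the device key registered at login.
// Cookies are meant to be short-lived; keeping one alive needs a signed refresh.
type Server struct {
	sessions   map[string]ed25519.PublicKey // cookie -> bound device key
	challenges map[string][]byte            // cookie -> outstanding nonce
}

func NewServer() *Server {
	return &Server{
		sessions:   map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Device is the client side. The private key never leaves it; in a real
// deployment it would sit in a TPM or OS keystore. A cookie thief copies the
// cookie jar but cannot copy this key.
type Device struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Pub: pub, priv: priv}
}

// Sign is the only operation the device exposes on its key.
func (d *Device) Sign(msg []byte) []byte { return ed25519.Sign(d.priv, msg) }

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Login runs after the user has authenticated (password, second factor, or
// whatever the service requires) and binds the new session to the device key.
func (s *Server) Login(devicePub ed25519.PublicKey) string {
	cookie := randomHex(16)
	s.sessions[cookie] = devicePub
	return cookie
}

// Challenge issues a single-use nonce for the session named by the cookie.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	if _, ok := s.sessions[cookie]; !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[cookie] = nonce
	return nonce, nil
}

// Refresh keeps the session alive only if the caller proves possession of the
// key bound at login by signing the outstanding nonce. The nonce is consumed
// whether or not the check passes, so a captured signature cannot be replayed.
func (s *Server) Refresh(cookie string, sig []byte) error {
	pub, ok := s.sessions[cookie]
	if !ok {
		return errors.New("unknown session")
	}
	nonce, ok := s.challenges[cookie]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, cookie)
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("device proof failed: cookie is not usable from this client")
	}
	return nil
}

// Scenario plays both sides. The victim logs in and refreshes normally; the
// attacker holds an exact copy of the cookie and a device key of their own,
// but not the victim's key. It reports whether each refresh succeeded.
func Scenario() (victimOK bool, attackerOK bool) {
	srv := NewServer()
	victim := NewDevice()
	cookie := srv.Login(victim.Pub)

	nonce, _ := srv.Challenge(cookie)
	victimOK = srv.Refresh(cookie, victim.Sign(nonce)) == nil

	attacker := NewDevice()
	stolenCookie := cookie // bearer value copied verbatim from the victim's cookie store
	nonce, _ = srv.Challenge(stolenCookie)
	attackerOK = srv.Refresh(stolenCookie, attacker.Sign(nonce)) == nil
	return victimOK, attackerOK
}

func main() {
	v, a := Scenario()
	fmt.Printf("victim refresh ok: %v, attacker refresh with stolen cookie ok: %v\n", v, a)
}
```

The cookie is still a bearer token between refreshes; the defense works because refreshes are frequent and each one demands proof of the device key, which is why short session lifetimes are part of the design. A production scheme also binds the nonce to the origin and session, rate-limits challenges, and falls back gracefully for clients without a hardware key store.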
Conclusion
Evasive Panda's operations underscore the persistent threat posed by state-aligned cyberespionage groups. Tools like CloudScout exploit a structural weakness of cookie-based web sessions: once a bearer cookie leaves the browser, whoever holds it has the user's access, with no further authentication check. Google's Device Bound Session Credentials and App-Bound Encryption [7] are promising mitigations for exactly that weakness, though defenders should also watch for sessions being driven by a client that does not match the one that established them. As the threat evolves, organizations need to stay informed and adapt so that sensitive information and operational integrity are protected.
References
[1] https://www.isss.org.uk/news/chinese-hackers-use-cloudscout-toolset-to-steal-session-cookies-from-cloud-services/
[2] https://www.infosecurity-magazine.com/news/evasive-panda-cloudscout-taiwan/
[3] https://www.welivesecurity.com/en/eset-research/cloudscout-evasive-panda-scouting-cloud-services/
[4] https://www.emerce.nl/wire/eset-ontdekt-cloudscout-chinese-evasive-panda-richt-zich-taiwan-gegevens-die-opgeslagen-cloud
[5] https://thecyberwire.com/newsletters/daily-briefing/13/205
[6] https://www.eset.com/int/about/newsroom/press-releases/research/eset-discovers-cloudscout-china-aligned-evasive-panda-targets-taiwan-and-data-stored-in-the-cloud/
[7] https://thehackernews.com/2024/10/chinese-hackers-use-cloudscout-toolset.html
[8] https://thenimblenerd.com/article/cloudscout-evasive-pandas-sneaky-cyber-espionage-on-taiwanese-clouds-unveiled/
[9] https://cyberpress.org/evasive-pandas-new-toolkit-targets-cloud-services/
[10] https://blog.netmanageit.com/evasive-panda-scouting-cloud-services/
[11] https://news.cloudsek.com/2024/10/evasive-panda-deploys-advanced-cloudscout-malware-to-steal-data-from-taiwanese-institutions/
[12] https://www.darkreading.com/cloud-security/china-evasive-panda-apt-cloud-hijacking
[13] https://www.ithome.com.tw/news/165749