Evasive Panda’s New Toolkit Targets Cloud Services for Data Theft

CloudScout, a toolset leveraging stolen cookies from MgBot plugins, was used in Taiwan between 2022 and 2023 to access and exfiltrate data from Google Drive, Gmail, Outlook, and potentially seven other cloud services, targeting both religious institutions and government entities. 

Its modules are written in C# and are deployed by MgBot plugins written in C++. The plugins are specifically designed to target Taiwanese users, and the Outlook module relies on hardcoded fields in its web requests to steal Outlook email messages.

It is a malicious tool likely targeting Taiwanese entities and was observed in two incidents: a religious institution breach in May 2022 and a suspected government entity compromise in February 2023.

HTTP request from COL to Outlook Web Access

A .NET malware framework comprises various modules targeting specific cloud services like Google Drive, Gmail, and Outlook. Other modules, including CTW, CFB, GMQ, MEXC, CEXC, CZI, and CNE, likely target other platforms like Twitter and Facebook, but their exact functions remain unclear.

The toolset was likely developed around 2020, with subsequent updates and version changes evident in the AssemblyCopyright field and AssemblyVersion of its components, including CGD, CGM, and COL, as well as the embedded CommonUtilities library. 

Interactions between Gmck and CGM

Gmck.dll, a C++ plugin deployed by MgBot, was used to install CGM, a .NET module, which, along with CGD and COL, was dropped to disk and executed via CLR to access the victim’s Gmail account and steal sensitive information.

Gmck is unable to decrypt cookies from Chrome and Edge due to App-Bound Encryption; it instead needs browser cookies from other supported browsers, which it passes to CGM in an RC4-encrypted .dat file for the module to run successfully.

The MgBot plugin extracts browser cookies and creates a JSON configuration file; CloudScout monitors for these files and spawns a thread to process each one.

Each thread parses the configuration file, which includes the cookies and settings for data collection, staging, and program termination, then downloads the targeted data and deletes the file.

Overview of the design of CommonUtilities

CommonUtilities, a core CloudScout component, provides custom libraries such as HTTPAccess, which handles HTTP communication, and ManagedCookie, which is used to modify request headers and offers flexible cookie management.

CloudScout modules share a uniform architecture, with a core Cloud namespace handling common functions. Module-specific differences primarily lie in authentication and data retrieval, tailored to interact with specific cloud services. 

Overview of the design of a CloudScout module

CloudScout exploits short-lived authentication cookies (OSID, HSID, etc.) on popular services (Google Drive, Gmail, Outlook) to access user data. Even when the main cookie expires, CloudScout uses additional cookies (RPSSecAuth, ClientId) to re-authenticate and maintain access.

The modules extract data from compromised cloud accounts using web requests and HTML parsing, retrieving target-specific data such as emails, files, and directory listings from services like Gmail, Outlook, and Google Drive.

According to ESET researchers, in preparation for subsequent exfiltration, the data that has been extracted is first encrypted, then compressed, and finally labeled with custom headers.

Evasive Panda leverages CloudScout, a .NET toolset integrated with MgBot, to exfiltrate data from cloud services. By employing the pass-the-cookie technique, it hijacks authenticated web browser sessions to gain unauthorized access to sensitive information.
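As an added, defender-side example that is not part of this article or of ESET's research: a small Python heuristic over constructed web access-log lines that flags a session cookie reused from a different client fingerprint, the basic signal behind pass-the-cookie hijacking. The log format, field names and sample values are assumptions made for the example.

```python
"""Flag session cookies reused from a client fingerprint other than the one
that first used them (constructed example; log format is assumed)."""

# Constructed sample log lines: timestamp, hashed session id, client IP, user agent.
SAMPLE_LOG = """\
2023-02-01T08:00:01Z sid=a1f3 ip=203.0.113.10 ua=Chrome/110
2023-02-01T08:05:12Z sid=a1f3 ip=203.0.113.10 ua=Chrome/110
2023-02-01T08:07:40Z sid=a1f3 ip=198.51.100.7 ua=python-requests/2.28
2023-02-01T09:00:00Z sid=b7c2 ip=192.0.2.22 ua=Firefox/109
2023-02-01T09:10:00Z sid=b7c2 ip=192.0.2.23 ua=Firefox/109
"""


def parse_line(line):
    """Split one 'ts key=value ...' line into (ts, sid, ip, ua)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["sid"], kv["ip"], kv["ua"]


def find_hijacked_sessions(log_text):
    """Return one alert per log line where a known session id appears with a
    fingerprint (ip, ua) different from the one it was first seen with.

    A user-agent change on the same session is a strong signal (a stolen
    cookie replayed by a different program); an IP-only change is weaker,
    since NAT and mobile roaming produce it legitimately, so it is rated low.
    """
    first_seen = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip, ua = parse_line(line)
        if sid not in first_seen:
            first_seen[sid] = (ip, ua)
            continue
        orig_ip, orig_ua = first_seen[sid]
        if (ip, ua) == (orig_ip, orig_ua):
            continue
        severity = "high" if ua != orig_ua else "low"
        alerts.append({"sid": sid, "time": ts, "severity": severity,
                       "original": (orig_ip, orig_ua), "observed": (ip, ua)})
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_LOG):
        print(alert)
```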

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.