A previously unknown cyber espionage group, CeranaKeeper, has been linked to a series of aggressive data exfiltration attacks across Southeast Asia, with targets primarily focusing on governmental institutions. The Slovak cybersecurity firm ESET disclosed this new threat actor, revealing that it had observed CeranaKeeper’s activities in Thailand starting in 2023.
The group has been associated with China, and its tactics appear similar to those of the well-known Chinese state-sponsored actor Mustang Panda. According to ESET, CeranaKeeper has developed and deployed a variety of sophisticated tools to siphon massive amounts of sensitive data from its victims, all while maintaining a stealthy presence.
Custom Tools and Cloud Exploitation
CeranaKeeper is particularly adept at evading detection, frequently updating its backdoor and deploying customized tools for data extraction. The group leverages popular, legitimate cloud services like Dropbox and OneDrive for this purpose. These services act as platforms for their backdoors and data extraction tools, ensuring that their activities blend in with normal network traffic.
ESET’s Romain Dumont noted the group’s creativity and adaptability:
"CeranaKeeper abuses legitimate services such as Dropbox and OneDrive to implement custom backdoors and extraction tools. Their ability to constantly evolve is key to their success."
In addition to Thailand, CeranaKeeper has targeted several other countries, including Myanmar, the Philippines, Japan, and Taiwan, all regions with a history of being attacked by Chinese state-sponsored actors.
CeranaKeeper’s Arsenal
CeranaKeeper's attacks make use of malware families typically linked to Mustang Panda, such as TONESHELL, TONEINS, and PUBLOAD. However, ESET noted that CeranaKeeper has its own unique set of custom tools to aid in data exfiltration:
- WavyExfiller: A Python-based uploader that collects data from connected storage devices (such as USB drives and external hard disks) and uses services such as Dropbox and PixelDrain to exfiltrate the information.
- DropboxFlop: A reverse shell based on DropFlop that uses Dropbox as a command-and-control (C&C) server, allowing for file uploads, downloads, and command execution.
- OneDoor: A C++ backdoor that abuses the legitimate Microsoft OneDrive REST API to receive commands and exfiltrate files from compromised machines.
- BingoShell: A Python backdoor that takes advantage of GitHub’s pull request and issue comment features to create a stealthy reverse shell, using a private GitHub repository as a C&C server.
According to ESET, BingoShell uses a hard-coded token to authenticate, allowing the attacker to execute commands and send results via the pull requests and comments.
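The common thread in these tools is that command-and-control and exfiltration ride on legitimate cloud services, so a defender's best network-level signal is not the destination itself but the shape of the traffic to it. The following is an added detection sketch, not code from ESET or from the tools described: it parses constructed proxy log lines and flags hosts that bulk-upload to, or spread across, several of the services named above. The matched hostnames, the log format and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
# Cloud services the article names as abused for C&C and exfiltration; the
# hostnames matched here are assumptions for illustration, not from the report.
WATCHED = {
    "dropbox": re.compile(r"(^|\.)dropbox(api)?\.com$"),
    "onedrive": re.compile(r"(^|\.)(onedrive\.live\.com|graph\.microsoft\.com)$"),
    "pixeldrain": re.compile(r"(^|\.)pixeldrain\.com$"),
    "github": re.compile(r"^api\.github\.com$"),
}
# Constructed proxy log: time src_host method dest_host bytes_out bytes_in
SAMPLE_LOG = """\
2023-06-01T09:00:01 ws-finance-07 POST content.dropboxapi.com 52428800 512
2023-06-01T09:00:17 ws-finance-07 POST pixeldrain.com 31457280 640
2023-06-01T09:02:00 ws-finance-07 POST api.github.com 4096 1024
2023-06-01T09:01:00 ws-hr-02 GET www.dropbox.com 1200 88000
2023-06-01T09:01:30 ws-dev-11 GET api.github.com 900 45000
2023-06-01T09:03:00 ws-hr-02 GET www.example.org 500 20000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def classify(dest):
    """Return the watched service a destination host belongs to, else None."""
    return next((n for n, p in WATCHED.items() if p.search(dest)), None)

def summarize(log_text):
    """Per source host: bytes to/from watched services and which were contacted."""
    stats = defaultdict(lambda: {"out": 0, "in": 0, "services": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        svc = classify(m.group(4)) if m else None
        if svc is None:
            continue  # unparsable line, or destination is not a watched service
        s = stats[m.group(2)]
        s["out"] += int(m.group(5))
        s["in"] += int(m.group(6))
        s["services"].add(svc)
    return stats

def flag_hosts(log_text, min_out=10_000_000, min_ratio=5.0, min_services=2):
    """Flag hosts that bulk-upload to watched services or contact several of them."""
    flagged = {}
    for host, s in summarize(log_text).items():
        reasons = []
        if s["out"] >= min_out and s["out"] / max(s["in"], 1) >= min_ratio:
            reasons.append("upload-heavy")
        if len(s["services"]) >= min_services:
            reasons.append("multi-service")
        if reasons:
            flagged[host] = reasons
    return flagged
```

On the constructed sample, only ws-finance-07 is flagged; the ordinary Dropbox and GitHub browsing from the other two hosts is download-heavy and touches a single service, which is the baseline the thresholds are meant to separate from.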
Modus Operandi and Lateral Movement
CeranaKeeper is noted for its ability to rapidly move laterally within compromised environments, often turning victim machines into proxies or update servers for their backdoor tools. Once the attackers gain initial access, they install the TONESHELL backdoor, dump credentials, and disable security products on the machine using a legitimate Avast driver and a custom application.
From there, they use a remote administration console to spread their backdoor to other computers within the network. They further use the compromised machines to store updates for their TONESHELL backdoor, turning them into update servers.
China's Cyber Espionage Strategy
Though CeranaKeeper and Mustang Panda seem to operate independently, they share some common tools and tactics, suggesting they may rely on a third-party "digital quartermaster" or engage in some level of information sharing. This type of cooperation is not uncommon among China-aligned threat actors, which frequently share resources and knowledge.
CeranaKeeper's relentlessness, adaptability, and focus on massive data exfiltration mark it as a potent and evolving threat to Southeast Asian nations and possibly beyond. As the group continues to update its malware and exploit legitimate services, it poses an ongoing risk to its targets.
The emergence of CeranaKeeper highlights the persistence and evolving capabilities of China-aligned cyber espionage groups. With their custom malware toolset and ability to exploit legitimate cloud services for nefarious purposes, CeranaKeeper represents a significant threat to governments and organizations in the region. Continued vigilance and international cooperation are essential in identifying and countering these sophisticated cyber threats.