A previously undocumented threat actor called CeranaKeeper has been linked to a series of data theft attacks targeting Southeast Asia.
Slovakian cybersecurity firm ESET, which has been monitoring campaigns targeting government agencies in Thailand since 2023, attributed this cluster of activity to a China-aligned actor, noting its use of tools previously identified as being used by the Mustang Panda actor.
“The group is constantly updating its backdoor to avoid detection and diversifying its methods to aid mass data theft,” Romain Dumont, a security researcher, said in an analysis published today.
“CeranaKeeper abuses popular legitimate cloud and file sharing services such as Dropbox and OneDrive to implement special backdoors and extraction tools.”
Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state threat actors in recent years.
ESET described CeranaKeeper as relentless, creative and able to quickly adapt its way of working, as well as aggressive and greedy in its ability to navigate compromised environments and transfer as much information as possible using various backdoors and exfiltration tools.
“Their extensive use of wildcards to traverse, sometimes entire drives, made it clear that their goal was massive data mining,” the company said.
The exact initial access routes used by the threat actor remain unknown. However, the initial foothold is abused to gain access to other machines on the local network, with some compromised machines even being turned into proxies or update servers that store updates for the group's backdoor.
The attacks are characterized by the use of malware families such as TONESHELL, TONEINS and PUBLOAD – all attributed to the Mustang Panda group – alongside an arsenal of never-before-seen tools to aid in data theft.
“After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a credential reset tool, and used a legitimate Avast driver and custom application to disable security products on the machine,” Dumont said.
“From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers on the network. Additionally, CeranaKeeper used a compromised server to store updates for TONESHELL, turning it into an update server.”
The newly discovered custom toolkit is as follows –
- WavyExfiller – A Python uploader that harvests data, including from connected devices such as USB drives and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints
- DropboxFlop – A Python variant of the publicly available wrapper called Dropflop, which comes with download and upload features and uses Dropbox as a command-and-control (C&C) server
- BingoShell – A Python backdoor that abuses GitHub's pull request and issue comment features to create a stealthy reverse shell
“From a high-level perspective, (BingoShell) uses a private GitHub repository as a C&C server,” ESET explained. “The script uses a hard-coded token for authentication and pull request functions and issue comments to get commands to execute and send results.”
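The toolkit described above turns services that are allowed through most corporate proxies into command and exfiltration channels: GitHub pull-request and issue comments as a tasking channel, and Dropbox or PixelDrain uploads as the exfiltration path. The example below is added to this article and is not ESET's or the threat actor's code. It sketches how a defender might surface that pattern in web-proxy logs: hosts that repeatedly poll the GitHub comments API from a scripted client, and hosts that push an unusually large volume of bytes to the Dropbox or PixelDrain upload endpoints. The log format, the thresholds and the PixelDrain endpoint path are assumptions, and the log lines are constructed.

```python
"""Proxy-log heuristic for cloud-service command and exfiltration channels.

Added example, not code from the article or from ESET. Log format,
thresholds and the PixelDrain endpoint path are assumptions; the sample log
lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re
from urllib.parse import urlparse

# Constructed proxy log lines: "<time> <src_host> <method> <url> <bytes_out> <user_agent>".
SAMPLE_LOG = """\
2024-07-01T09:00:01Z ws-finance-12 GET https://api.github.com/repos/example-org/notes/pulls/7/comments 0 python-requests/2.31.0
2024-07-01T09:00:31Z ws-finance-12 GET https://api.github.com/repos/example-org/notes/pulls/7/comments 0 python-requests/2.31.0
2024-07-01T09:01:02Z ws-finance-12 POST https://api.github.com/repos/example-org/notes/issues/7/comments 4096 python-requests/2.31.0
2024-07-01T09:05:17Z ws-finance-12 POST https://content.dropboxapi.com/2/files/upload 9437184 python-requests/2.31.0
2024-07-01T09:06:40Z ws-finance-12 POST https://content.dropboxapi.com/2/files/upload 7340032 python-requests/2.31.0
2024-07-01T09:10:00Z ws-hr-03 POST https://pixeldrain.com/api/file 6291456 python-requests/2.31.0
2024-07-01T09:12:44Z dev-laptop-01 GET https://api.github.com/repos/example-org/app/pulls/42/comments 0 Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2024-07-01T09:13:05Z dev-laptop-01 POST https://content.dropboxapi.com/2/files/upload 120000 Dropbox-Desktop/200.4
"""

# GitHub REST paths for pull request / issue comments, the channel the article describes.
COMMENT_API = re.compile(r"^/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments$")
# Upload endpoints of the two file-sharing services named in the article.
UPLOAD_ENDPOINTS = {
    "content.dropboxapi.com": "/2/files/upload",  # Dropbox file upload endpoint
    "pixeldrain.com": "/api/file",                # PixelDrain upload endpoint (assumed)
}
# User agents typical of scripts rather than browsers or official desktop clients.
SCRIPTED_UA = re.compile(r"python-requests|python-urllib|curl/|Wget/", re.I)

MIN_COMMENT_CALLS = 3                  # polling threshold (assumed)
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB per host (assumed)


@dataclass
class HostStats:
    comment_api_calls: int = 0
    scripted_calls: int = 0
    upload_bytes: int = 0
    upload_services: set = field(default_factory=set)


def parse_line(line):
    """Split one log line; the user agent may contain spaces, so it is the tail."""
    ts, host, method, url, bytes_out, ua = line.split(maxsplit=5)
    return ts, host, method, url, int(bytes_out), ua


def summarise(log_text):
    """Aggregate per-source-host counters relevant to the two channels."""
    stats = defaultdict(HostStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, host, method, url, bytes_out, ua = parse_line(line)
        u = urlparse(url)
        s = stats[host]
        if u.netloc == "api.github.com" and COMMENT_API.match(u.path):
            s.comment_api_calls += 1
        prefix = UPLOAD_ENDPOINTS.get(u.netloc)
        if prefix and u.path.startswith(prefix) and method in ("POST", "PUT"):
            s.upload_bytes += bytes_out
            s.upload_services.add(u.netloc)
        if SCRIPTED_UA.search(ua):
            s.scripted_calls += 1
    return stats


def find_suspicious_hosts(log_text):
    """Return {host: [reasons]} for hosts matching either heuristic."""
    findings = {}
    for host, s in summarise(log_text).items():
        reasons = []
        if s.comment_api_calls >= MIN_COMMENT_CALLS and s.scripted_calls:
            reasons.append("github-comment-polling")
        if s.upload_bytes >= UPLOAD_BYTES_THRESHOLD and s.scripted_calls:
            reasons.append("bulk-upload:" + ",".join(sorted(s.upload_services)))
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in find_suspicious_hosts(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

On the constructed sample, the finance workstation trips both heuristics and the HR workstation trips the bulk-upload one, while the developer laptop, which touches the same endpoints from a browser and the official Dropbox client at low volume, is left alone. In production the scripted-user-agent condition is a weak signal on its own (user agents are trivially changed), so the more durable part of the logic is the per-host volume and polling baseline, which should be tuned against what each host population normally does.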
Noting CeranaKeeper’s ability to quickly write and rewrite its toolset to avoid detection, the company said the threat actor’s ultimate goal is to develop custom malware that can allow it to collect valuable information at scale.
“Mustang Panda and CeranaKeeper appear to operate independently of each other and each has its own set of tools,” the report said. “Both threat actors may rely on the same third party, such as a digital mastermind, which is not uncommon among China-linked groups, or have some level of information sharing that would explain the connections observed.”