China-linked CeranaKeeper targets Southeast Asia with data theft

By Admin, October 2, 2024
Data Exfiltration

October 2, 2024, Ravi Lakshmanan, Cyber Espionage / Cloud Security

A previously undocumented threat actor called CeranaKeeper has been linked to a series of data theft attacks targeting Southeast Asia.

Slovakian cybersecurity firm ESET, which has monitored campaigns targeting government agencies in Thailand since 2023, attributed this cluster of activity to China, noting that it uses tools previously identified as being used by the Mustang Panda actor.

“The group is constantly updating its backdoor to avoid detection and diversifying its methods to aid mass data theft,” security researcher Romain Dumont said in an analysis published today.

“CeranaKeeper abuses popular legitimate cloud and file sharing services such as Dropbox and OneDrive to implement special backdoors and extraction tools.”


Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state threat actors in recent years.

ESET described CeranaKeeper as relentless, creative and able to quickly adapt its way of working, and as aggressive and greedy given its ability to move through compromised environments and transfer as much information as possible using a range of backdoors and exfiltration tools.

“Their extensive use of wildcards to traverse, sometimes entire drives, made it clear that their goal was massive data mining,” the company said.

The exact initial access routes used by the threat actor remain unknown. However, once an initial foothold is established it is abused to reach other machines on the local network, with some compromised machines even turned into proxies or update servers that host updates for the backdoor.

The attacks are characterized by the use of malware families such as TONESHELL, TONEINS and PUBLOAD, all attributed to the Mustang Panda group, alongside an arsenal of never-before-seen tools that aid in data theft.

“After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a credential reset tool, and used a legitimate Avast driver and custom application to disable security products on the machine,” Dumont said.

“From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers on the network. Additionally, CeranaKeeper used a compromised server to store updates for TONESHELL, turning it into an update server.”

The newly discovered custom toolkit is as follows:

  • WavyExfiller – a Python tool that collects data, including from connected devices such as USB and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints
  • DropboxFlop – a Python variant of the publicly available wrapper called Dropflop, which comes with download and upload features and uses Dropbox as a command-and-control (C&C) server
  • BingoShell – a Python backdoor that abuses GitHub's pull request and issue comment features to create a stealthy reverse shell

“From a high-level perspective, (BingoShell) uses a private GitHub repository as a C&C server,” ESET explained. “The script uses a hard-coded token for authentication and pull request functions and issue comments to get commands to execute and send results.”
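The pattern described above (bulk uploads to file-sharing services, plus GitHub pull-request and issue-comment API traffic used as a command channel) can be hunted for in outbound proxy logs. The following is an added detection example, not code from ESET or from the report; the log format, host names, `ORG/REPO` path and the 50 MiB threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the ESET report): timestamp, host, method, URL, bytes sent.
SAMPLE_LOG = """\
2024-09-30T08:01:12Z srv-file01 POST https://content.dropboxapi.com/2/files/upload 52428800
2024-09-30T08:01:40Z srv-file01 POST https://content.dropboxapi.com/2/files/upload 52428800
2024-09-30T08:02:05Z srv-file01 POST https://pixeldrain.com/api/file 104857600
2024-09-30T08:03:11Z srv-file01 GET https://api.github.com/repos/ORG/REPO/pulls 0
2024-09-30T08:03:12Z srv-file01 POST https://api.github.com/repos/ORG/REPO/issues/7/comments 2048
2024-09-30T08:05:00Z ws-dev-42 GET https://api.github.com/repos/ORG/REPO/pulls 0
2024-09-30T08:06:00Z ws-alice POST https://content.dropboxapi.com/2/files/upload 1048576
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

# Services the report names as exfiltration / C&C channels (Dropbox, PixelDrain, OneDrive).
CLOUD_DOMAINS = ("dropboxapi.com", "dropbox.com", "pixeldrain.com", "onedrive.live.com")
# GitHub API paths a BingoShell-style backdoor touches to fetch commands and post results.
GITHUB_C2_RE = re.compile(r"^https://api\.github\.com/repos/[^/]+/[^/]+/(pulls|issues/\d+/comments)")

def parse_log(text):
    """Yield (timestamp, host, method, url, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, method, url, size = m.groups()
            yield ts, host, method, url, int(size)

def find_exfil_candidates(text, upload_threshold=50 * 1024 * 1024, dev_prefix="ws-dev"):
    """Return {host: [reasons]}: hosts pushing more than upload_threshold bytes to file-sharing
    services, or non-developer hosts (assumed naming: dev_prefix) driving GitHub PR/comment APIs."""
    uploads = defaultdict(int)
    github_hits = defaultdict(int)
    for _, host, method, url, size in parse_log(text):
        domain = url.split("/")[2]
        if method in ("POST", "PUT") and domain.endswith(CLOUD_DOMAINS):
            uploads[host] += size
        if GITHUB_C2_RE.match(url) and not host.startswith(dev_prefix):
            github_hits[host] += 1
    findings = defaultdict(list)
    for host, total in uploads.items():
        if total > upload_threshold:
            findings[host].append(f"{total // (1024 * 1024)} MiB uploaded to file-sharing services")
    for host, n in github_hits.items():
        findings[host].append(f"{n} GitHub PR/issue-comment API calls from non-developer host")
    return dict(findings)
```

Tune the threshold and host-naming assumption to your environment; a developer workstation legitimately uses these APIs, which is why the report's authors call the abuse of popular cloud services hard to spot.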

Noting CeranaKeeper’s ability to quickly write and rewrite its toolset to avoid detection, the company said the threat actor’s ultimate goal is to develop custom malware that can allow it to collect valuable information at scale.

“Mustang Panda and CeranaKeeper appear to operate independently of each other and each has its own set of tools,” the report said. “Both threat actors may rely on the same third party, such as a digital mastermind, which is not uncommon among China-linked groups, or have some level of information sharing that would explain the connections observed.”
