Emerging Threat Actor CeranaKeeper Targets Southeast Asia in Data Exfiltration Campaigns
A novel cyber threat actor, dubbed CeranaKeeper, has been implicated in a series of data exfiltration attacks focused on Southeast Asian nations, according to Slovak cybersecurity firm ESET. The firm reported that campaigns aimed at governmental organizations in Thailand began in 2023 and have exhibited indicators of association with China, employing techniques previously observed from the Mustang Panda group.
Romain Dumont, a researcher at ESET, highlighted that CeranaKeeper continuously refines its backdoor methods to avoid detection and enhances its operational strategies to facilitate extensive data theft. The group leverages well-known cloud and file-sharing platforms like Dropbox and OneDrive to deploy customized backdoors and data extraction tools, illustrating how legitimate cloud services are abused to blend command-and-control and exfiltration traffic into ordinary network activity.
Aside from Thailand, additional targets reportedly include Myanmar, the Philippines, Japan, and Taiwan. Each of these countries has been under threat from Chinese state-sponsored actors in the recent past, suggesting a pattern of regional focus by CeranaKeeper. ESET characterizes this actor as relentless and innovative, employing aggressive tactics to navigate compromised networks and maximize information retrieval through various backdoors.
While the initial access methods of the threat actor remain unspecified, it is evident that once a foothold is established, CeranaKeeper gains access to other machines within the local network. This foothold allows the group to repurpose some of the compromised systems as proxies or update servers for its backdoors. The firm has identified the use of malware families such as TONESHELL, TONEINS, and PUBLOAD, all attributed to the Mustang Panda actor, alongside an array of previously unknown tools designed for data exfiltration.
Dumont detailed an incident in which attackers installed the TONESHELL backdoor after obtaining privileged access. They deployed tools to capture credentials and leveraged a legitimate Avast driver to disable security protocols on targeted machines. Once compromised, these servers were utilized to disseminate their backdoor to other systems within the network, effectively transforming them into update servers for continued operations.
CeranaKeeper’s toolkit includes advanced solutions such as WavyExfiller, which captures data from connected devices, and DropboxFlop, a sophisticated reverse shell utilizing Dropbox for command-and-control operations. Another notable tool, OneDoor, exploits the Microsoft OneDrive REST API for command reception and file exfiltration. The group also employs BingoShell, which ingeniously leverages GitHub’s pull request feature as a covert communication channel.
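As an added defender-side illustration (not part of ESET's report or of any tool named here), the following Python heuristic hunts proxy logs for the trait these channels share: a host that is not expected to use a cloud API polling it at regular intervals. The log format, hostnames, IP addresses and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Cloud API hosts the reported tools would need to reach (assumed hostnames).
WATCHED_HOSTS = {
    "api.dropboxapi.com": "Dropbox API (DropboxFlop-style reverse shell)",
    "content.dropboxapi.com": "Dropbox content API (file upload / exfil)",
    "graph.microsoft.com": "OneDrive REST API (OneDoor-style tasking)",
    "api.github.com": "GitHub API (BingoShell-style pull-request channel)",
}

def parse_proxy_line(line):
    """Parse a constructed 'ISO-time client host method path' proxy record."""
    ts, client, host, method, path = line.split()
    return datetime.fromisoformat(ts), client, host, method, path

def beacon_candidates(lines, expected_clients, min_requests=4, max_cv=0.2):
    """Map (client, host) -> details for unexpected clients whose requests to a
    watched cloud API arrive at regular intervals (gap coefficient of
    variation <= max_cv), the shape of a polling command channel."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, host, _method, _path = parse_proxy_line(line)
        if host in WATCHED_HOSTS and client not in expected_clients:
            seen[(client, host)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < max(min_requests, 2):
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            flagged[key] = {"requests": len(stamps), "mean_gap_s": round(mean(gaps)),
                            "reason": WATCHED_HOSTS[key[1]]}
    return flagged

# Constructed sample: 10.0.0.7 polls the GitHub API about every 60 s and hits
# OneDrive irregularly; 10.0.0.9 is an allowed developer box; 10.0.0.12 makes
# a single Dropbox upload (worth a look for exfil, but not beacon-shaped).
SAMPLE_LOG = (
    [f"2024-05-01T09:0{i}:0{i % 2} 10.0.0.7 api.github.com GET /repos/o/r/pulls" for i in range(5)]
    + [f"2024-05-01T{t} 10.0.0.7 graph.microsoft.com GET /v1.0/me/drive/root"
       for t in ("09:00:10", "09:00:15", "09:05:00", "09:30:00")]
    + [f"2024-05-01T09:0{i}:00 10.0.0.9 api.github.com GET /repos/o/r/pulls" for i in range(5)]
    + ["2024-05-01T09:12:00 10.0.0.12 content.dropboxapi.com POST /2/files/upload"]
)
```

Calling `beacon_candidates(SAMPLE_LOG, {"10.0.0.9"})` flags only the GitHub polling from 10.0.0.7; the allowlist and the regularity check keep the developer box and the one-off upload out of the result.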
ESET’s analysis suggests that CeranaKeeper’s adaptability and the rapid development of this toolset are fundamental to its strategy for evading detection. The group aims to build customized malware capable of collecting high-value data at scale, demonstrating a clear intent to exploit technological infrastructure across multiple sectors.
While operating independently, CeranaKeeper and Mustang Panda may share resources or intelligence, a practice not uncommon among state-affiliated groups in China. The techniques observed in these attacks map to numerous tactics in the MITRE ATT&CK framework, including initial access through external remote services, privilege escalation, and lateral movement within victim networks, which together account for the sophistication of these intrusions.
The appearance of CeranaKeeper underscores the dynamic threat landscape in Southeast Asia, necessitating vigilant cybersecurity measures for organizations operating within or interacting with the region. Understanding the tactics employed by such threat actors is critical for businesses seeking to fortify their defenses against potential data breaches and cyber incidents.