Cyber Defense Advisors

China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration

A previously undocumented threat actor called CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia.

Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.

“The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration,” security researcher Romain Dumont said in an analysis published today.

“CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools.”

Some of the other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state-sponsored threat actors in recent years.

ESET described CeranaKeeper as relentless, creative, and capable of swiftly adapting its modus operandi, while also calling it aggressive and greedy for its ability to move laterally across compromised environments and hoover as much information as possible via various backdoors and exfiltration tools.

“Their extensive use of wildcard expressions for traversing, sometimes, entire drives clearly showed their aim was massive data siphoning,” the company said.

The exact initial access routes employed by the threat actor remain unknown as yet. However, a successful initial foothold is abused to gain access to other machines on the local network, even turning some of the compromised machines into proxies or update servers to store updates for their backdoor.

The attacks are characterized by the use of malware families such as TONESHELL, TONEINS, and PUBLOAD – all attributed to the Mustang Panda group – while also making use of an arsenal of never-before-seen tools to aid data exfiltration.

“After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump credentials, and used a legitimate Avast driver and a custom application to disable security products on the machine,” Dumont said.

“From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store updates for TONESHELL, turning it into an update server.”

The newly discovered custom toolset is as follows –

WavyExfiller – A Python uploader that harvests data, including connected devices like USBs and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints
DropboxFlop – A Python DropboxFlop that’s a variant of a publicly-available reverse shell called DropFlop that comes with upload and download features and uses Dropbox as a command-and-control (C&C) server
OneDoor – A C++ backdoor that abuses Microsoft OneDrive REST API to receive commands and exfiltrate files
BingoShell – A Python backdoor that abuses GitHub’s pull request and issues comment features to create a stealthy reverse shell

“From a high-level point of view, [BingoShell] leverages a private GitHub repository as a C&C server,” ESET explained. “The script uses a hard-coded token to authenticate and the pull requests and issues comments features to receive commands to execute and send back the results.”

Calling out CeranaKeeper’s ability to quickly write and rewrite its toolset as required to evade detection, the company said the threat actor’s end goal is to develop bespoke malware that can allow it to collect valuable information on a large scale.

“Mustang Panda and CeranaKeeper seem to operate independently of each other, and each has its own toolset,” it said. “Both threat actors may rely on the same third party, such as a digital quartermaster, which is not uncommon among China-aligned groups, or have some level of information sharing, which would explain the links that have been observed.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.