A previously undocumented threat actor tracked as CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia.
Slovak cybersecurity company ESET observed attacks against government institutions in Thailand starting in 2023 and attributed the campaign to China, noting its use of tools previously linked to the Mustang Panda group.
“The gang keeps updating its secret access to avoid detection and varies its techniques to support extensive information theft,” detailed security analyst Romain Dumont stated in an analysis released today.
“CeranaKeeper misuses prevailing, lawful cloud and file-sharing platforms like Dropbox and OneDrive to install personalized backdoors and extraction tools.”
Other countries targeted by the adversary include Myanmar, the Philippines, Japan, and Taiwan, all of which have been hit by Chinese state-sponsored threat actors in recent years.
ESET characterized CeranaKeeper as relentless, creative, and quick to adapt its approach, and also described it as aggressive and greedy, given its ability to move laterally through compromised environments and vacuum up as much information as possible using a variety of backdoors and exfiltration tools.
“Their widespread use of wildcard expressions for traversing, occasionally, complete drives indicated their objective was vast information siphoning,” outlined the corporation.
The exact initial access vector used by the threat actor is not yet known. Once a foothold is established, however, it is used to reach other machines on the local network, with some of the compromised machines turned into proxies or update servers that host updates for the backdoor.
The attacks are characterized by the use of malware families such as TONESHELL, TONEINS, and PUBLOAD – all linked to the Mustang Panda group – alongside an array of previously unseen tools that facilitate data theft.
“After gaining privileged permissions, the intruders installed the TONESHELL backdoor, deployed a tool to extract credentials, and utilized a legitimate Avast driver and a custom application to deactivate security solutions on the system,” Dumont mentioned.
“From this compromised server, they utilized a remote administration console to distribute and execute their backdoor on other computers in the network. Moreover, CeranaKeeper employed the compromised server to retain updates for TONESHELL, changing it into an update server.”
The recently discovered custom toolset includes the following –
- WavyExfiller – A Python uploader that collects data, including from connected devices such as USB drives and hard disks, and uses Dropbox and PixelDrain as exfiltration endpoints
- DropboxFlop – A Python variant of a publicly available reverse shell known as DropFlop that adds upload and download capabilities and uses Dropbox as a command-and-control (C&C) server
- BingoShell – A Python backdoor that abuses GitHub's pull request and issue comment features to establish a stealthy reverse shell
“From a top-level view, [BingoShell] makes use of a private GitHub repository as a C&C server,” clarified ESET. “The script employs a hard-coded token for authentication and the pull requests and issues comments features to accept commands for execution and relay back the outcomes.”
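The two behaviours described above, regular polling of a GitHub issue or pull request comments endpoint (BingoShell) and bulk uploads to Dropbox or PixelDrain (WavyExfiller), leave a footprint in web-proxy logs. The following detection heuristic is an added example, not ESET's code or any CeranaKeeper tool; the log format, sample lines, hostnames and thresholds are assumptions chosen for illustration.

```python
"""Beaconing and bulk-upload heuristics over constructed web-proxy log lines.
Added example, not ESET's or any CeranaKeeper tool's code. Log format, hostnames
and thresholds are assumptions chosen to illustrate the two behaviours."""
from collections import defaultdict
import re
import statistics

# Constructed sample, fields: epoch src_ip method host path bytes_out user_agent
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET api.github.com /repos/acme/notes/issues/3/comments 120 python-requests/2.31
1700000060 10.0.0.5 GET api.github.com /repos/acme/notes/issues/3/comments 120 python-requests/2.31
1700000120 10.0.0.5 GET api.github.com /repos/acme/notes/issues/3/comments 120 python-requests/2.31
1700000180 10.0.0.5 POST api.github.com /repos/acme/notes/issues/3/comments 900 python-requests/2.31
1700000240 10.0.0.5 GET api.github.com /repos/acme/notes/issues/3/comments 120 python-requests/2.31
1700000300 10.0.0.7 POST content.dropboxapi.com /2/files/upload 150000000 python-requests/2.31
1700000100 10.0.0.9 GET api.github.com /repos/acme/notes/issues/3/comments 500 Mozilla/5.0
1700003700 10.0.0.9 GET api.github.com /repos/acme/notes/issues/3/comments 500 Mozilla/5.0
"""
GITHUB_COMMENT_PATH = re.compile(r"^/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments")
EXFIL_HOSTS = {"content.dropboxapi.com", "pixeldrain.com"}
UPLOAD_BYTES_THRESHOLD = 50_000_000  # assumption: one 50 MB+ request is unusual

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, src, method, host, path, nbytes, ua = line.split(maxsplit=6)
        rows.append((int(ts), src, method, host, path, int(nbytes), ua))
    return rows

def find_github_beacons(rows, min_hits=4, max_jitter=0.2):
    """Source IPs hitting a GitHub issue/PR comments endpoint at near-constant intervals."""
    hits = defaultdict(list)
    for ts, src, _, host, path, _, _ in rows:
        if host == "api.github.com" and GITHUB_COMMENT_PATH.match(path):
            hits[src].append(ts)
    flagged = []
    for src, times in hits.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular cadence (low spread relative to the mean gap) is the beacon signal
        if len(times) >= min_hits and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            flagged.append(src)
    return sorted(flagged)

def find_bulk_uploads(rows):
    """(src, host, bytes) for large POSTs to the file-sharing endpoints named above."""
    return [(src, host, n) for _, src, method, host, _, n, _ in rows
            if method == "POST" and host in EXFIL_HOSTS and n >= UPLOAD_BYTES_THRESHOLD]
```

Both checks are noisy on their own in an environment where developers legitimately use GitHub and Dropbox; combining them with the user agent field and the host's expected role sharpens the signal.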
Highlighting CeranaKeeper's ability to quickly develop and rework its toolset as needed to evade detection, the company said the threat actor's goal is to create custom malware that lets it harvest valuable information at scale.
“Mustang Panda and CeranaKeeper appear to function autonomously from one another, each possessing its distinct toolset,” it expressed. “Both threat actors might depend on the same third party, such as a digital quartermaster, which is not rare among China-aligned groups, or engage in some level of information exchange, clarifying the connections that have been witnessed.”