Boztek

CeranaKeeper making a beeline for Thailand

ESET researchers have identified a new advanced persistent threat (APT) group, termed CeranaKeeper, which is suspected of targeting governmental institutions in Thailand since 2023. This group is believed to be aligned with Chinese interests and specifically builds upon and revamps tools and techniques previously associated with Mustang Panda, another known China-aligned threat actor. CeranaKeeper employs sophisticated strategies involving popular cloud and file-sharing services—such as Dropbox, OneDrive, and GitHub—to execute commands on compromised machines and exfiltrate sensitive data, often updating its backdoor technologies to evade detection.

The research suggests that CeranaKeeper has been operational since at least early 2022 and has extended its attacks beyond Thailand to other Asian nations, including Myanmar, the Philippines, Japan, and Taiwan. The group employs a range of custom tools aimed at extensively harvesting data from infected networks. For instance, during a compromise described by ESET, the attackers not only turned infected systems into update servers for their own tooling but also created a stealthy reverse shell that communicates through GitHub's pull request and issue comment features. This adaptation allows covert communication to hide within traffic to a commonly used development platform.

CeranaKeeper’s operations, outlined in detail in ESET’s APT Activity Report for Q4 2023–Q1 2024, emphasize the group’s continual development of custom tools, among them the bespoke stagers commonly referred to as TONESHELL. Notable differences between CeranaKeeper and Mustang Panda include their distinct operational practices, campaigns, and specific toolkits, although the two groups may share information or rely on some of the same tooling.

CeranaKeeper’s techniques are effective: the group has shown it can target and gain control over systems rapidly. Following a successful compromise in a Thai governmental network, the group dumped credentials and employed various security evasion techniques—such as disabling antivirus programs—to expand its control over the network. Its lateral movement allowed it to deploy backdoors on other machines within the same local network, with the goal of large-scale data theft.

CeranaKeeper’s custom tools exhibit significant adaptability in their attack methods. For instance, several components were developed to move large volumes of data to public file-storage services. WavyExfiller, discovered in mid-2023, exemplifies this by using Dropbox for uploads: it retrieves an encrypted Dropbox token from a Pastebin page, archives documents, and uploads the archives to the cloud. In parallel, a variant named oneDrive.exe surfaced, which uses PixelDrain for the same exfiltration purpose, further showcasing the group’s aggressive data collection tactics.

Another addition to their toolkit is the DropboxFlop backdoor, which enables command execution and file uploads from a compromised machine through a locally created folder linked to a remote Dropbox location. CeranaKeeper also deployed OneDoor, a C++ backdoor that mimics legitimate OneDrive functionality to receive and execute commands, staging collected data on OneDrive before the attackers retrieve it.

Moreover, the BingoShell variant supports remote operations via GitHub, a clever abuse of the platform to manage compromised machines. By employing GitHub as a command and control (C&C) server, BingoShell obscures its activity under the guise of software development, further complicating detection efforts.
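The exfiltration pattern described above (a token fetched from a paste site, followed shortly by bulk uploads to a file-sharing API) lends itself to a simple correlation rule over proxy telemetry. The following is an added defender-side example, not code from the ESET report or the tools it describes; the log format, endpoint lists and thresholds are assumptions to be tuned to your own telemetry.

```python
from datetime import datetime, timedelta

# Assumed endpoint lists for illustration; adjust to the services seen in your proxy logs.
PASTE_SITES = {"pastebin.com"}
UPLOAD_ENDPOINTS = {"content.dropboxapi.com", "pixeldrain.com", "api.github.com"}
WINDOW = timedelta(minutes=10)          # paste fetch and uploads must fall within this span
MIN_UPLOAD_BYTES = 10 * 1024 * 1024     # 10 MiB: archives, not ordinary API chatter

# Constructed proxy log lines (not real telemetry): timestamp host process method domain bytes_out
SAMPLE_LOG = [
    "2023-06-01T09:00:01 ws-12 chrome.exe GET www.example.com 512",
    "2023-06-01T09:02:10 ws-12 oneDrive.exe GET pastebin.com 1024",
    "2023-06-01T09:02:45 ws-12 oneDrive.exe POST content.dropboxapi.com 52428800",
    "2023-06-01T09:03:30 ws-12 oneDrive.exe POST content.dropboxapi.com 61000000",
    # A legitimate Dropbox user on another host: large upload, but no preceding paste-site fetch.
    "2023-06-01T09:10:00 ws-07 Dropbox.exe POST content.dropboxapi.com 90000000",
]


def parse(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, host, proc, method, domain, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "method": method, "domain": domain, "bytes": int(nbytes)}


def find_paste_then_upload(lines, window=WINDOW, min_bytes=MIN_UPLOAD_BYTES):
    """Return [(host, process, bytes_uploaded)] for (host, process) pairs that fetched from a
    paste site and, within `window`, uploaded at least `min_bytes` to a file-sharing endpoint."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    last_paste = {}   # (host, proc) -> time of the most recent paste-site fetch
    uploaded = {}     # (host, proc) -> bytes sent to upload endpoints since that fetch
    for e in events:
        key = (e["host"], e["proc"])
        if e["domain"] in PASTE_SITES:
            last_paste[key] = e["ts"]
            uploaded[key] = 0
        elif e["domain"] in UPLOAD_ENDPOINTS and e["method"] in ("POST", "PUT"):
            started = last_paste.get(key)
            if started is not None and e["ts"] - started <= window:
                uploaded[key] += e["bytes"]
    return [(h, p, b) for (h, p), b in uploaded.items() if b >= min_bytes]


if __name__ == "__main__":
    for host, proc, total in find_paste_then_upload(SAMPLE_LOG):
        print(f"ALERT {host} {proc}: {total} bytes to upload endpoints after paste-site fetch")
```

The rule keys on the sequence rather than on any single domain, so ordinary use of Dropbox or GitHub does not trigger it; process names are deliberately not trusted, since the page notes a sample named oneDrive.exe.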

In conclusion, the emergence of CeranaKeeper as a distinct threat actor underlines a sophisticated and relentless approach to cyber espionage, marked by its use of cloud services for data exfiltration and its advanced obfuscation techniques. As the group continues to evolve its toolsets rapidly, their focus on extensive data harvesting poses significant risks not only to targeted nations but potentially to a wider array of stakeholders. Ongoing research will likely illuminate further aspects of their operations and intentions in the future.