Cybersecurity firm ESET has identified a new China-aligned threat actor, dubbed “CeranaKeeper,” operating across Southeast Asia, with a primary focus on Thailand.
CeranaKeeper has been carrying out widespread data exfiltration campaigns since early 2022, primarily targeting governmental institutions. The findings mark a significant development in the region’s ongoing cyber threat landscape, particularly given the group’s sophisticated techniques and use of both common and custom tools.
CeranaKeeper vs. Mustang Panda: A New Threat Actor Emerges
Initially, some of CeranaKeeper’s activities were attributed to the China-linked advanced persistent threat (APT) group Mustang Panda. However, ESET researchers have now determined that CeranaKeeper operates independently, deploying a unique arsenal of tools and techniques.
The group’s distinct operational methods, infrastructure, and campaigns, despite similarities to Mustang Panda, justify the classification of CeranaKeeper as a separate entity.
CeranaKeeper, named after the Asian honey bee species Apis cerana, is relentlessly adaptable. Its constant updates to the TONESHELL backdoor—a hallmark of the group—allow it to sneak past security tools while stealing vast amounts of sensitive information.
Exploiting Popular Cloud Services for Command and Control
One of the remarkable elements of CeranaKeeper’s operations is its abuse of legitimate cloud and file-sharing services like Dropbox, OneDrive, Pastebin, and GitHub. The group cunningly disguises its operations by leveraging these platforms for both command-and-control (C&C) communication and data exfiltration, exploiting the difficulty in blocking traffic to these well-known services.
CeranaKeeper’s toolset is made up of custom backdoors and reverse shells, some of which use GitHub’s pull request and issue comment features to receive commands and return output, turning GitHub into a stealthy C&C server. By routing traffic through these platforms, CeranaKeeper blends its malicious communications in with legitimate use of the same services, adding a layer of complexity to its operations.
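Because traffic to GitHub, Dropbox, OneDrive and Pastebin cannot simply be blocked, defenders typically look for the shape of the traffic rather than the destination: a non-developer host polling one API endpoint on a fixed interval (command retrieval) or pushing tens of megabytes to a file-sharing service (exfiltration). The script below is an added illustration of that idea and is not code from ESET or from the article; the proxy log format, hostnames, thresholds and service list are constructed assumptions, not indicators from the report.

```python
"""Flag hosts whose traffic to cloud/file-sharing services looks like
C&C polling or bulk upload.  Added example: the log format, hostnames
and thresholds are constructed, not taken from ESET's CeranaKeeper report.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Services the article names as abused for C&C and exfiltration
# (domain -> service label).  Assumed mapping for this example.
WATCHED_SERVICES = {
    "api.github.com": "github",
    "github.com": "github",
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "pastebin.com": "pastebin",
    "graph.microsoft.com": "onedrive",
    "api.onedrive.com": "onedrive",
}

# Constructed proxy log: "<ISO timestamp> <src_host> <method> <url> <bytes_out>"
SAMPLE_LOG = """\
2024-09-30T08:00:00 FIN-WS-017 GET https://api.github.com/repos/x/y/issues/1/comments 412
2024-09-30T08:05:00 FIN-WS-017 GET https://api.github.com/repos/x/y/issues/1/comments 410
2024-09-30T08:10:01 FIN-WS-017 GET https://api.github.com/repos/x/y/issues/1/comments 415
2024-09-30T08:15:00 FIN-WS-017 GET https://api.github.com/repos/x/y/issues/1/comments 409
2024-09-30T08:20:00 FIN-WS-017 GET https://api.github.com/repos/x/y/issues/1/comments 411
2024-09-30T08:21:30 FIN-WS-017 POST https://content.dropboxapi.com/2/files/upload 73400320
2024-09-30T08:02:13 DEV-WS-004 GET https://api.github.com/repos/corp/app/pulls 1200
2024-09-30T09:47:02 DEV-WS-004 POST https://api.github.com/repos/corp/app/issues/9/comments 2400
2024-09-30T08:03:00 HR-WS-022 GET https://www.google.com/ 600
"""

BEACON_MIN_REQUESTS = 5               # at least this many polls to one service
BEACON_MAX_CV = 0.15                  # max coefficient of variation of poll gaps
BULK_UPLOAD_BYTES = 50 * 1024 * 1024  # 50 MiB outbound to one service


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, host, method, url, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "method": method,
        "domain": urlparse(url).hostname,
        "bytes_out": int(size),
    }


def analyse(log_text, dev_hosts=frozenset()):
    """Return a list of (host, service, reason) findings.

    dev_hosts is an allowlist of machines expected to talk to these
    services (e.g. developer workstations); they are not reported.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        svc = WATCHED_SERVICES.get(rec["domain"])
        if svc is None:
            continue
        groups[(rec["host"], svc)].append(rec)

    findings = []
    for (host, svc), recs in sorted(groups.items()):
        if host in dev_hosts:
            continue
        recs.sort(key=lambda r: r["ts"])

        # Exfiltration heuristic: large outbound volume to one service.
        total_out = sum(r["bytes_out"] for r in recs if r["method"] in ("POST", "PUT"))
        if total_out >= BULK_UPLOAD_BYTES:
            findings.append((host, svc, f"bulk upload of {total_out} bytes"))

        # C&C heuristic: many GETs with nearly constant inter-arrival time.
        gets = [r for r in recs if r["method"] == "GET"]
        if len(gets) >= BEACON_MIN_REQUESTS:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(gets, gets[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg else 0.0
            if cv <= BEACON_MAX_CV:
                findings.append((host, svc, f"periodic polling every ~{avg:.0f}s (cv={cv:.2f})"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, dev_hosts={"DEV-WS-004"}):
        print(*finding)
```

On the constructed sample, the finance workstation is reported twice (a five-minute polling pattern against one GitHub issue-comments endpoint, and a 70 MiB upload to Dropbox), while the developer machine's irregular, low-volume GitHub use produces nothing. Real deployments would read the same fields from a proxy or NetFlow export and tune the thresholds per environment.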
A Persistent Threat to Southeast Asia
Since early last year, CeranaKeeper has aggressively targeted public sector entities in Thailand, using sophisticated means to gain a foothold on networks. After it achieves initial access, the group carries out brute-force attacks on domain controllers, uses credential-dumping tools, and even disables security products using a legitimate Avast driver.
Once inside, the malefactors move laterally across networks, using compromised systems as update servers for their backdoor tools. The group’s endgame is predictable: exfiltrating as much data as possible, using previously unseen custom tools to harvest whole file trees from compromised systems.
Looking Ahead: A Growing Threat
CeranaKeeper’s focus on governmental targets in Thailand, along with operations in Myanmar, the Philippines, Japan, and Taiwan, suggests a continued alignment with Chinese interests in the region. ESET’s findings shine a light on a highly adaptable and persistent group that can rapidly pivot and modify its tools to evade security controls.
ESET researchers shared their findings at the Virus Bulletin conference on 2 October 2024 and released a detailed white paper on CeranaKeeper’s tactics, techniques, and procedures (TTPs).
While more revelations about this group are expected in the future, CeranaKeeper’s ability to innovate and evade detection remains a significant threat to Southeast Asia’s cybersecurity landscape.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.