Cybersecurity firm ESET has identified a new China-aligned threat actor, dubbed “CeranaKeeper,” operating across Southeast Asia, with a primary focus on Thailand.
CeranaKeeper has been carrying out widespread data exfiltration campaigns since early 2022, primarily targeting governmental institutions. The findings mark a significant development in the region’s ongoing cyber threat landscape, particularly given the group’s sophisticated techniques and use of both common and custom tools.
CeranaKeeper vs. Mustang Panda: A New Threat Actor Emerges
Initially, some of CeranaKeeper’s activities were attributed to the China-linked advanced persistent threat (APT) group Mustang Panda. However, ESET researchers have now determined that CeranaKeeper operates independently, deploying a unique arsenal of tools and techniques.
The group’s distinct operational methods, infrastructure, and campaigns, despite similarities to Mustang Panda, justify the classification of CeranaKeeper as a separate entity.
CeranaKeeper, named after the Asian honey bee species Apis cerana, is relentlessly adaptable. It continually updates the TONESHELL backdoor, a hallmark of the group, so that the implant keeps slipping past security tools while it steals large volumes of sensitive information.
Exploiting Popular Cloud Services for Command and Control
A notable feature of CeranaKeeper's operations is its abuse of legitimate cloud and file-sharing services, namely Dropbox, OneDrive, Pastebin, and GitHub, for both command-and-control (C&C) communication and data exfiltration. Traffic to these services is HTTPS to well-known, trusted domains that most organisations cannot realistically block, and the group relies on exactly that: its beacons and uploads blend in with ordinary business use.
The toolset consists of custom backdoors and reverse shells. One of the reverse shells uses GitHub's pull request and issue comment features as its channel, effectively turning GitHub into a C&C server. Because the connections terminate at a legitimate platform, the malicious traffic is hard to separate from normal developer activity at the network layer; the useful signal is which process is talking to the service, and how regularly.
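The practical consequence of the paragraph above is that perimeter blocking does not help, so the hunt has to move to the endpoint. The following added example (editor's illustration, not ESET's code and not CeranaKeeper's tooling) runs two checks over constructed Sysmon-style network events: which processes other than an allowlisted set of clients are reaching the abused services, and whether any (host, process, destination) triple is polling at a suspiciously regular interval. The service host names, the process allowlist, and the sample log lines are all assumptions made for the example.

```python
"""Hunting cloud-service C&C in endpoint network logs.

Added example for this article; it is not ESET's code and not CeranaKeeper's
tooling. Assumptions: log records look like Sysmon Event ID 3 (process image
plus destination host name); the allowlist of expected client processes is a
local policy choice; the sample records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Services the article says the group abuses. The host names are assumptions
# about what each service's API traffic looks like, not taken from the report.
WATCHED_HOSTS = {
    "api.github.com": "GitHub",
    "github.com": "GitHub",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "pastebin.com": "Pastebin",
}

# Processes a workstation is expected to let talk to those hosts. Kept short on
# purpose: the goal is to surface everything else, not to be exhaustive.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe",
                   "dropbox.exe", "onedrive.exe", "git.exe"}

# Constructed sample: "timestamp host image destination port".
SAMPLE_EVENTS = """\
2024-09-02T08:00:01 WS-104 chrome.exe api.github.com 443
2024-09-02T08:00:05 WS-104 chrome.exe github.com 443
2024-09-02T08:01:00 WS-211 svchost.exe api.github.com 443
2024-09-02T08:06:00 WS-211 svchost.exe api.github.com 443
2024-09-02T08:11:00 WS-211 svchost.exe api.github.com 443
2024-09-02T08:16:00 WS-211 svchost.exe api.github.com 443
2024-09-02T08:03:17 WS-335 dropbox.exe content.dropboxapi.com 443
2024-09-02T09:30:00 WS-335 notepad.exe content.dropboxapi.com 443
2024-09-02T10:00:00 WS-104 chrome.exe www.example.org 443
"""


def parse_events(text):
    """Turn the one-line-per-connection log into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, dest, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "image": image.lower(), "dest": dest.lower(),
                       "port": int(port)})
    return events


def unexpected_cloud_connections(events):
    """Watched-service connections from a process not on the allowlist.

    Blocking the services is impractical, so the first cut is: which
    *process* is talking to them? svchost.exe or notepad.exe pushing to
    GitHub or Dropbox deserves a look; a browser does not.
    """
    hits = {(e["host"], e["image"], e["dest"], WATCHED_HOSTS[e["dest"]])
            for e in events
            if e["dest"] in WATCHED_HOSTS and e["image"] not in EXPECTED_IMAGES}
    return sorted(hits)


def beacon_candidates(events, min_samples=4, max_cv=0.2):
    """(host, image, dest) tuples whose connection gaps are suspiciously regular.

    cv = stdev / mean of the inter-connection intervals. A person clicking
    around produces a large cv; a timer-driven implant polling a cloud API
    for tasking produces a small one.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["dest"] in WATCHED_HOSTS:
            by_key[(e["host"], e["image"], e["dest"])].append(e["ts"])
    findings = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_samples:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings[key] = {"mean_interval_s": avg, "cv": round(cv, 3),
                             "samples": len(stamps)}
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for hit in unexpected_cloud_connections(evts):
        print("unexpected client:", hit)
    for key, info in beacon_candidates(evts).items():
        print("beacon candidate:", key, info)
```

On the sample, the allowlist check surfaces svchost.exe and notepad.exe, and the interval check singles out the svchost.exe polling of api.github.com every five minutes. Real logs need a longer `min_samples` and jitter tolerance, since implants often randomise their sleep; the coefficient of variation is a starting point, not a verdict.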
A Persistent Threat to Southeast Asia
Since early 2023, CeranaKeeper has aggressively targeted public sector entities in Thailand. After gaining initial access, the group brute-forces domain controllers, runs credential-dumping tools, and disables security products by loading a legitimately signed Avast driver and abusing it, the bring-your-own-vulnerable-driver (BYOVD) pattern that lets a signed but exploitable driver kill protected processes from the kernel.
Once inside, the attackers move laterally across the network, repurposing compromised systems as update servers for their backdoors. The endgame is predictable: exfiltrate as much data as possible, using previously unseen custom tools that harvest whole file trees from compromised hosts.
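The brute-force step described above is one of the few loud moments in an otherwise quiet intrusion, and it is visible on the domain controller itself. The following added example (editor's illustration, not ESET's code and not the group's tooling) runs a sliding-window detection over constructed Windows Security events: bursts of 4625 failed logons from one source, how many accounts were tried, and whether a 4624 success from the same source followed the burst. The event format, the thresholds, and the sample events are assumptions made for the example.

```python
"""Spotting a brute-force run against a domain controller.

Added example for this article; not ESET's code and not the group's tooling.
Assumptions: records are Windows Security events 4625 (failed logon) and 4624
(successful logon) exported from the DC one per line; thresholds are
illustrative and should be tuned per environment; the sample events are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp event_id dc source_ip account".
# 10.10.5.23 sprays four accounts in twelve seconds and then lands one;
# 10.10.7.80 is a user who mistyped a password once.
SAMPLE_EVENTS = """\
2024-09-03T01:00:00 4625 DC01 10.10.5.23 administrator
2024-09-03T01:00:01 4625 DC01 10.10.5.23 administrator
2024-09-03T01:00:02 4625 DC01 10.10.5.23 administrator
2024-09-03T01:00:03 4625 DC01 10.10.5.23 svc_backup
2024-09-03T01:00:04 4625 DC01 10.10.5.23 svc_backup
2024-09-03T01:00:05 4625 DC01 10.10.5.23 svc_backup
2024-09-03T01:00:06 4625 DC01 10.10.5.23 it_admin
2024-09-03T01:00:07 4625 DC01 10.10.5.23 it_admin
2024-09-03T01:00:08 4625 DC01 10.10.5.23 it_admin
2024-09-03T01:00:09 4625 DC01 10.10.5.23 helpdesk
2024-09-03T01:00:10 4625 DC01 10.10.5.23 helpdesk
2024-09-03T01:00:11 4625 DC01 10.10.5.23 helpdesk
2024-09-03T01:00:20 4624 DC01 10.10.5.23 svc_backup
2024-09-03T08:15:00 4625 DC01 10.10.7.80 jdoe
2024-09-03T08:16:30 4624 DC01 10.10.7.80 jdoe
"""


def parse_events(text):
    """Turn the one-line-per-event export into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, dc, src, account = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "dc": dc, "src": src, "account": account.lower()})
    return events


def brute_force_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any `window`.

    Two-pointer sliding window over each source's sorted failure timestamps.
    For a flagged source the first 4624 after the burst is reported too: a
    run of 4625s followed by a 4624 is the shape of a guess that landed,
    which is what turns "noise" into "incident".
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        (failures if e["id"] == 4625 else successes)[e["src"]].append(e)

    findings = {}
    for src, fails in failures.items():
        stamps = [f["ts"] for f in fails]
        best, burst_end, j = 0, None, 0
        for i in range(len(stamps)):
            # advance j to the first failure outside the window starting at i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i > best:
                best, burst_end = j - i, stamps[j - 1]
        if best < threshold:
            continue
        landed = next((s for s in successes.get(src, []) if s["ts"] >= burst_end), None)
        findings[src] = {
            "failures_in_window": best,
            "distinct_accounts": len({f["account"] for f in fails}),
            "success_after": landed["account"] if landed else None,
        }
    return findings


if __name__ == "__main__":
    for src, info in brute_force_sources(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

Counting distinct accounts separates a password spray (many accounts, few guesses each) from a classic brute force against one account; both are worth a ticket, but the response differs. On a busy DC the threshold should be set from a baseline of normal failure rates rather than picked by hand.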
Looking Ahead: A Growing Threat
CeranaKeeper’s focus on governmental targets in Thailand, along with operations in Myanmar, the Philippines, Japan, and Taiwan, suggests a continued alignment with Chinese interests in the region. ESET’s findings shine a light on a highly adaptable and persistent group that can rapidly pivot and modify its tools to evade detection.
ESET researchers shared their findings at the Virus Bulletin conference on 2 October 2024 and released a detailed white paper on CeranaKeeper’s tactics, techniques, and procedures (TTPs).
While more revelations about this group are expected in the future, CeranaKeeper’s ability to innovate and evade detection remains a significant threat to Southeast Asia’s cybersecurity landscape.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.