A previously undocumented threat actor known as CeranaKeeper has been linked to a string of data exfiltration attacks targeting Southeast Asia.
Slovak cybersecurity firm ESET, which observed campaigns targeting governmental institutions in Thailand starting in 2023, attributed the activity cluster as aligned to China, leveraging tools previously identified as used by the Mustang Panda actor.
“The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration,” security researcher Romain Dumont said in an analysis published today.
“CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools.”
Among the other countries targeted by the adversary are Myanmar, the Philippines, Japan, and Taiwan, all of which have been targeted by Chinese state-sponsored threat actors in recent years.
ESET described CeranaKeeper as relentless, creative, and capable of swiftly adapting its modus operandi, while also calling it aggressive and greedy for its ability to move laterally across compromised environments and hoover up as much information as possible via various backdoors and exfiltration tools.
“Their extensive use of wildcard expressions for traversing, sometimes, entire drives clearly showed their aim was massive data siphoning,” the company said.
The exact initial access routes employed by the threat actor remain unknown as yet. However, a successful initial foothold is abused to gain access to other machines on the local network, even turning some of the compromised machines into proxies or update servers that store updates for its backdoor.
The attacks are characterized by the use of malware families such as TONESHELL, TONEINS, and PUBLOAD, all attributed to the Mustang Panda group, while also making use of an arsenal of never-before-seen tools to support data exfiltration.
“After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump credentials, and used a legitimate Avast driver and a custom application to disable security products on the machine,” Dumont said.
“From this compromised server, they used a remote administration console to deploy and execute their backdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store updates for TONESHELL, turning it into an update server.”
The newly discovered custom toolset is as follows:
- WavyExfiller – A Python uploader that harvests data, including from connected devices like USB drives and hard drives, and uses Dropbox and PixelDrain as exfiltration endpoints
- DropboxFlop – A Python variant of a publicly available reverse shell called DropFlop that comes with upload and download features and uses Dropbox as a command-and-control (C&C) server
- BingoShell – A Python backdoor that abuses GitHub’s pull request and issue comment features to create a stealthy reverse shell
“From a high-level point of view, [BingoShell] leverages a private GitHub repository as a C&C server,” ESET explained. “The script uses a hard-coded token to authenticate and the pull requests and issues comments features to receive commands to execute and send back the results.”
Calling out CeranaKeeper’s ability to quickly write and rewrite its toolset as required to evade detection, the company said the threat actor’s end goal is to develop bespoke malware that allows it to collect valuable information on a large scale.
“Mustang Panda and CeranaKeeper seem to operate independently of each other, and each has its own toolset,” it said. “Both threat actors may rely on the same third party, such as a digital quartermaster, which is not uncommon among China-aligned groups, or have some level of information sharing, which would explain the links that have been observed.”
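The C&C pattern ESET describes for BingoShell, an implant polling a repository's issue or pull request comments for commands and posting results back as new comments, is what a defender can hunt for: repeated GET requests to GitHub's comment endpoints interleaved with POSTs, coming from a process that has no business talking to the GitHub API. The script below is an added detection example, not ESET's code or BingoShell itself; the log format, hostnames, repository names and the process allowlist are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy/EDR log lines (not real telemetry from the ESET report).
# Fields: timestamp, host, originating process, HTTP method, URL.
SAMPLE_LOG = """\
2024-10-02T08:00:01Z host=WS-014 proc=python.exe method=GET url=https://api.github.com/repos/ex-org/notes/issues/3/comments
2024-10-02T08:00:31Z host=WS-014 proc=python.exe method=GET url=https://api.github.com/repos/ex-org/notes/issues/3/comments
2024-10-02T08:01:01Z host=WS-014 proc=python.exe method=POST url=https://api.github.com/repos/ex-org/notes/issues/3/comments
2024-10-02T08:02:01Z host=WS-014 proc=python.exe method=GET url=https://api.github.com/repos/ex-org/notes/pulls/7/comments
2024-10-02T08:05:00Z host=DEV-03 proc=git.exe method=GET url=https://github.com/ex-org/app.git/info/refs
2024-10-02T08:05:10Z host=DEV-03 proc=Code.exe method=GET url=https://api.github.com/repos/ex-org/app/pulls/12/comments
2024-10-02T09:00:00Z host=WS-020 proc=chrome.exe method=GET url=https://api.github.com/repos/ex-org/app/issues/1/comments
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) url=(?P<url>\S+)$"
)
# GitHub REST endpoints that list/create issue comments and pull request review comments.
COMMENT_API_RE = re.compile(
    r"^https://api\.github\.com/repos/(?P<repo>[^/]+/[^/]+)/(issues|pulls)/\d+/comments$"
)
# Hypothetical allowlist: processes from which GitHub API traffic is expected on a workstation.
EXPECTED_PROCS = {"git.exe", "code.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def flag_github_comment_c2(log_text, min_polls=3):
    """Return (host, process, repo) tuples whose GitHub comment-API traffic looks like a
    command channel: repeated fetches (polling) and/or a read-plus-write mix from a process
    that is not on the allowlist."""
    stats = defaultdict(lambda: {"gets": 0, "posts": 0, "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        api = COMMENT_API_RE.match(rec["url"])
        if api is None or rec["proc"].lower() in EXPECTED_PROCS:
            continue  # not a comment endpoint, or a process we expect to use GitHub
        key = (rec["host"], rec["proc"], api.group("repo"))
        s = stats[key]
        if rec["method"] == "GET":
            s["gets"] += 1
        elif rec["method"] == "POST":
            s["posts"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    findings = []
    for (host, proc, repo), s in stats.items():
        reasons = []
        if s["gets"] >= min_polls:
            reasons.append(f"{s['gets']} comment fetches (polling)")
        if s["gets"] and s["posts"]:
            reasons.append("both reads and writes (command/result channel)")
        if reasons:
            findings.append({
                "host": host, "proc": proc, "repo": repo,
                "gets": s["gets"], "posts": s["posts"],
                "span_min": (s["last"] - s["first"]).total_seconds() / 60,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_github_comment_c2(SAMPLE_LOG):
        print(f"{f['host']} {f['proc']} -> {f['repo']}: {f['gets']} GET / {f['posts']} POST "
              f"over {f['span_min']:.1f} min; {'; '.join(f['reasons'])}")
```

Run as-is, the script flags only WS-014, where python.exe polls the comments of an issue and a pull request and also posts to them; the developer machine and the browser-originated request are dropped by the allowlist. The allowlist is the weak point of this heuristic: a Python interpreter or a renamed binary that sits on it would pass, so in practice the process check should be paired with a signed-binary or parent-process check rather than a name alone.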