CeranaKeeper targets Southeast Asia in massive malware campaign

October 4, 2024
CeranaKeeper Southeast Asia Cyberattack Malware Data Exfiltration

A newly identified threat actor, CeranaKeeper, has been linked to a series of data exfiltration attacks targeting Southeast Asia. According to cybersecurity researchers, these attacks began in 2023, with a focus on governmental institutions in Thailand. The threat group has been associated with China-based cyber actors, sharing similarities with the well-known Mustang Panda group.

The attacks have not been limited to Thailand; organisations in Myanmar, the Philippines, Japan, and Taiwan have also been hit. CeranaKeeper stands out for how frequently it updates its methods and tools, which makes it hard for defenders to keep signatures current. The group uses widely available cloud and file-sharing platforms such as Dropbox and OneDrive as command-and-control and exfiltration channels for its custom backdoors, pulling large amounts of sensitive data out through traffic that blends in with legitimate use of those services.


This research highlights that CeranaKeeper is aggressive and relentless in its approach, often moving laterally across compromised networks to gather as much information as possible.


The group employs wildcard expressions to traverse entire drives, demonstrating their intent to exfiltrate data on a large scale. Once inside a network, CeranaKeeper leverages its access to turn compromised machines into proxies or update servers for deploying backdoors.

One of the notable characteristics of this campaign is the use of multiple malware families, including TONESHELL, TONEINS, and PUBLOAD, which have ties to Mustang Panda. CeranaKeeper has, however, built its own arsenal on top of these. It includes WavyExfiller, a Python-based uploader that uses Dropbox and PixelDrain as exfiltration endpoints; DropboxFlop, a reverse shell that uses Dropbox for command-and-control; OneDoor, a backdoor that uses the OneDrive REST API to receive commands and exfiltrate files; and BingoShell, a backdoor that abuses GitHub's pull request and issue features to run a stealthy reverse shell. The common thread is that every channel terminates at a legitimate, widely trusted service, so the traffic is unlikely to be blocked outright at the network edge.
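Because each of these tools talks to a legitimate service, blocking by destination is rarely an option; what defenders can do is hunt in egress proxy logs for hosts that push unusual volumes to these services or poll them from scripted clients. The following Python is an added illustration written for this article, not code from the researchers or from the malware itself. The log format, the host names, the thresholds, and the mapping of domains to services (api.dropboxapi.com and content.dropboxapi.com for Dropbox, graph.microsoft.com for OneDrive, pixeldrain.com, api.github.com) are all assumptions for the example; the sample traffic is constructed, not real telemetry.

```python
"""Hunt for bulk exfiltration and scripted C2 polling against consumer
cloud services in egress proxy logs.

Added example for this article; not the researchers' code and not the
malware's. Log schema, domains, thresholds and sample data are assumptions.
"""
from collections import defaultdict

MIB = 1024 * 1024

# Assumption: the public API / upload endpoints of the services the
# article names as CeranaKeeper's C2 and exfiltration channels.
SERVICE_DOMAINS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "graph.microsoft.com": "onedrive",
    "pixeldrain.com": "pixeldrain",
    "api.github.com": "github",
}

# Assumption: thresholds for a small office; tune to your own baseline.
BULK_UPLOAD_BYTES = 50 * MIB     # egress to one service from one host
MIN_POSTS_FOR_BEACON = 20        # many small POSTs looks like C2 polling


def parse_line(line):
    """Parse one proxy log line in the constructed format:
    ts src_host method dest_host bytes_in bytes_out "user-agent"
    The user agent is the remainder of the line and may contain spaces."""
    ts, src, method, dest, b_in, b_out, ua = line.strip().split(" ", 6)
    return {
        "ts": ts, "src": src, "method": method, "dest": dest,
        "bytes_in": int(b_in), "bytes_out": int(b_out), "ua": ua.strip('"'),
    }


def hunt(lines):
    """Return sorted (src_host, service, reason) findings."""
    stats = defaultdict(lambda: {"bytes_out": 0, "posts": 0, "uas": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        service = SERVICE_DOMAINS.get(rec["dest"])
        if service is None:
            continue  # traffic to a domain we are not hunting on
        s = stats[(rec["src"], service)]
        s["bytes_out"] += rec["bytes_out"]
        if rec["method"] == "POST":
            s["posts"] += 1
        s["uas"].add(rec["ua"])

    findings = []
    for (src, service), s in stats.items():
        # Signal 1: a single host moved a lot of data out to one service.
        if s["bytes_out"] >= BULK_UPLOAD_BYTES:
            findings.append((src, service,
                             f"bulk upload: {s['bytes_out'] // MIB} MiB"))
        # Signal 2: repeated POSTs from a non-browser client. Sync clients
        # also use custom agents, so this is a hunting lead, not an alert.
        scripted = sorted(u for u in s["uas"] if not u.startswith("Mozilla/"))
        if scripted and s["posts"] >= MIN_POSTS_FOR_BEACON:
            findings.append((src, service,
                             f"{s['posts']} POSTs from non-browser client "
                             + ", ".join(scripted)))
    return sorted(findings)


def build_sample_log():
    """Constructed sample traffic (not real telemetry)."""
    lines = []
    # Benign: a user browsing OneDrive and uploading a 2 MiB file to Dropbox.
    ua_b = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"'
    for i in range(3):
        lines.append(f"2024-09-30T08:0{i}:00Z 10.0.7.8 GET graph.microsoft.com 40960 512 {ua_b}")
    lines.append(f"2024-09-30T08:10:00Z 10.0.7.8 POST content.dropboxapi.com 256 {2 * MIB} {ua_b}")
    # Suspicious: a scripted client pushing 72 MiB to Dropbox in 6 MiB chunks.
    ua_s = '"python-requests/2.31.0"'
    for i in range(12):
        lines.append(f"2024-09-30T02:{i:02d}:00Z 10.0.5.23 POST content.dropboxapi.com 128 {6 * MIB} {ua_s}")
    # Suspicious: the same host posting small payloads to GitHub all night.
    for i in range(25):
        lines.append(f"2024-09-30T03:{i:02d}:00Z 10.0.5.23 POST api.github.com 900 700 {ua_s}")
    return lines


if __name__ == "__main__":
    for src, service, reason in hunt(build_sample_log()):
        print(f"{src:<12} {service:<10} {reason}")
```

On the constructed sample the benign user produces nothing, while 10.0.5.23 is reported twice: once for the 72 MiB pushed to Dropbox and once for 25 POSTs to api.github.com from a python-requests client. Real deployments should baseline per-host volumes and allow-list known sync clients before turning either signal into an alert.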

While the initial access routes used by CeranaKeeper remain unclear, the group's custom tooling and its ability to disable security products on compromised machines point to a high level of sophistication. Its habit of creating and modifying tools specifically to evade detection makes it a highly adaptable and persistent threat.

Although CeranaKeeper and Mustang Panda operate independently, the investigation shows that they share certain goals. Efforts to disrupt their operations are complicated by the possibility that the two groups exchange some information or rely on a common third party for tooling.
