A newly identified China-aligned threat group named CeranaKeeper has been found targeting governmental institutions in Thailand.
This group, discovered by ESET researchers and active since early 2022, leverages an evolving toolset to exfiltrate sensitive data by abusing legitimate cloud services such as Dropbox, OneDrive and GitHub.
While some of CeranaKeeper’s tools were previously attributed to the Mustang Panda group, ESET’s new analysis revealed technical differences, suggesting these are distinct entities.
“However, both China-aligned groups could be sharing information and a subset of tools in a common interest or through the same third party,” the company added.
Innovative Techniques For Data Exfiltration
CeranaKeeper stands out for its innovative use of popular services for data theft. The group has developed and deployed custom backdoors and data exfiltration tools, including Python and C++-based malware.
Notable components include WavyExfiller, a Python-based tool that uploads sensitive documents to Dropbox, and OneDoor, a C++ backdoor that abuses OneDrive both to receive commands and to exfiltrate files. A third tool, BingoShell, uses GitHub’s pull request feature to build a stealthy command-and-control (C2) channel.
Key findings from ESET’s report include:
- CeranaKeeper’s persistent updating of its backdoors to evade detection
- Use of legitimate cloud services for mass data exfiltration
- Deployment of a wide variety of custom malware across compromised machines
These tools enable CeranaKeeper to harvest large amounts of data while staying under the radar. The group’s operations target not only government entities in Thailand but also other countries in Asia, including Myanmar, Japan and Taiwan.
“This group’s goal is to harvest as many files as possible, and it develops specific components to that end,” ESET wrote.
Additionally, the researchers believe CeranaKeeper’s reliance on cloud services makes its operations challenging to detect.
“[The group] uses cloud and file-sharing services for exfiltration and probably relies on the fact that traffic to these popular services would mostly seem legitimate and be harder to block when it is identified,” ESET said.
“The targeted campaign we investigated gave us insights into CeranaKeeper’s operations, and future campaigns will likely reveal more as the group’s quest for sensitive data continues.”
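Because the traffic itself goes to legitimate services, defenders rarely get a domain-based block; what is left is behaviour: a workstation that suddenly pushes hundreds of megabytes to a file-sharing API, or polls a code-hosting API on a fixed timer. The script below is an added example of that kind of detection run over web-proxy logs; it is not ESET’s code and is not derived from the malware described above. The log format, the list of cloud-service domains, the byte threshold and the beaconing parameters are all assumptions for illustration and should be replaced with an environment’s own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not from the report). Assumed format:
# "<ISO timestamp> <source host> <method> <destination host> <bytes sent>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 ws-finance-12 GET  www.intranet.example 512
2024-03-01T09:05:10 ws-finance-12 POST content.dropboxapi.com 52428800
2024-03-01T09:06:42 ws-finance-12 POST content.dropboxapi.com 48234496
2024-03-01T09:08:03 ws-finance-12 POST content.dropboxapi.com 61865984
2024-03-01T09:10:00 ws-legal-03 GET  api.github.com 1024
2024-03-01T09:11:00 ws-legal-03 GET  api.github.com 1100
2024-03-01T09:12:00 ws-legal-03 GET  api.github.com 990
2024-03-01T09:13:00 ws-legal-03 GET  api.github.com 1050
2024-03-01T09:14:00 ws-legal-03 GET  api.github.com 1010
2024-03-01T09:30:00 dev-build-01 POST api.github.com 30000
2024-03-01T09:31:00 ws-hr-07 PUT  my.sharepoint.com 2000000
"""

# Illustrative list of file-sharing / code-hosting domains (an assumption;
# extend it from your own proxy categories, not from this example).
CLOUD_SHARE_SUFFIXES = (
    "dropboxapi.com", "dropbox.com",
    "sharepoint.com", "graph.microsoft.com", "onedrive.live.com",
    "github.com", "githubusercontent.com",
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+(\d+)$")


def is_cloud_share(host):
    """True if host is one of the watched services or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_SHARE_SUFFIXES)


def parse_log(text):
    """Parse lines into (timestamp, src, method, dest, bytes) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, dest, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, method, dest, int(nbytes)))
    return events


def upload_volume_alerts(events, threshold_bytes=100 * 1024 * 1024, expected_users=frozenset()):
    """Hosts whose total upload volume to watched services exceeds the threshold.

    100 MiB per window is a placeholder; derive the real value from a per-host baseline.
    """
    totals = defaultdict(int)
    for _ts, src, method, dest, nbytes in events:
        if method in ("POST", "PUT", "PATCH") and is_cloud_share(dest):
            totals[src] += nbytes
    return {src: total for src, total in totals.items()
            if total > threshold_bytes and src not in expected_users}


def beaconing_alerts(events, min_requests=5, max_cv=0.1, expected_users=frozenset()):
    """(host, service) pairs polled on a near-fixed interval, as a C2 channel would be.

    Flags a pair when it has at least min_requests hits and the coefficient of
    variation of the gaps between them is at most max_cv. Returns the mean gap in seconds.
    """
    stamps = defaultdict(list)
    for ts, src, _method, dest, _nbytes in events:
        if is_cloud_share(dest) and src not in expected_users:
            stamps[(src, dest)].append(ts)
    alerts = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        cv = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5 / mean
        if cv <= max_cv:
            alerts[key] = round(mean, 1)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    # dev-build-01 is a hypothetical CI host allowed to talk to GitHub.
    allowed = frozenset({"dev-build-01"})
    print("bulk upload:", upload_volume_alerts(evs, expected_users=allowed))
    print("beaconing:", beaconing_alerts(evs, expected_users=allowed))
```

Two caveats apply in practice. With TLS the proxy sees only the destination hostname (via SNI or CONNECT), so the rules key on hosts, not on which API endpoint was hit; distinguishing a pull-request poll from an ordinary GitHub visit therefore needs the service’s own audit logs or a CASB, not just the proxy. And both rules depend on a baseline: a host that legitimately syncs to OneDrive all day will trip the byte threshold unless it is in the expected-users set or the threshold is learned per host.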