In a series of ongoing cyber-attacks against governmental institutions in Thailand since 2023, ESET researchers have identified a previously undocumented threat actor, which they have named CeranaKeeper. The group uses revamped versions of components previously associated with the China-aligned advanced persistent threat (APT) group Mustang Panda. In addition, CeranaKeeper has built a new set of tools that abuse popular cloud and file-sharing services, namely Pastebin, Dropbox, OneDrive, and GitHub, as channels for executing commands on compromised computers and for stealing sensitive documents.
What sets CeranaKeeper apart is the constant reworking of its backdoors to evade detection and the variety of channels it uses for mass data exfiltration from compromised networks. With this toolset, CeranaKeeper has targeted governmental entities not only in Thailand but also in other Asian countries, including Myanmar, the Philippines, Japan, and Taiwan, a targeting pattern that indicates alignment with China's interests.
The group's hunger for data is evident in the range of tools it deploys to extract as much information as possible from compromised networks. One notable technique observed in its operations is the use of GitHub's pull request and issue comment features to build a stealthy reverse shell, effectively using GitHub as a command and control (C&C) server. Because the traffic is TLS to a reputable domain that many organizations already allow for development work, it blends in with legitimate API usage and is unlikely to be blocked by domain reputation alone.
CeranaKeeper's toolset includes TONEINS, TONESHELL, and PUBLOAD (the components previously linked to Mustang Panda) alongside the newer WavyExfiller, DropboxFlop, OneDoor, and BingoShell. Together they cover data exfiltration, remote command execution, and file upload and download. WavyExfiller, for example, uses Dropbox and PixelDrain to upload encrypted archives of collected documents, while DropboxFlop and OneDoor abuse Dropbox and OneDrive, respectively, to execute commands and exfiltrate files.
BingoShell's use of GitHub as a C&C server shows how far the group goes in turning legitimate platforms to malicious use. By creating private repositories, branches, and pull requests, the operators can remotely control compromised machines over a channel that looks like ordinary developer activity, a covert technique that adds a further layer of complexity for defenders.
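The practical problem this raises for defenders is that blocking GitHub, Dropbox, or OneDrive is rarely an option, so detection has to rest on who is using these services and how. The following is an added example, not ESET's code and not a CeranaKeeper tool: a small hunt script that aggregates a web-proxy log per (source host, cloud service) and flags non-developer hosts that write pull requests or issue comments via the GitHub API, poll a service persistently, push large volumes to it, or touch services with little legitimate use. The log format, the allow-list of expected hosts, the service-to-tool mapping, the thresholds, and the sample log lines are all constructed assumptions to be tuned per environment.

```python
"""Hunting for C&C and exfiltration traffic hidden in legitimate cloud services.

Added example for this write-up; it is not ESET's code and not a CeranaKeeper
tool. It assumes a constructed proxy-log format (one request per line) and an
assumed allow-list of hosts that legitimately use these services. Hostnames,
thresholds and the sample log below are assumptions to tune per environment.
"""
import re
from collections import defaultdict

# Public endpoints of the services the report names, labelled with the tool
# reported to abuse them (the endpoint mapping is an assumption, not from the report).
WATCHED_HOSTS = {
    "api.github.com": "BingoShell (GitHub pull requests / issue comments)",
    "api.dropboxapi.com": "WavyExfiller / DropboxFlop (Dropbox)",
    "content.dropboxapi.com": "WavyExfiller / DropboxFlop (Dropbox uploads)",
    "pixeldrain.com": "WavyExfiller (PixelDrain)",
    "graph.microsoft.com": "OneDoor (OneDrive)",
    "pastebin.com": "Pastebin-based staging",
}
# Services with little legitimate use in most offices: any request is reportable.
ALWAYS_FLAG = {"pixeldrain.com", "pastebin.com"}
# Hosts expected to talk to GitHub/Dropbox (developers, CI). Constructed names.
ALLOWED_SOURCES = {"dev-build-01", "ws-dev-12"}
BEACON_MIN_REQUESTS = 20          # sustained polling of a C&C channel
EXFIL_MIN_BYTES_OUT = 5_000_000   # ~5 MB uploaded from one host to one service
# GitHub REST write targets a PR / issue-comment based C&C channel would need:
# POST /repos/{owner}/{repo}/pulls and POST /repos/{owner}/{repo}/issues/{n}/comments.
GITHUB_WRITE = re.compile(r"^/repos/[^/]+/[^/]+/(pulls|issues/\d+/comments)$")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>[A-Z]+) "
    r"path=(?P<path>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one constructed proxy-log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def analyze(lines):
    """Aggregate per (source host, watched service) and return a list of findings."""
    pairs = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "github_writes": 0})
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["dst"] not in WATCHED_HOSTS or ev["src"] in ALLOWED_SOURCES:
            continue
        agg = pairs[(ev["src"], ev["dst"])]
        agg["requests"] += 1
        agg["bytes_out"] += ev["bytes_out"]
        if (ev["dst"] == "api.github.com" and ev["method"] in ("POST", "PATCH")
                and GITHUB_WRITE.match(ev["path"])):
            agg["github_writes"] += 1
    findings = []
    for (src, dst), agg in pairs.items():
        reasons = []
        if agg["github_writes"]:
            reasons.append(f"{agg['github_writes']} PR/issue-comment write(s) from a non-developer host")
        if agg["requests"] >= BEACON_MIN_REQUESTS:
            reasons.append(f"{agg['requests']} requests (possible C&C polling)")
        if agg["bytes_out"] >= EXFIL_MIN_BYTES_OUT:
            reasons.append(f"{agg['bytes_out']} bytes uploaded (possible exfiltration)")
        if dst in ALWAYS_FLAG:
            reasons.append("service rarely used legitimately")
        if reasons:
            findings.append({"src": src, "dst": dst, "tool": WATCHED_HOSTS[dst],
                             "reasons": reasons, **agg})
    return findings


def _line(minute, src, dst, method, path, bytes_out):
    return (f"2024-05-10T08:{minute:02d}:00Z src={src} dst={dst} method={method} "
            f"path={path} bytes_out={bytes_out}")


# Constructed sample log: an HR workstation polling a PR comment thread and then
# writing a PR and a comment, a finance workstation pushing 6 MB to Dropbox, an
# allow-listed build host hammering GitHub, an ops host touching PixelDrain, junk.
SAMPLE_LOG = (
    [_line(i, "ws-hr-07", "api.github.com", "GET", "/repos/acme/notes/pulls/7/comments", 0)
     for i in range(25)]
    + [_line(26, "ws-hr-07", "api.github.com", "POST", "/repos/acme/notes/pulls", 812),
       _line(27, "ws-hr-07", "api.github.com", "POST", "/repos/acme/notes/issues/7/comments", 2048)]
    + [_line(30 + i, "ws-fin-02", "content.dropboxapi.com", "POST", "/2/files/upload", 2_000_000)
       for i in range(3)]
    + [_line(34, "ws-fin-02", "api.dropboxapi.com", "POST", "/2/users/get_current_account", 120)]
    + [_line(i, "dev-build-01", "api.github.com", "GET", "/repos/acme/app/commits", 0)
       for i in range(40)]
    + [_line(41, "ws-ops-03", "pixeldrain.com", "PUT", "/api/file", 900_000)]
    + ["garbage line that should be ignored"]
)


def demo():
    """Run the hunt over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['src']} -> {f['dst']} [{f['tool']}]: " + "; ".join(f["reasons"]))
```

On the sample data the script reports the HR host for its two GitHub write operations and its 27 polling requests, the finance host for 6 MB uploaded to Dropbox, and the ops host for any PixelDrain use, while the allow-listed build host and the finance host's single Dropbox account lookup produce nothing. The allow-list is the weak point of this approach: an attacker on a developer's machine inherits that exemption, so the GitHub write check is worth keeping as a low-priority signal even for allowed hosts.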
ESET attributed this activity to CeranaKeeper rather than to Mustang Panda after a detailed comparison of the two groups' toolsets, infrastructure, and operational practices. Despite overlapping tactics, the differences in organization and in technical details were distinct enough for the researchers to track CeranaKeeper as a separate threat actor.
In conclusion, CeranaKeeper's relentless pursuit of sensitive data with an evolving set of tools illustrates how threats to governmental institutions keep changing. As the group continues to adapt its backdoors and exfiltration channels, detecting and mitigating its activity remains a significant challenge for defenders. Research into CeranaKeeper's operations and future campaigns is ongoing.
For more details on CeranaKeeper's tools and techniques, see the full ESET Research white paper on the group.

