Analysis Summary

There has been evidence linking a series of data exfiltration attacks targeting Southeast Asia to a threat actor named CeranaKeeper that was previously unreported.

Using technologies previously identified as being employed by the Mustang Panda actor, the cybersecurity researchers concluded that the activity cluster was tied to China after seeing campaigns that began in 2023 and targeted governmental entities in Thailand. The threat group varies its techniques to facilitate huge data exfiltration and upgrades its backdoor frequently to avoid detection. Using well-known, trustworthy cloud and file-sharing services like Dropbox and OneDrive, CeranaKeeper creates unique backdoors and extraction tools.

The adversary has also targeted Japan, Taiwan, Myanmar, and the Philippines, all of which have recently been the targets of threat groups backed by the Chinese state. CeranaKeeper's ability to move laterally across compromised environments and gather as much information as possible via a variety of backdoors and exfiltration tools led the researchers to characterize it as aggressive and greedy in addition to being relentless, creative, and capable of quickly adapting its modus operandi.

It was evident from their frequent usage of wildcard expressions that their goal was huge data siphoning as they traversed occasionally entire drives. The threat actor's precise initial access points are yet unclear. Nonetheless, an effective first foothold is exploited to obtain access to further local network computers, even converting a few of the compromised systems into proxies or update servers to retain backdoor updates.

The Mustang Panda gang is responsible for malware families like TONESHELL, TONEINS, and PUBLOAD, which are used in these attacks. In addition, a variety of hitherto unheard-of methods are employed to facilitate data exfiltration. Once they had privileged access, the attackers installed the TONESHELL backdoor, utilized a custom program and a legitimate Avast driver to disable security products on the machine, and deployed a tool to dump credentials.

They installed and ran their backdoor on additional network computers using a remote administrative panel that they accessed from this compromised server. CeranaKeeper also turned the hijacked server into an update server by using it to store TONESHELL updates. The following is the recently found custom toolset:

• WavyExfiller is a Python uploader that uses Dropbox and PixelDrain as exfiltration endpoints to gather data from connected devices, including hard disks and USBs.
• DropboxFlop is a Python version of DropFlop, a publicly accessible reverse shell with upload and download capabilities that leverages Dropbox as a command-and-control (C&C) server.
• OneDoor is a backdoor made of C++ that exploits the Microsoft OneDrive REST API to send commands and steal files.
• BingoShell is a Python backdoor that creates a covert reverse shell by abusing GitHub's pull request and commenting functionalities.

BingoShell uses a private GitHub repository as a C&C server from an overview perspective. The script receives commands to run and provides the results by using a hard-coded token for authentication. It also uses the pull requests and issues comments features to receive commands. The threat actor's ultimate objective, according to the researchers, is to create custom malware that will enable it to gather important data on a massive scale, praising CeranaKeeper's capacity to swiftly construct and update its toolset as needed to avoid detection.

CeranaKeeper and Mustang Panda appear to function independently of one another and have separate toolsets. Both threat actors may share some information or depend on the same third party, like a digital quartermaster, which is typical among groups associated with China. This would account for the observed connections.

Impact

• Data Exfiltration
• Sensitive Data Theft
• Unauthorized Access
• Credential Theft

Indicators of Compromise

SHA1

• 8e3b3c600ab812537a84409adfc5169518862fd3
• 322eb20377dbdb4acb3067a4f2aaa47631ca5ed5
• 37db71172ab64c108fedca85e5be51a499b2ba12
• 42a3d252faa7d7457c7f708ec6f44f3c1afd843e

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.