Southeast Asia Under Cyber Siege: CeranaKeeper Steals Government Data
A new hacker group, CeranaKeeper, with ties to China and focused on data theft in Southeast Asia, has been discovered by researchers at ESET. The group’s first known activity dates back to 2023, targeting government institutions in Thailand. CeranaKeeper’s operations have also been observed in other countries across the region, including Myanmar, the Philippines, Japan, and Taiwan.
The group employs a variety of methods and tools to gather data, including the abuse of legitimate cloud storage and file-sharing services such as Dropbox and OneDrive. According to ESET security researcher Romain Dumont, the group continuously updates its toolkit to evade security systems and facilitate large-scale data collection.
CeranaKeeper’s attacks involve the use of backdoors and exfiltration tools, allowing swift access to various systems and the extraction of significant amounts of information. Experts suggest that the group’s aggressive tactics are evident in its ability to spread quickly across infected systems and swiftly adapt its techniques.
Although the group’s initial methods of gaining access to systems remain unknown, attackers use their acquired foothold to infiltrate other machines within the local network. Some of the compromised computers are transformed into proxy servers or update servers for the backdoors.
CeranaKeeper employs malicious programs such as TONESHELL, TONEINS, and PUBLOAD, which have also been linked to the hacking group Mustang Panda. In addition, CeranaKeeper utilizes several new tools for data collection:
- WavyExfiller: A Python tool for uploading data, including data from connected devices such as USB drives and external hard disks, with exfiltration through Dropbox and PixelDrain.
- DropboxFlop: A Python script, a modification of the reverse shell DropFlop, which uses Dropbox as a command-and-control server.
- OneDoor: A C++ backdoor that leverages the Microsoft OneDrive API to execute commands and exfiltrate files.
- BingoShell: A Python backdoor that uses a private GitHub repository to create a covert reverse shell.
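The common thread in the four tools above is that command-and-control and exfiltration ride on legitimate cloud services (Dropbox, OneDrive, PixelDrain, GitHub), so the traffic blends in with normal use. From a defender's side, the useful signal is not the destination itself but the pattern: bulk outbound volume to a file-sharing API, or near-constant polling intervals that look like a reverse shell checking a repository for commands. The script below is an added illustration of that detection logic, not code from ESET's report or from the group's tooling; the proxy log format, the hostnames used to recognise each service, the thresholds, and the sample log lines are all constructed assumptions to be tuned to your own environment.

```python
"""Flag internal hosts whose traffic to consumer cloud-storage or code-hosting
APIs looks like bulk exfiltration or beacon-style polling.

Constructed assumptions: proxy log line format, service hostnames, thresholds,
and the sample log lines at the bottom.
"""
from collections import defaultdict
from datetime import datetime

# Hostname suffixes assumed to belong to the services named in the report.
# These are category indicators, not indicators of compromise from the page.
WATCHED_SUFFIXES = {
    "dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive/Graph",
    "pixeldrain.com": "PixelDrain",
    "api.github.com": "GitHub API",
}

BYTES_OUT_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per (host, service) in the window
MIN_REQUESTS_FOR_BEACON = 10             # enough samples to judge regularity
MAX_JITTER_FRACTION = 0.1                # intervals within 10% of the mean => beacon-like


def classify_host(dest):
    """Return the service label for a destination hostname, or None if unwatched."""
    for suffix, label in WATCHED_SUFFIXES.items():
        if dest == suffix or dest.endswith("." + suffix):
            return label
    return None


def parse_line(line):
    """Constructed log format: '<iso-timestamp> <src_ip> <dest_host> <method> <bytes_out>'."""
    ts, src, dest, method, bytes_out = line.split()
    return datetime.fromisoformat(ts), src, dest, method, int(bytes_out)


def analyze(lines):
    """Aggregate per (source host, service) and return [(src, service, [reasons])]."""
    agg = defaultdict(lambda: {"bytes_out": 0, "requests": 0, "times": []})
    for line in lines:
        ts, src, dest, _method, bytes_out = parse_line(line)
        label = classify_host(dest)
        if label is None:
            continue
        entry = agg[(src, label)]
        entry["bytes_out"] += bytes_out
        entry["requests"] += 1
        entry["times"].append(ts)

    findings = []
    for (src, label), s in agg.items():
        reasons = []
        # Signal 1: large outbound volume to a file-sharing / storage API.
        if s["bytes_out"] >= BYTES_OUT_THRESHOLD:
            reasons.append(f"bulk upload {s['bytes_out']} bytes")
        # Signal 2: many requests at a near-constant interval (polling for commands).
        if s["requests"] >= MIN_REQUESTS_FOR_BEACON:
            times = sorted(s["times"])
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            jitter = max(abs(g - mean) for g in gaps)
            if mean > 0 and jitter <= MAX_JITTER_FRACTION * mean:
                reasons.append(
                    f"regular polling every ~{mean:.0f}s ({s['requests']} requests)")
        if reasons:
            findings.append((src, label, reasons))
    return findings


# Constructed sample log: one host pushing 60 MiB to Dropbox in three POSTs,
# one host polling the GitHub API every 60 s, and one host doing a single
# ordinary Graph request that should not be flagged.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 10.0.5.17 content.dropboxapi.com POST 20971520",
    "2024-03-01T09:00:07 10.0.5.17 content.dropboxapi.com POST 20971520",
    "2024-03-01T09:00:19 10.0.5.17 content.dropboxapi.com POST 20971520",
    "2024-03-01T09:05:00 10.0.5.30 graph.microsoft.com GET 1024",
] + [
    f"2024-03-01T09:{10 + i:02d}:00 10.0.5.22 api.github.com GET 512"
    for i in range(12)
]

if __name__ == "__main__":
    for src, service, reasons in analyze(SAMPLE_LOG):
        print(f"{src} -> {service}: {'; '.join(reasons)}")
```

The two signals are deliberately separate: a bulk upload from a workstation to a storage API is worth a look on its own, while the polling check only fires once there are enough requests to judge regularity, which keeps a handful of ordinary API calls from producing noise.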
ESET also highlights that the CeranaKeeper group can quickly rewrite and adapt its tools to bypass security systems. The primary goal of these cybercriminals is to develop unique malware for the large-scale collection of confidential information.
According to ESET’s analysis, while CeranaKeeper and Mustang Panda may operate independently, they likely share some level of information exchange or rely on common third-party resources, a trait often seen among China-linked cyber groups.