CeranaKeeper: A New China-Aligned Threat Targeting Thailand’s Government
ESET researchers have exposed a newly identified advanced persistent threat (APT) group, dubbed CeranaKeeper, targeting governmental institutions in Thailand since 2023. Originally, some of this activity was attributed to the infamous China-aligned group Mustang Panda, but ESET’s analysis reveals that CeranaKeeper operates independently, with its own unique tactics, tools, and objectives.
Named after the Asian honeybee Apis cerana, a name inspired by code references found in its tools, CeranaKeeper has been active since early 2022. The group focuses on breaching and exploiting governmental networks in Asian countries such as Thailand, Myanmar, Japan, and the Philippines. Its attacks align with China’s interests and show a relentless pursuit of sensitive governmental data.
What sets CeranaKeeper apart from other APTs, including Mustang Panda, is the group’s creativity in weaponizing cloud services such as Dropbox, OneDrive, and GitHub to execute commands on compromised systems and exfiltrate large volumes of data. This creative use of common services makes their activities harder to detect and block.
In mid-2023, ESET researchers observed CeranaKeeper targeting a Thai governmental institution. Once they gained a foothold in the network, the group used brute-force techniques to breach domain controllers and deploy their customized backdoor, TONESHELL. From there, CeranaKeeper turned compromised machines into update servers, spreading malware across the network while avoiding detection.
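The brute-force stage described above leaves a recognisable trail in Windows Security logs: a burst of failed logons (Event ID 4625) from one source against several accounts on a domain controller. The following detector is an added example, not ESET's code and not derived from the report's indicators; it works on a constructed, simplified log format and uses an assumed threshold of five failures within a 60-second sliding window.

```python
"""Added example (not from ESET's report): flag password-guessing bursts against a
domain controller from Windows failed-logon events (Event ID 4625).

Input lines are constructed and simplified to
"<ISO timestamp> <event id> src=<workstation> user=<account>".
Real Security logs carry many more fields; the threshold and window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: WS-117 sprays several accounts in ~15 seconds,
# WS-042 is a user mistyping a password once and then logging in (4624).
SAMPLE_EVENTS = """\
2023-06-12T09:00:01 4625 src=WS-117 user=administrator
2023-06-12T09:00:04 4625 src=WS-117 user=svc_backup
2023-06-12T09:00:07 4625 src=WS-117 user=jsmith
2023-06-12T09:00:10 4625 src=WS-117 user=it_admin
2023-06-12T09:00:13 4625 src=WS-117 user=administrator
2023-06-12T09:00:15 4624 src=WS-042 user=aporn
2023-06-12T09:00:16 4625 src=WS-117 user=helpdesk
2023-06-12T09:03:30 4625 src=WS-042 user=aporn
2023-06-12T09:03:40 4624 src=WS-042 user=aporn
"""

FAILED_LOGON = 4625


def parse_event(line):
    """Split one simplified log line into (timestamp, event_id, source, user)."""
    ts_str, event_id, src_kv, user_kv = line.split()
    return (datetime.fromisoformat(ts_str), int(event_id),
            src_kv.split("=", 1)[1], user_kv.split("=", 1)[1])


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source: stats} for sources whose failed logons inside a sliding
    window reach the threshold. Stats reflect the largest burst seen."""
    windows = defaultdict(deque)   # source -> timestamps of recent failures
    users = defaultdict(set)       # source -> distinct accounts tried
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, src, user = parse_event(line)
        if event_id != FAILED_LOGON:
            continue
        recent = windows[src]
        recent.append(ts)
        users[src].add(user)
        # Drop failures that fell out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts[src] = {
                "first_seen": recent[0].isoformat(),
                "failures_in_window": len(recent),
                "distinct_users": len(users[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, stats in find_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(src, stats)
```

The distinct-user count separates password spraying (many accounts, few attempts each) from a single account being hammered; both are worth an alert, but they point at different follow-up actions.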
CeranaKeeper deployed a variety of tools designed for mass data exfiltration. These tools, specifically tailored to the attack, helped the group extract sensitive documents by leveraging services like Dropbox and OneDrive to upload stolen data.
CeranaKeeper’s toolkit is as diverse as it is innovative. Some of the group’s notable tools include:
- WavyExfiller: A Python-based uploader bundled using PyInstaller. It utilizes Dropbox or PixelDrain to upload compressed, password-protected archives of documents stolen from compromised machines.
- DropboxFlop: A Python backdoor that uses Dropbox as its command and control (C&C) server. It retrieves encrypted Dropbox tokens to execute commands on the compromised systems and upload results.
- OneDoor: A C++ backdoor that mimics Microsoft’s legitimate OneDrive executable. It uses OneDrive’s API to receive commands and exfiltrate files from infected machines.
- BingoShell: A sophisticated backdoor using GitHub’s pull request feature as a covert command and control mechanism. The attackers create new GitHub branches and use comments on pull requests to issue commands to compromised systems, leaving minimal traces by cleaning up the repository afterward.
CeranaKeeper is known for its persistence in data theft, targeting key government files and sensitive information. The group’s operations reflect a clear goal: extract as much data as possible while staying under the radar. Their use of public cloud services helps disguise their traffic as legitimate, making it harder for defenders to identify and block their operations.
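Because the traffic goes to services many organisations use legitimately, blocking by domain is rarely an option; what remains is looking at how a host uses those services. Two behaviours stand out from the tools listed above: bulk uploads to storage APIs (WavyExfiller, OneDoor) and regular polling of a code-hosting API for commands (BingoShell). The script below is an added example, not ESET's code, that scores hosts on both signals over a constructed, simplified proxy log; the API hostnames and thresholds are assumptions to be tuned per environment.

```python
"""Added example (not ESET's code or tooling): flag hosts whose traffic to public
cloud-storage and code-hosting APIs looks like bulk exfiltration or C&C beaconing.

Log lines are constructed in a simplified proxy format:
"<ISO timestamp> <client-ip> <method> <host> <path> <bytes-sent>".
The host list and thresholds are assumptions for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API hosts for the services named in the report (Dropbox, OneDrive via
# Microsoft Graph, GitHub, PixelDrain). Adjust to what your proxy actually sees.
CLOUD_API_HOSTS = {
    "content.dropboxapi.com", "api.dropboxapi.com",
    "graph.microsoft.com", "api.github.com", "pixeldrain.com",
}

# Constructed sample: 10.1.2.3 pushes ~180 MB to Dropbox in 90 seconds,
# 10.1.2.9 polls one pull request's comments every ~60 s, 10.1.2.20 is ordinary use.
SAMPLE_PROXY_LOG = """\
2023-06-12T10:00:00 10.1.2.3 POST content.dropboxapi.com /2/files/upload 62914560
2023-06-12T10:00:40 10.1.2.3 POST content.dropboxapi.com /2/files/upload 62914560
2023-06-12T10:01:25 10.1.2.3 POST content.dropboxapi.com /2/files/upload 62914560
2023-06-12T10:00:00 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:01:00 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:02:01 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:03:00 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:03:59 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:05:00 10.1.2.9 GET api.github.com /repos/example-org/example-repo/pulls/1/comments 310
2023-06-12T10:00:12 10.1.2.20 PUT graph.microsoft.com /v1.0/me/drive/root:/report.docx:/content 2097152
2023-06-12T10:07:33 10.1.2.20 GET graph.microsoft.com /v1.0/me/drive/root/children 420
2023-06-12T10:09:05 10.1.2.20 GET intranet.example.local /news 180
"""


def parse_line(line):
    ts, client, method, host, path, sent = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": host, "path": path, "bytes": int(sent)}


def per_client_cloud_stats(lines):
    """Aggregate upload volume and request timestamps per client, cloud hosts only."""
    stats = defaultdict(lambda: {"upload_bytes": 0, "timestamps": []})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] not in CLOUD_API_HOSTS:
            continue
        entry = stats[rec["client"]]
        entry["timestamps"].append(rec["ts"])
        if rec["method"] in ("POST", "PUT", "PATCH"):
            entry["upload_bytes"] += rec["bytes"]
    return stats


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between requests; near 0 means a fixed
    polling interval. None when there are too few gaps to judge."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def flag_suspicious(lines, upload_threshold=100 * 1024 * 1024,
                    min_requests=5, max_cv=0.1):
    """Return {client: finding} for clients that exceed the upload threshold or
    poll a cloud API at a suspiciously regular interval."""
    findings = {}
    for client, entry in per_client_cloud_stats(lines).items():
        reasons = []
        if entry["upload_bytes"] >= upload_threshold:
            reasons.append("bulk_upload")
        cv = interval_cv(entry["timestamps"])
        if len(entry["timestamps"]) >= min_requests and cv is not None and cv <= max_cv:
            reasons.append("regular_beacon")
        if reasons:
            findings[client] = {"reasons": reasons,
                                "upload_bytes": entry["upload_bytes"],
                                "cloud_requests": len(entry["timestamps"])}
    return findings


if __name__ == "__main__":
    for client, finding in flag_suspicious(SAMPLE_PROXY_LOG.splitlines()).items():
        print(client, finding)
```

In practice the upload threshold should be a per-host baseline rather than a fixed number, and the beacon check is more useful when restricted to API paths that an interactive user would not hit repeatedly; both refinements keep the same structure as the functions above.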
While some of CeranaKeeper’s tactics initially resembled those of Mustang Panda (aka Earth Preta), ESET’s research concludes that these are two distinct groups. Both may share tools and techniques—perhaps through common suppliers—but they operate with different methods, infrastructure, and objectives. CeranaKeeper has carved out its own niche, standing apart due to its innovative use of cloud services and unique backdoors.
For a deeper dive into CeranaKeeper’s toolset and tactics, ESET’s full white paper provides detailed technical analysis, shedding more light on the group’s advanced operations.