China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration

October 2, 2024 at 12:15PM

CeranaKeeper, a new threat actor, has been conducting data exfiltration attacks in Southeast Asia, targeting countries like Thailand, Myanmar, the Philippines, Japan, and Taiwan. Utilizing backdoors through legitimate cloud and file-sharing services, the group demonstrates a relentless and creative approach, with an extensive custom toolset for massive data siphoning. ESET attributes the activity to China’s Mustang Panda group.

A new threat actor named CeranaKeeper has been identified, with activity targeting Southeast Asia, including Thailand, Myanmar, the Philippines, Japan, and Taiwan. The group abuses legitimate cloud and file-sharing services, such as Dropbox and OneDrive, to deploy custom backdoors and exfiltration tools, enabling massive data exfiltration.

CeranaKeeper has been described as relentless, creative, and capable of swiftly adapting its methods, making extensive use of wildcard expressions for massive data siphoning. The attacks also involve the use of various malware families, such as TONESHELL, TONEINS, and PUBLOAD, along with a newly discovered custom toolset including WavyExfiller, DropboxFlop, and BingoShell.

The threat actor is characterized by its ability to quickly write and rewrite its toolset to evade detection, with an end goal of developing bespoke malware for large-scale data collection.

The report also notes both potential links to and distinctions from the Mustang Panda group, and raises the possibility that the two rely on the same third party or that information is shared among China-aligned groups.

Taken together, these findings outline CeranaKeeper’s capabilities and methods, shedding light on the evolving threat landscape in the region and the group’s aggressive data exfiltration tactics.
