CeranaKeeper Emerges as New Threat to Thai Government Networks
A newly identified China-aligned threat group named CeranaKeeper has been found targeting governmental institutions in Thailand.
This group, discovered by ESET researchers and active since early 2022, leverages an evolving toolset to exfiltrate sensitive data by abusing legitimate cloud services such as Dropbox, OneDrive and GitHub.
While some of CeranaKeeper’s tools were previously attributed to the Mustang Panda group, ESET’s new analysis revealed technical differences, suggesting these are distinct entities.
“However, both China-aligned groups could be sharing information and a subset of tools in a common interest or through the same third party,” the company added.
Innovative Techniques For Data Exfiltration
CeranaKeeper stands out for its innovative use of popular services for data theft. The group has developed and deployed custom backdoors and data exfiltration tools, including Python and C++-based malware.
Notable components include WavyExfiller, a Python-based tool that uploads sensitive documents to Dropbox, and OneDoor, a C++ malware that abuses OneDrive to both receive commands and extract files. Another tool, BingoShell, uses GitHub’s pull request feature to create a stealthy command-and-control (C2) channel.
Key findings from ESET’s report include:
- CeranaKeeper’s persistent updating of its backdoors to evade detection
- Use of legitimate cloud services for mass data exfiltration
- Deployment of a wide variety of custom malware across compromised machines
These tools enable CeranaKeeper to harvest large amounts of data while staying under the radar. The group’s operations target not only government entities in Thailand but also other countries in Asia, including Myanmar, Japan and Taiwan.
“This group’s goal is to harvest as many files as possible, and it develops specific components to that end,” ESET wrote.
Additionally, the researchers believe CeranaKeeper’s reliance on cloud services makes its operations challenging to detect.
“[The group] uses cloud and file-sharing services for exfiltration and probably relies on the fact that traffic to these popular services would mostly seem legitimate and be harder to block when it is identified,” ESET said.
“The targeted campaign we investigated gave us insights into CeranaKeeper’s operations, and future campaigns will likely reveal more as the group’s quest for sensitive data continues.”
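ESET’s point that uploads to Dropbox, OneDrive and GitHub blend in with legitimate traffic argues for baselining that traffic rather than blocking it outright. The following is an added example, not code from ESET or the article: it scores constructed proxy log lines on two signals, bulk upload volume to those services per host and API access from a client that is not the expected browser or official app. The hostnames, user-agent list and threshold are assumptions to tune per environment.

```python
from collections import defaultdict

# Hostnames for the services the article names (Dropbox, OneDrive, GitHub).
# These hostnames and the client list are assumptions, not from the report.
WATCHED_DOMAINS = {
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "api.github.com": "GitHub",
}
KNOWN_CLIENTS = ("Mozilla/", "OneDrive/", "Dropbox", "git/")  # expected user agents
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # bytes per host over the log window (tunable)

# Constructed proxy log lines: time host method dest bytes_sent user_agent
SAMPLE_LOGS = """\
2024-01-05T09:01:00Z WS-0412 POST content.dropboxapi.com 52428800 python-requests/2.31
2024-01-05T09:03:00Z WS-0412 POST content.dropboxapi.com 73400320 python-requests/2.31
2024-01-05T09:10:00Z WS-0412 POST content.dropboxapi.com 61865984 python-requests/2.31
2024-01-05T09:12:00Z WS-0077 GET www.example.com 812 Mozilla/5.0
2024-01-05T09:15:00Z WS-0077 PUT graph.microsoft.com 1048576 OneDrive/23.1
2024-01-05T09:20:00Z WS-0219 POST api.github.com 4096 python-requests/2.31
2024-01-05T09:21:00Z WS-0219 POST api.github.com 4096 python-requests/2.31
"""

def parse_line(line):
    """Split one whitespace-separated proxy record; the user agent may contain spaces."""
    ts, host, method, dest, nbytes, ua = line.split(maxsplit=5)
    return {"ts": ts, "host": host, "method": method, "dest": dest,
            "bytes": int(nbytes), "ua": ua}

def analyze(log_text):
    """Return {host: [finding, ...]} for hosts whose cloud-service traffic stands out."""
    uploaded = defaultdict(int)      # bytes pushed to watched services, per host
    scripted = defaultdict(set)      # watched services reached with an unexpected UA
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        svc = WATCHED_DOMAINS.get(rec["dest"])
        if svc is None:
            continue                 # ordinary web traffic, not a watched service
        if rec["method"] in ("POST", "PUT"):
            uploaded[rec["host"]] += rec["bytes"]
        if not rec["ua"].startswith(KNOWN_CLIENTS):
            scripted[rec["host"]].add(svc)
    findings = defaultdict(list)
    for host, total in uploaded.items():
        if total > UPLOAD_THRESHOLD:
            findings[host].append(f"bulk upload {total // 2**20} MiB to cloud storage")
    for host, svcs in scripted.items():
        findings[host].append("non-standard client talking to " + ", ".join(sorted(svcs)))
    return dict(findings)
```

On the sample, the host pushing 179 MiB to Dropbox from a scripting client is flagged on both signals, while the low-volume scripted GitHub API traffic is flagged only on the client signal, which is the kind of lead a pull-request-based C2 channel would leave.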