ESET Research details the tools and activities of a new China-aligned threat actor, CeranaKeeper, focusing on massive data exfiltration in Southeast Asia
Analysis Summary
# Threat Actor: CeranaKeeper
## Attribution & Identity
* **Identification:** A newly tracked, China-aligned advanced persistent threat (APT) actor identified by ESET researchers.
* **Attribution Context:** Some of its toolsets and activities were previously attributed to **Mustang Panda** (also known as Earth Preta or Stately Taurus) by other security vendors (Talos, Trend Micro, Palo Alto Networks Unit 42). ESET analysts separated this cluster due to distinct toolsets, operational practices, and technical differences, despite potential shared suppliers or information sharing with Mustang Panda.
* **Naming Origin:** Named after the string `[Bb]ectrl` found in its tooling, inspiring a wordplay between "beekeeper" and the Asian honey bee species, *Apis cerana*.
* **Known Aliases/Associations:** Previously linked by others to Mustang Panda. Uses custom components such as TONEINS, TONESHELL, and PUBLOAD.
## Activity Summary
* **Historical Activity:** Active since at least the beginning of 2022.
* **Recent Campaigns:** Observed targeting governmental institutions in Thailand starting in 2023, involving revamped tool components and novel exfiltration techniques.
* **Overall Objective:** Relentless pursuit and massive exfiltration of data from compromised networks. The actors continuously update their backdoors for evasion and diversify methods for data extraction.
## Tactics, Techniques & Procedures
The group displays creativity and adaptability, leveraging legitimate cloud services for C2 and staging.
- **Initial Access/Execution:** Abuses service providers (Pastebin, Dropbox, OneDrive, GitHub) to execute commands.
- **Defense Evasion:** Revamped tool components for evasion; uses legitimate library names to blend in (Masquerading: Match Legitimate Name or Location - T1036.005).
- **Persistence/Backdoors:** Deploying custom backdoors utilizing cloud services. The OneDrive backdoor configuration files are encrypted (Deobfuscate/Decode Files or Information - T1140).
- **C2/Reverse Shell:** Devises a novel technique leveraging **GitHub's pull request and issue comment features** to create a stealthy reverse shell.
  - C2 protocols use HTTP/S (Application Layer Protocol: Web Protocols - T1071.001).
  - OneDrive backdoor communication is encrypted using AES-128 CBC, with keys/IVs encrypted via RSA (Encrypted Channel: Symmetric Cryptography - T1573.001, Encrypted Channel: Asymmetric Cryptography - T1573.002).
  - Custom XOR-based encoding used by the YK0130 reverse shell (Data Encoding: Non-Standard Encoding - T1132.002).
  - Implements an internal reverse proxy in one YK0130 variant (Proxy: Internal Proxy - T1090.001).
  - Abuses OneDrive and Dropbox as C&C servers (Web Service: Bidirectional Communication - T1102.002).
- **Collection & Staging:**
  - Deploys single-use harvesting components when collecting entire file trees.
  - Uses a tool called **WavyExfiller** which compresses collected data using WinRAR (Archive Collected Data: Archive via Utility - T1560.001).
  - Collects data from local drives (C:) and network shared drives (Data from Local System - T1005, Data from Network Shared Drive - T1039).
  - Stages collected data in a special folder before upload (Data Staged: Local Data Staging - T1074.001).
- **Exfiltration:** Exfiltrates data via cloud services (Exfiltration Over Web Service: Exfiltration to Cloud Storage - T1567.002).
- **Infrastructure Usage:** Turns compromised machines into update servers.
## Targeting
* **Sectors:** Governmental institutions.
* **Geography:** Primarily Asian countries, including Thailand, Myanmar, the Philippines, Japan, and Taiwan.
* **Victims:** Governmental entities in target nations.
## Tools & Infrastructure
* **Malware Families/Tools:** Bespoke stagers (TONESHELL), TONEINS, PUBLOAD, YK0130 reverse shell, WavyExfiller (uses WinRAR).
* **Infrastructure:** Heavily abuses legitimate cloud/file-sharing services for C2, backdoors, and exfiltration:
  * Pastebin
  * Dropbox (used as C2/Exfil targets)
  * OneDrive (used as C2/Exfil targets, employs AES/RSA encryption)
  * GitHub (used for reverse shells via pull requests/issue comments)
## Implications
CeranaKeeper represents a sophisticated, highly adaptive China-aligned threat group focused relentlessly on data theft from sensitive government networks across Asia. Their creativity in abusing legitimate cloud services (especially GitHub for C2) makes detection difficult, requiring security teams to monitor legitimate service usage for anomalous activity indicative of compromise.
## Mitigations
- **Monitor Cloud Service Abuse:** Implement strict monitoring and anomaly detection for unusual activity involving GitHub (comment/PR creation/reading), OneDrive, and Dropbox that deviates from normal employee behavior, especially related to command staging or data uploads.
- **Zero Trust on Application Layer:** Enhance scrutiny of HTTP/S traffic, even to legitimate cloud services, looking for custom encoding or encryption patterns indicative of C2.
- **File System Monitoring:** Monitor for the deployment of single-use harvesting tools (like WavyExfiller) and unusual compression activities (WinRAR use).
- **Library Integrity Checks:** Implement measures to detect dynamic library side-loading, as this technique is reportedly used by the group.
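As an added illustration of the first three mitigations (this is not code from ESET or from the report), the following Python hunt runs over constructed proxy log lines and flags hosts that poll a single GitHub issue or pull request comment thread at short, regular intervals, or that push a large volume to Dropbox/OneDrive upload endpoints. The log format, the cloud upload hostnames and the thresholds are assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines, "<timestamp> <host> <method> <url> <bytes_sent>" (not from the report)
SAMPLE_LOG = """\
2024-05-01T08:00:01 ws-12 GET https://api.github.com/repos/acme/docs/issues/7/comments 310
2024-05-01T08:00:31 ws-12 GET https://api.github.com/repos/acme/docs/issues/7/comments 310
2024-05-01T08:01:01 ws-12 POST https://api.github.com/repos/acme/docs/issues/7/comments 2048
2024-05-01T08:01:31 ws-12 GET https://api.github.com/repos/acme/docs/issues/7/comments 310
2024-05-01T09:15:00 ws-12 POST https://content.dropboxapi.com/2/files/upload 52428800
2024-05-01T09:16:00 ws-12 POST https://content.dropboxapi.com/2/files/upload 52428800
2024-05-01T09:17:00 ws-12 POST https://content.dropboxapi.com/2/files/upload 52428800
2024-05-01T10:00:00 dev-03 GET https://api.github.com/repos/acme/app/pulls/12/comments 900
2024-05-01T10:45:00 dev-03 POST https://api.github.com/repos/acme/app/pulls/12/comments 1200
2024-05-01T11:00:00 ws-07 PUT https://content.dropboxapi.com/2/files/upload 1048576
"""

COMMENT_THREAD = re.compile(r"^/repos/[^/]+/[^/]+/(issues|pulls)/\d+/comments$")
CLOUD_UPLOAD_HOSTS = {"content.dropboxapi.com", "graph.microsoft.com", "api.onedrive.com"}  # assumed
POLL_MIN_HITS, POLL_MAX_GAP_S = 3, 120      # tuning assumptions, not values from the report
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB sent per host over the log window

def parse(log_text):
    """Yield (timestamp, host, method, domain, path, bytes_sent) per log line."""
    for line in log_text.splitlines():
        ts, host, method, url, sent = line.split()
        u = urlparse(url)
        yield datetime.fromisoformat(ts), host, method, u.hostname, u.path, int(sent)

def find_comment_polling(log_text):
    """Hosts that repeatedly hit one GitHub comment thread with every gap under the limit."""
    hits = defaultdict(list)
    for ts, host, _, dom, path, _ in parse(log_text):
        if dom == "api.github.com" and COMMENT_THREAD.match(path):
            hits[(host, path)].append(ts)
    flagged = {}
    for (host, path), times in hits.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= POLL_MIN_HITS and max(gaps) <= POLL_MAX_GAP_S:
            flagged[host] = path
    return flagged

def find_bulk_uploads(log_text):
    """Hosts whose POST/PUT bytes to cloud storage upload endpoints exceed the threshold."""
    sent = defaultdict(int)
    for _, host, method, dom, _, nbytes in parse(log_text):
        if method in ("POST", "PUT") and dom in CLOUD_UPLOAD_HOSTS:
            sent[host] += nbytes
    return {h: b for h, b in sent.items() if b > UPLOAD_BYTES_THRESHOLD}
```

A hit on both checks for the same host (as `ws-12` in the sample) is a strong pivot for triage; the developer host `dev-03` commenting on its own pull request is left alone.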