Separating the bee from the panda: CeranaKeeper making a beeline for Thailand


ESET researchers observed several campaigns targeting governmental institutions in Thailand, starting in 2023. These attacks leveraged revamped versions of components previously attributed by other researchers to the China-aligned advanced persistent threat (APT) group Mustang Panda and, later, a new set of tools that abuse service providers such as Pastebin, Dropbox, OneDrive, and GitHub to execute commands on compromised computers and exfiltrate sensitive documents.

Based on our findings, we decided to track this activity cluster as the work of a separate threat actor. The many occurrences of the string [Bb]ectrl in the code of the group's tools inspired us to name it CeranaKeeper; the name is a play on the word beekeeper and the bee species Apis cerana, the Asian honey bee.

Key points of this blogpost:

  • ESET researchers discovered a new China-aligned threat actor, CeranaKeeper, targeting governmental institutions in Thailand. Some of its tools were previously attributed to Mustang Panda by other researchers.
  • The group constantly updates its backdoor to evade detection and diversifies its methods to aid massive data exfiltration.
  • CeranaKeeper abuses popular, legitimate cloud and file-sharing services such as Dropbox and OneDrive to implement custom backdoors and extraction tools.
  • The group uses GitHub's pull request and issue comment features to create a stealthy reverse shell, leveraging GitHub, a popular online platform for sharing and collaborating on code, as a C&C server.

CeranaKeeper has been active since at least the beginning of 2022, primarily targeting governmental entities in Asian countries such as Thailand, Myanmar, the Philippines, Japan, and Taiwan; we believe it is aligned with China's interests. The group's relentless hunt for data is remarkable: its operators deploy a wide array of tools aimed at extracting as much information as possible from compromised networks. In the operation we analyzed, the group turned compromised machines into update servers, devised a new technique that uses GitHub's pull request and issue comment features to create a stealthy reverse shell, and deployed single-use harvesting components when collecting entire file trees.

We briefly introduced CeranaKeeper in the ESET APT Activity Report Q4 2023–Q1 2024, released in May 2024. In this blogpost, we describe the previously undocumented, custom tools deployed by CeranaKeeper and share more of our findings about the operations of this threat actor.

We presented some of our findings about CeranaKeeper and the compromise in Thailand at the Virus Bulletin conference on October 2nd, 2024, and in our white paper, which you can read in full here. This month, Virus Bulletin will also publish our white paper on this topic on its website.

Attribution

While some of CeranaKeeper's activities had previously been attributed to Mustang Panda (aka Earth Preta or Stately Taurus) by Talos, Trend Micro, and Palo Alto Networks Unit 42, we have decided to track this activity cluster as the work of CeranaKeeper. We believe CeranaKeeper uses the publicly documented toolset called bespoke stagers (or TONESHELL), relies heavily on the DLL side-loading technique, and uses a specific sequence of commands to exfiltrate files from a compromised network. Furthermore, we consider the use of political lures and PlugX components to be the work of Mustang Panda. Despite some similarities in their activities (similar side-loading targets, archive format), we observed distinct organizational and technical differences between the two groups, such as differences in their toolsets, infrastructure, operational practices, and campaigns. We also noted differences in the way the two groups perform similar tasks.

In its operations, CeranaKeeper deploys components known as TONEINS, TONESHELL, and PUBLOAD, which are unique to the group. The group stands out for its creativity and adaptability in its attacks, such as using revamped versions of the aforementioned components and new tools that abuse services such as Pastebin, Dropbox, OneDrive, and GitHub. We describe these tools in the Toolset aiding massive exfiltration section.

Furthermore, the group left some metadata in its code that gave us insights into its development process, further solidifying our separation of the two groups and our attribution to CeranaKeeper. Both threat actors may rely on the same third party, such as a supplier of the tools used in the deployment phase, which is not uncommon among China-aligned groups, or may have some level of information sharing, which would explain the links we have observed. In our opinion, this is a more likely explanation than a single threat actor maintaining two completely separate sets of tools, infrastructure, operational practices, and campaigns.

Compromising machines in the same network

The initial compromise vector that CeranaKeeper used in the case we analyzed has yet to be found. Once the group had obtained a foothold in the network of a Thai governmental institution, in the middle of 2023, a compromised machine conducted brute-force attacks against a domain controller in the local area network.

After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a tool to dump credentials, and used a legitimate Avast driver together with a custom application to disable security products on the machine. From this compromised server, they used a remote administration console (the ESET Remote Administration console; see T1072 in the MITRE ATT&CK table below) to deploy and execute their backdoor on other computers in the network. Additionally, CeranaKeeper used the compromised server to store updates for TONESHELL, turning it into an update server.

The group deployed a new BAT script across the network, extending its reach to other machines in the same domain by exploiting the domain controller to gain domain admin privileges. This enabled CeranaKeeper to move to the next stage of its operation and achieve its final goal: massive data harvesting.
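The first observable step of the intrusion chain above is a single internal host hammering the domain controller with failed logons. The following detection is an added example written for this post, not ESET's or CeranaKeeper's code. It runs over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) after SIEM normalisation; the host names, accounts, addresses and timestamps are made up, and the 60-second window and threshold of 10 are assumptions to tune per environment.

```python
"""Added example (not ESET's or CeranaKeeper's code): flag one source host
hammering a domain controller with failed logons. Records are constructed in
the shape of normalised Windows Security events 4625 and 4624; hosts, accounts,
addresses and timestamps are made up."""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, ip, user, event_id=4625, computer="DC01"):
    return {"time": ts, "event_id": event_id, "computer": computer, "ip": ip, "user": user}


# Constructed sample: 12 failures for one account within 22 s from 10.10.4.23,
# then a success; 10.10.7.8 has three spaced-out typos that must not alert.
SAMPLE_EVENTS = (
    [_event(f"2023-07-12T02:14:{5 + 2 * i:02d}", "10.10.4.23", "administrator") for i in range(12)]
    + [_event("2023-07-12T02:14:31", "10.10.4.23", "administrator", event_id=4624)]
    + [_event(f"2023-07-12T02:20:{10 + 20 * i:02d}", "10.10.7.8", "j.doe") for i in range(3)]
)


def detect_bruteforce(events, dc_names=("DC01",), window_seconds=60, threshold=10):
    """Return one alert per (DC, source IP) whose densest window of 4625 events
    reaches `threshold`. The distinct-account count separates password spraying
    from brute force; a later 4624 for one of those accounts marks likely success."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)          # (computer, ip) -> [(time, user), ...]
    last_success = {}                     # (computer, ip, user) -> time of last 4624
    for ev in events:
        if ev["computer"] not in dc_names:
            continue
        when = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            failures[(ev["computer"], ev["ip"])].append((when, ev["user"]))
        elif ev["event_id"] == 4624:
            key = (ev["computer"], ev["ip"], ev["user"])
            last_success[key] = max(when, last_success.get(key, when))

    alerts = []
    for (computer, ip), attempts in failures.items():
        attempts.sort()
        best = (0, 0, 0)                  # (count, start index, end index)
        start = 0
        for end in range(len(attempts)):  # sliding window over the sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e = best
        if count < threshold:
            continue
        users = {user for _, user in attempts[s:e + 1]}
        last_failure = attempts[e][0]
        success_after = any(
            last_success.get((computer, ip, u), datetime.min) >= last_failure for u in users
        )
        alerts.append({
            "computer": computer,
            "source_ip": ip,
            "failures": count,
            "distinct_users": len(users),
            "pattern": "password spray" if len(users) >= 5 else "brute force",
            "success_after": success_after,
            "window": (attempts[s][0].isoformat(), last_failure.isoformat()),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The success_after flag is what turns this from noise into a priority: a burst of failures followed by a 4624 for the same account from the same source is the point at which the compromised machine became a privileged foothold, and is where credential dumping and the driver-based AV kill described above would follow.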

Toolset aiding massive exfiltration

After deploying their TONESHELL backdoor and performing a few lateral movements, the attackers appear to have found and selected a few compromised computers of sufficient interest to deploy previously undocumented, custom tools. These support tools were used not only to facilitate the exfiltration of documents to public storage services but also to act as alternative backdoors. The backdoors and exfiltration tools we describe were deployed to highly targeted machines only.

WavyExfiller: A Python uploader abusing Dropbox and PixelDrain

The first of a series of unknown components we discovered in June 2023 is WavyExfiller, a Python package bundled into an executable with PyInstaller and a direct Python implementation of the exfiltration method described by Unit 42. We named this component WavyExfiller because of the .wav extension of a local file that contains search masks for identifying and compressing documents ready for export. The PyInstaller-bundled executable is named SearchApp.exe (SHA-256: E7B6164B6EC7B7552C93713403507B531F625A8C64D36B60D660D66E82646696).

The module has three main functions: retrieving an encrypted Dropbox token from a Pastebin page (an online service for storing and sharing plain text data), creating password-protected archives of documents found in users' directories, and uploading these archives to Dropbox.

In October 2023, we observed a variant (SHA-256: 451EE465675E674CEBE3C42ED41356AE2C972703E1DC7800A187426A6B34EFDC) stored under the name oneDrive.exe. Despite its name, this version uses the file-sharing service PixelDrain to exfiltrate the archived files. Just like SearchApp.exe mentioned above, this variant checks the C drive, which typically contains the operating system, installed programs, and local users' documents. Additionally, oneDrive.exe attempts to collect files from mapped drives, if any, with letters from D to N (except L), as illustrated in Figure 1; these may correspond to external storage devices such as USB sticks and hard drives, network drives in an office environment, or virtual drives created by specific software. This shows that CeranaKeeper stepped up its greediness and tried to reach other potential or known sources of data. However, it is unclear whether the exfiltration operation was successful, as the exposed PixelDrain API does not allow checking uploaded files.

Figure 1. Traversing and collecting files from a list of drives

DropboxFlop: A Python backdoor abusing Dropbox

In October 2023, around the same time that we found the PixelDrain variant, we discovered a new PyInstaller-bundled executable with SHA-256 hash DAFAD19900FFF383C2790E017C958A1E92E84F7BB159A2A7136923B715A4C94F. CeranaKeeper appears to have created it based on a publicly available project called Dropflop, a reverse shell with upload and download capabilities. The compiled Python file is called dropboxflop.pyc. The backdoor retrieves an encrypted Dropbox token and depends on files present in the remote Dropbox repository to execute commands on the machine. It creates a unique folder locally and generates a "heartbeat" by updating a remote file called lasttime every 15 seconds. It also checks for a file named tasks that, if found, is downloaded and parsed as JSON. Two types of tasks are implemented: command execution and file upload. Once a task is completed, the backdoor sends the results by updating the content of the file output.
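Both Dropbox-based tools leave a shape in proxy logs that is independent of any hash: DropboxFlop rewrites its lasttime file on a fixed 15-second cadence, and WavyExfiller pushes password-protected archives that are far larger than any heartbeat or task file. The checks below are an added example written for this post, not ESET's or CeranaKeeper's code. The log lines, addresses and byte counts are constructed; content.dropboxapi.com and the /2/files/* paths are Dropbox's real API endpoints, but seeing paths at all assumes TLS inspection at the proxy, otherwise only the host (SNI) is available and the beacon check still applies while the size check must fall back to connection-level byte counts.

```python
"""Added example (not ESET's or CeranaKeeper's code): two checks over web proxy
logs for the Dropbox usage pattern described above: a fixed-interval heartbeat
to the Dropbox API (DropboxFlop) and oversized uploads to the content endpoint
(WavyExfiller). Log lines, addresses and sizes are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (one request per line): time src method host path status bytes_out
SAMPLE_PROXY_LOG = """\
2023-10-17T09:00:00 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 310
2023-10-17T09:00:15 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 312
2023-10-17T09:00:31 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 309
2023-10-17T09:00:46 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 311
2023-10-17T09:01:01 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 310
2023-10-17T09:01:16 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 308
2023-10-17T09:01:30 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 313
2023-10-17T09:01:45 10.10.4.23 POST content.dropboxapi.com /2/files/upload 200 310
2023-10-17T09:01:50 10.10.4.23 POST content.dropboxapi.com /2/files/upload_session/append_v2 200 52428800
2023-10-17T09:03:12 10.10.7.8 GET www.dropbox.com /home 200 0
2023-10-17T09:41:05 10.10.7.8 POST content.dropboxapi.com /2/files/upload 200 20480
"""


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, status, bytes_out = line.split()
        records.append({"time": datetime.fromisoformat(ts), "src": src, "method": method,
                        "host": host, "path": path, "status": int(status),
                        "bytes_out": int(bytes_out)})
    return records


def find_beacons(records, min_requests=6, tolerance_s=2.0):
    """Flag (source, host) pairs whose inter-request gaps cluster tightly around
    one period. Using the median period keeps the check robust to a few extra
    requests (such as an exfiltration burst) interleaved with the heartbeat."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["time"])
    beacons = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        regular = sum(abs(gap - period) <= tolerance_s for gap in gaps)
        if regular >= min_requests - 1:
            beacons.append({"src": src, "host": host, "period_s": period,
                            "requests": len(times), "regular_intervals": regular})
    return beacons


def find_bulk_uploads(records, min_bytes=10 * 1024 * 1024):
    """Single uploads to the Dropbox content API above min_bytes: an archive of a
    user's documents dwarfs the heartbeat, task and output files."""
    return [r for r in records
            if r["host"] == "content.dropboxapi.com"
            and r["path"].startswith("/2/files/upload")
            and r["bytes_out"] >= min_bytes]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print(find_beacons(recs))
    print([(r["src"], r["path"], r["bytes_out"]) for r in find_bulk_uploads(recs)])
```

Legitimate Dropbox desktop clients also poll, so the beacon hit is a lead rather than a verdict; the combination of a user-mode process that is not the Dropbox client, a rigid period, and a multi-megabyte upload from the same host is what matches the behaviour described here.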

OneDoor: A C++ backdoor abusing OneDrive

A few days after deploying the Python backdoor DropboxFlop, CeranaKeeper returned with a statically linked C/C++ backdoor abusing OneDrive that we have named OneDoor. The sample (SHA-256: 3F81D1E70D9EE39C83B582AC3BCC1CDFE038F5DA31331CDBCD4FF1A2D15BB7C8) is named OneDrive.exe. The file mimics the legitimate Microsoft executable, as shown in the properties view in Figure 2.

Figure 2. OneDoor file properties

OneDoor behaves in a similar manner to the DropboxFlop backdoor, but uses the OneDrive REST API of the Microsoft Graph API to receive commands and exfiltrate files.

OneDoor creates a log file and attempts to access a file named config.ini. If it is not present, OneDoor uses a hardcoded buffer. The file or buffer starts with a key and an initialization vector, which are used to decrypt the rest of the data with AES-128 in CBC mode; because the key and IV are stored in the clear ahead of the ciphertext, the configuration can be recovered from the sample or the config file alone. The plaintext contains a URL, which the malware requests with an HTTP GET. The response contains a OneDrive token, which is used in subsequent requests to Microsoft OneDrive.

OneDoor also retrieves the ID of a folder called approot, which is used to store application data.

Similar to the config.ini file, the malware attempts to access a file named errors.log. If the file does not exist, it uses a hardcoded buffer. The content of the file or buffer is decrypted; the plaintext contains a 1024-bit RSA public key. A key-IV pair is generated, encrypted with that RSA public key, and uploaded to the remote approot folder. This pair is used to encrypt and decrypt the data exchanged afterwards. Since only the operators hold the matching private key, the uploaded pair, and with it the task and result files, cannot be decrypted from captured OneDrive content alone; the pair exists in the clear only on the infected host.

Finally, the malware retrieves lists of files from two folders on OneDrive, E and F. A thread is started for each list, which downloads and decrypts the files. The files stored under the E folder contain commands to be executed, while the ones stored under the F folder contain a list of files to be uploaded. The results of these operations are encrypted and stored in a third OneDrive folder, D. The original files are then deleted from OneDrive.

BingoShell: A Python backdoor abusing GitHub

We observed the latest specimen of the group's exfiltration toolset in February 2024 and named it BingoShell because of the string bingo# used in the title of the GitHub pull request (PR) it creates. The analyzed sample (SHA-256: 24E12B8B1255DF4E6619ED1A6AE1C75B17341EEF7418450E661B74B144570017) is a file named Update.exe that uses a Microsoft Office logo as its icon, as shown in Figure 3. According to its PE compilation timestamp, it was apparently built in late January 2024.

Figure 3. BingoShell backdoor mimics Microsoft Office application

BingoShell is a backdoor written in Python that uses GitHub to control compromised machines. Once run, it uses a hardcoded token to access a private GitHub repository. According to the first commit on the main branch, the repository was probably created on January 24th, 2024. BingoShell creates a new branch in the repository and a corresponding pull request. The backdoor reads the comments on the newly created PR to receive commands to execute on the compromised machine, as illustrated in Figure 4.

Figure 4. Code retrieving commands stored in issue comments

This demonstrates a new covert technique for leveraging GitHub as a command and control (C&C) server, and shows the care taken by the attackers, who cleaned up after themselves by closing pull requests and removing comments from the repository.

Each new branch created by BingoShell on the private GitHub repository should represent one access to a compromised machine. Because we discovered 25 closed pull requests (shown in Figure 5), we can infer that CeranaKeeper had access, via BingoShell, to 25 compromised machines.

Figure 5. Enumerating the pull requests
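The enumeration in Figure 5 can be reproduced by anyone who obtains the repository token, for example from a BingoShell sample. The script below is an added example written for this post, not ESET's or CeranaKeeper's code: it walks a pull-request listing, keeps the PRs whose title carries the bingo# marker, records how long each stayed open, and counts distinct head branches as implants, applying the one-branch-per-machine reading given above. The JSON follows the shape of GitHub's GET /repos/{owner}/{repo}/pulls?state=all response; the PR numbers, branch names, account login and dates are made up, and the assumption that a second PR on an already-seen branch is the same host reconnecting is ours, not something the original repository was observed to do.

```python
"""Added example (not ESET's or CeranaKeeper's code): enumerate a repository's
pull requests, keep those titled with the bingo# marker, and count distinct
head branches as compromised machines. JSON is constructed in the shape of
GitHub's pulls listing; numbers, branches, login and dates are made up."""
import json
import re
from datetime import datetime

SAMPLE_PULLS_JSON = json.dumps([
    {"number": 1, "title": "bingo#7f3a", "state": "closed",
     "created_at": "2024-01-25T03:12:41Z", "closed_at": "2024-01-25T09:40:02Z",
     "head": {"ref": "7f3a"}, "user": {"login": "ops-account"}},
    {"number": 2, "title": "bingo#c0de", "state": "closed",
     "created_at": "2024-01-26T01:00:00Z", "closed_at": "2024-01-27T01:00:00Z",
     "head": {"ref": "c0de"}, "user": {"login": "ops-account"}},
    {"number": 3, "title": "Fix typo in README", "state": "closed",
     "created_at": "2024-01-26T12:00:00Z", "closed_at": "2024-01-26T12:30:00Z",
     "head": {"ref": "docs/typo"}, "user": {"login": "ops-account"}},
    {"number": 4, "title": "bingo#7f3a", "state": "open",
     "created_at": "2024-02-02T08:15:00Z", "closed_at": None,
     "head": {"ref": "7f3a"}, "user": {"login": "ops-account"}},
])


def _github_time(ts):
    # GitHub returns ISO 8601 timestamps in UTC with a trailing Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_c2_pull_requests(pulls_json, title_regex=r"^bingo#"):
    """Return the PRs whose title matches, with their branch and how long each
    stayed open (the operators close a PR once they are done with that host)."""
    marker = re.compile(title_regex)
    hits = []
    for pr in json.loads(pulls_json):
        if not marker.search(pr.get("title", "")):
            continue
        opened = _github_time(pr["created_at"])
        closed = _github_time(pr["closed_at"]) if pr.get("closed_at") else None
        hits.append({
            "number": pr["number"],
            "branch": pr["head"]["ref"],
            "state": pr["state"],
            "opened": opened,
            "closed": closed,
            "lifetime_h": round((closed - opened).total_seconds() / 3600, 1) if closed else None,
        })
    return hits


def infer_victims(hits):
    """One branch per implant: a PR reopened on an existing branch is assumed
    to be the same host reconnecting rather than a new machine."""
    return len({h["branch"] for h in hits})


if __name__ == "__main__":
    found = find_c2_pull_requests(SAMPLE_PULLS_JSON)
    for h in found:
        print(h["number"], h["branch"], h["state"], h["lifetime_h"])
    print("inferred compromised machines:", infer_victims(found))
```

Against a live repository the listing comes from `gh api --paginate "repos/OWNER/REPO/pulls?state=all"`. The conversation comments BingoShell polls are served by the issues endpoint (`repos/OWNER/REPO/issues/N/comments`), so the same token lets a responder pull the command history for each PR, which matters because the operators were seen deleting those comments once a host was no longer needed.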

Conclusion

The threat actor behind the attacks on the Thai government, CeranaKeeper, seems particularly relentless, as the plethora of tools and techniques the group uses keeps evolving at a rapid rate. The operators write and rewrite their toolset as their operations require and respond rather quickly to keep avoiding detection. The group's goal is to harvest as many files as possible, and it develops specific components to that end. CeranaKeeper uses cloud and file-sharing services for exfiltration and probably relies on the fact that traffic to these popular services mostly looks legitimate and is harder to block once it is identified.

Throughout our research, we were able to establish strong connections between the previously documented and the new toolsets and one common threat actor. The review of the discrepancies in tactics, techniques and procedures (TTPs), code, and infrastructure leads us to believe that tracking CeranaKeeper and Mustang Panda as two separate entities is necessary. However, both China-aligned groups could be sharing information and a subset of tools, either in a common interest or through the same third party.

The targeted campaign we investigated gave us insights into CeranaKeeper's operations, and future campaigns will likely reveal more, as the group's quest for sensitive data continues.

For a more detailed analysis of the tools deployed by CeranaKeeper, you can access the full ESET Research white paper here.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA-256  Filename  Detection  Description
B25C79BA507A256C9CA12A9BD34DEF6A33F9C087578C03D083D7863C708ECA21  EACore.dll  Win32/Agent.VJO  YK0130 reverse shell.
E7B6164B6EC7B7552C93713403507B531F625A8C64D36B60D660D66E82646696  SearchApp.exe  Python/Agent.AGT  WavyExfiller.
3F81D1E70D9EE39C83B582AC3BCC1CDFE038F5DA31331CDBCD4FF1A2D15BB7C8  OneDrive.exe  Win32/Agent.VKV  OneDoor.
DAFAD19900FFF383C2790E017C958A1E92E84F7BB159A2A7136923B715A4C94F  dropbox.exe  Python/Agent.AQN  PyInstaller DropFlop.
24E12B8B1255DF4E6619ED1A6AE1C75B17341EEF7418450E661B74B144570017  Update.exe  Python/Agent.AJJ  BingoShell.
451EE465675E674CEBE3C42ED41356AE2C972703E1DC7800A187426A6B34EFDC  oneDrive.exe  Python/Agent.AGP  WavyExfiller PixelDrain variant.
E6AB24B826C034A6D9E152673B91159201577A3A9D626776F95222F01B7C21DB  MsOcrRes.orp  Win32/Agent.AFWW  TONESHELL type B.
6655C5686B9B0292CF5121FC6346341BB888704B421A85A15011456A9A2C192A  avk.dll  Win32/Agent.VJQ  TONESHELL variant.
B15BA83681C4D2C2716602615288B7E64A1D4A9F4805779CEBDF5E6C2399AFB5  TurboActivate.dll  Win32/Agent.AFWX  TONESHELL loader.

Network

IP  Domain  Hosting provider  First seen  Details
104.21.81[.]233, 172.67.165[.]197  www.toptipvideo[.]com  CLOUDFLARENET (AS13335)  2023-08-14  C&C server for the YK0130 reverse shell.
103.245.165[.]237  dljmp2p[.]com, inly5sf[.]com  Bangmod Enterprise administrator (AS58955)  2023-04-21  C&C servers for TONESHELL variants.
103.27.202[.]185  www.dl6yfsl[.]com  Bangmod Enterprise administrator (AS58955)  2023-08-10  C&C server for TONEINS variant.
103.27.202[.]185  www.uvfr4ep[.]com  Bangmod Enterprise administrator (AS58955)  2023-09-22  C&C server for TONEINS variant.

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK framework.

Tactic  ID  Name  Description
Resource Development  T1583.001  Acquire Infrastructure: Domains  CeranaKeeper acquired domains for some of its C&C servers.
Resource Development  T1583.003  Acquire Infrastructure: Virtual Private Server  CeranaKeeper acquired access to a VPS to serve as a C&C server.
Resource Development  T1587.001  Develop Capabilities: Malware  CeranaKeeper develops its own components.
Resource Development  T1585.003  Establish Accounts: Cloud Accounts  CeranaKeeper acquired cloud accounts for exfiltration purposes.
Execution  T1072  Software Deployment Tools  CeranaKeeper abuses the ESET Remote Administration console to perform lateral movement.
Persistence  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  The YK0130 reverse shell establishes persistence via the registry Run key.
Persistence  T1574.002  Hijack Execution Flow: DLL Side-Loading  Most components come as side-loaded libraries along with the legitimate program.
Defense Evasion  T1140  Deobfuscate/Decode Files or Information  Configuration files used by the OneDrive backdoor are encrypted.
Defense Evasion  T1036.005  Masquerading: Match Legitimate Name or Location  CeranaKeeper uses legitimate library names to blend in.
Collection  T1560.001  Archive Collected Data: Archive via Utility  WavyExfiller uses WinRAR to compress collected data.
Collection  T1005  Data from Local System  WavyExfiller collects data from the local drive (C:).
Collection  T1039  Data from Network Shared Drive  WavyExfiller collects data from network shares.
Collection  T1074.001  Data Staged: Local Data Staging  Collected data is archived in a dedicated folder before being uploaded.
Command and Control  T1071.001  Application Layer Protocol: Web Protocols  The various backdoors communicate over HTTP/S.
Command and Control  T1132.002  Data Encoding: Non-Standard Encoding  The network protocol used by the YK0130 reverse shell employs custom, XOR-based encoding.
Command and Control  T1573.001  Encrypted Channel: Symmetric Cryptography  AES-128 in CBC mode is used by the OneDrive backdoor to encrypt network communication.
Command and Control  T1573.002  Encrypted Channel: Asymmetric Cryptography  The generated key and IV for the OneDrive backdoor are encrypted with RSA.
Command and Control  T1090.001  Proxy: Internal Proxy  One of the variants of the YK0130 reverse shell implements a reverse proxy.
Command and Control  T1102.002  Web Service: Bidirectional Communication  OneDrive and Dropbox are used as C&C servers.
Exfiltration  T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage  Collected data is exfiltrated via cloud services.
