CeranaKeeper: How Chinese Cyber Sharks Devastate Southeast Asian Networks

The group is quickly adapting its methods to circumvent any digital protection.

CeranaKeeper, a new hacker group linked to China and aimed at stealing data in Southeast Asia, has been discovered by researchers from ESET. The group's first activity was noticed back in 2023, when its victims were government agencies in Thailand. CeranaKeeper's activities have also been seen in other countries in the region, including Myanmar, the Philippines, Japan, and Taiwan.

The group uses a variety of methods and tools to collect data, including the abuse of legitimate cloud storage and file-sharing services such as Dropbox and OneDrive. According to ESET security researcher Romain Dumont, this group is constantly updating its toolkit to bypass security systems and collect data at scale.

CeranaKeeper attacks use backdoors and exfiltration tools to quickly access various systems and collect large amounts of information. According to experts, the group's aggressive approach is manifested in its ability to quickly spread through infected systems and quickly adapt its methods.

While the initial way in which CeranaKeeper infiltrated the systems remains unknown, the attackers use the access they have already gained to move to other machines on the local network. Some of the infected computers are turned into proxy servers or update servers for the backdoors.

CeranaKeeper attacks use malware such as TONESHELL, TONEINS, and PUBLOAD, which are also associated with the Mustang Panda hacking group. In addition, CeranaKeeper applies a number of new tools for data collection:
  • WavyExfiller: A Python tool for uploading data, including from connected devices such as USB drives and hard drives, with exfiltration via Dropbox and PixelDrain.
  • DropboxFlop: A Python script that is a modification of the DropFlop reverse shell and uses Dropbox as a command-and-control server.
  • OneDoor: A C++ backdoor that uses Microsoft OneDrive APIs to execute commands and exfiltrate files.
  • BingoShell: A Python backdoor that uses a private GitHub repository as the channel for a hidden reverse shell.
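The common thread in the tools above is that command-and-control and exfiltration ride on legitimate cloud services. The following is an added detection example, not code from ESET or from the post: it hunts over constructed proxy-log lines for non-browser processes pushing large uploads to Dropbox, OneDrive (Microsoft Graph), PixelDrain or GitHub. The domains, the log format and the 50 MiB threshold are assumptions for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Cloud services the post names as exfiltration/C2 channels. The hostnames are
# assumed API/upload endpoints chosen for this example, not taken from the report.
CLOUD_DOMAINS = {
    "dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "pixeldrain.com": "PixelDrain",
    "github.com": "GitHub",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # 50 MiB per (host, process, service); assumed tuning value

# Constructed sample proxy log: timestamp host process method url bytes_sent
SAMPLE_LOG = """\
2024-09-01T10:00:01 WS-101 chrome.exe GET https://www.example.org/ 512
2024-09-01T10:02:10 WS-101 python.exe POST https://content.dropboxapi.com/2/files/upload 41943040
2024-09-01T10:02:55 WS-101 python.exe POST https://content.dropboxapi.com/2/files/upload 37748736
2024-09-01T10:05:00 WS-202 msedge.exe POST https://graph.microsoft.com/v1.0/me/drive/root 2097152
2024-09-01T10:06:00 WS-303 svchost.exe PUT https://pixeldrain.com/api/file 62914560
"""


def service_for(host):
    """Map a hostname to a named cloud service, matching the domain or any subdomain."""
    for domain, name in CLOUD_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def hunt_cloud_exfil(log_text):
    """Return {(host, process, service): bytes_sent} for non-browser uploads
    to the watched services whose summed volume reaches UPLOAD_THRESHOLD."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        _ts, host, proc, method, url, sent = line.split()
        # Only upload-style requests from processes that are not browsers
        if method not in ("POST", "PUT") or proc.lower() in BROWSERS:
            continue
        service = service_for(urlparse(url).hostname or "")
        if service:
            totals[(host, proc.lower(), service)] += int(sent)
    return {key: size for key, size in totals.items() if size >= UPLOAD_THRESHOLD}


if __name__ == "__main__":
    for (host, proc, service), size in hunt_cloud_exfil(SAMPLE_LOG).items():
        print(f"{host}: {proc} sent {size} bytes to {service}")
```

Browser traffic to the same services is deliberately excluded, so the hunt only surfaces scripts and system binaries using cloud APIs directly, which is the behaviour the tools listed above would produce.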

ESET also notes that the CeranaKeeper group is able to quickly rewrite and adapt its tools to bypass security systems. The main goal of cybercriminals is to develop unique malware for the large-scale collection of confidential information.

According to ESET's analytics, while CeranaKeeper and Mustang Panda may operate independently of each other, they likely have some level of information sharing or rely on common third-party resources, which is common among cyber groups linked to China.
