“Bee vs. Panda: CeranaKeeper’s Strategic Move into Thailand”

ESET researchers uncovered CeranaKeeper, a China-aligned threat actor that targets governmental institutions in Thailand and uses revamped Mustang Panda components alongside new custom tools to harvest sensitive data. The group implements multiple cloud-based backdoors and exfiltration channels—notably abusing Pastebin, Dropbox, OneDrive, PixelDrain and GitHub—to receive commands and upload stolen documents. #CeranaKeeper #OneDrive

Keypoints

  • New China-aligned actor “CeranaKeeper” targets governmental institutions in Thailand and other Asian countries.
  • The group deploys custom backdoors and harvesting tools (e.g., TONESHELL backdoors and loaders, WavyExfiller, DropboxFlop, OneDoor, BingoShell) to extract data.
  • CeranaKeeper abuses legitimate cloud/file-sharing services (Pastebin, Dropbox, OneDrive, PixelDrain) and GitHub pull requests/comments for C2 and exfiltration.
  • The initial foothold was followed by local brute-force and credential-dumping attacks, misuse of a legitimate security driver to disable endpoint protections, and abuse of remote administration consoles for lateral movement and update distribution.
  • Persistence and evasion techniques include registry Run keys, DLL side‑loading, encrypted configuration files, and masquerading as legitimate libraries/executables.
  • Data collection and staging: files from C: and mapped/network drives are compressed (WinRAR) into staged archives before upload; network comms use HTTP/S with custom encoding and AES/RSA protections in some components.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – CeranaKeeper registered domains for C2 servers. (‘CeranaKeeper acquired domains for some of its C&C servers.’)
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – The actor used VPS hosting to operate C2. (‘CeranaKeeper acquired access to a VPS to serve as a C&C server.’)
  • [T1587.001] Develop Capabilities: Malware – The group creates and updates bespoke malware components. (‘CeranaKeeper develops its own components.’)
  • [T1585.003] Establish Accounts: Cloud Accounts – Cloud accounts are provisioned for storing/exfiltrating data. (‘CeranaKeeper acquired cloud accounts for exfiltration purposes.’)
  • [T1072] Software Deployment Tools – Remote administration consoles were abused to spread backdoors internally. (‘CeranaKeeper abuses the ESET Remote Administration console to perform lateral movement.’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Reverse shells establish persistence via Run keys. (‘The YK0130 reverse shell establishes persistence via the registry Run key.’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Many components are delivered as side-loaded DLLs alongside legitimate programs. (‘Most components come as side-loaded libraries along with the legitimate program.’)
  • [T1140] Deobfuscate/Decode Files or Information – Configuration blobs are encrypted and decrypted by backdoors. (‘Configuration files used by the OneDrive backdoor are encrypted.’)
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Malware mimics legitimate filenames and library names to blend in. (‘CeranaKeeper uses legitimate library names to blend in.’)
  • [T1560.001] Archive Collected Data: Archive via Utility – Collected files are compressed with utilities (e.g., WinRAR) before exfiltration. (‘WavyExfiller uses WinRAR to compress collected data.’)
  • [T1005] Data from Local System – Harvesting includes files from the local C: drive. (‘WavyExfiller collects data from the local drive (C:).’)
  • [T1039] Data from Network Shared Drive – Network shares are crawled for additional documents. (‘WavyExfiller collects data from network shares.’)
  • [T1074.001] Data Staged: Local Data Staging – Data are aggregated into a staging folder prior to upload. (‘Collected data is archived in a special folder before being uploaded.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Backdoors communicate over HTTP/S with cloud APIs. (‘The different backdoors communicate using HTTP/S.’)
  • [T1132.002] Data Encoding: Non-Standard Encoding – YK0130 uses custom XOR-based encoding for network traffic. (‘The network protocol used by the YK0130 reverse shell employs custom, XOR-based encoding.’)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – OneDrive backdoor uses AES-128-CBC for encrypting traffic and payloads. (‘AES-128 mode CBC is used by the OneDrive backdoor to encrypt network communication.’)
  • [T1573.002] Encrypted Channel: Asymmetric Cryptography – Key-IV pairs are encrypted with RSA before upload. (‘The generated key and IV for the OneDrive backdoor are encrypted via RSA.’)
  • [T1090.001] Proxy: Internal Proxy – A YK0130 variant implements a reverse proxy for internal routing. (‘One of the variants of the YK0130 reverse shell implements a reverse proxy.’)
  • [T1102.002] Web Service: Bidirectional Communication – Public cloud services (OneDrive, Dropbox) are used as bidirectional C2 channels. (‘OneDrive and Dropbox are used as C&C servers.’)
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Staged archives are exfiltrated to cloud storage providers. (‘Collected data are exfiltrated via cloud services.’)

Indicators of Compromise

  • [File Hashes] Malware samples – E7B6164B6EC7B7552C93713403507B531F625A8C64D36B60D660D66E82646696, 3F81D1E70D9EE39C83B582AC3BCC1CDFE038F5DA31331CDBCD4FF1A2D15BB7C8, and 7 more hashes.
  • [Filenames] Observed malicious binaries – SearchApp.exe (WavyExfiller), OneDrive.exe (OneDoor), Update.exe (BingoShell), and other loader DLLs like TurboActivate.dll.
  • [Domains] C2 and infrastructure – www.toptipvideo[.]com, dljmp2p[.]com, and other malicious domains used for C&C.
  • [IP Addresses] C2 hosts – 104.21.81[.]233, 103.245.165[.]237, and 2 more IPs linked to hosting providers used by the actor.

CeranaKeeper’s intrusion chain typically begins with a foothold (initial vector not fully identified in the analyzed case) followed by local brute-force and credential-dumping activity to escalate privileges. After obtaining domain or administrative credentials, operators install TONESHELL backdoors and loaders via DLL side‑loading, use a legitimate Avast driver and custom utilities to disable endpoint protections, and leverage a remote administration console to push the same backdoor across the domain—turning compromised servers into update distribution points for their payloads.

Once they land on high-value hosts, the group deploys purpose-built exfiltration and secondary backdoor tools selectively. WavyExfiller (PyInstaller SearchApp.exe / oneDrive.exe variants) performs recursive collection of C: and mapped/mounted drives (letters D–N except L), compresses files (WinRAR) into password‑protected archives, and retrieves encrypted cloud tokens from Pastebin to upload to Dropbox or PixelDrain. DropboxFlop is a PyInstaller-based reverse shell that polls a remote Dropbox repo (heartbeat via a lasttime file) and executes JSON-formatted tasks (command execution or file upload), while OneDoor (statically linked C++ named OneDrive.exe) uses an encrypted config.bin / hardcoded buffers to obtain a OneDrive token, uses AES‑128‑CBC for data encryption, encrypts key/IV pairs with a 1024‑bit RSA public key, and maps OneDrive folders (E for commands, F for upload lists, D for results) to implement fetch/execute and exfiltrate workflows.

BingoShell implements a covert GitHub-based C2: it uses a hardcoded token to access a private repository, creates a branch and pull request per infected host, reads commands from PR comments, executes them locally, returns output to repository files, and cleans up by closing PRs and deleting comments. Across these tools the group employs HTTP/S for application-layer comms, custom XOR-based encoding in YK0130 variants, registry Run keys for persistence, and internal proxying in some reverse-shell variants—together enabling stealthy command-and-control and large-scale staged exfiltration to public cloud services.
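As an added example (not ESET's code or anything from the report), a small Python detection that applies the behaviours described above to constructed proxy log lines: it flags contact with the report's C&C domains, the listed filenames talking to the cloud services the group abuses, OneDrive.exe running outside the genuine client's install path, and repeated polling of GitHub pull-request comments. The log format and lines, the cloud API hostnames, the genuine OneDrive path and the polling threshold are assumptions of this example.

```python
from collections import Counter

# Constructed sample proxy log (not from the report): "<ts> <host> <process path> <dest> <method> <path>".
SAMPLE_LOG = r"""
2024-05-02T08:01:12Z WS-042 C:\Users\Public\SearchApp.exe pastebin.com GET /raw/EXAMPLE
2024-05-02T08:01:15Z WS-042 C:\Users\Public\SearchApp.exe content.dropboxapi.com POST /2/files/upload
2024-05-02T08:02:01Z SRV-07 C:\ProgramData\OneDrive.exe graph.microsoft.com GET /v1.0/me/drive/root/children
2024-05-02T08:03:00Z SRV-07 C:\ProgramData\OneDrive.exe www.toptipvideo.com POST /update
2024-05-02T08:05:00Z WS-011 C:\Users\Public\Update.exe api.github.com GET /repos/o/r/pulls/3/comments
2024-05-02T08:06:00Z WS-011 C:\Users\Public\Update.exe api.github.com GET /repos/o/r/pulls/3/comments
2024-05-02T08:07:00Z WS-011 C:\Users\Public\Update.exe api.github.com GET /repos/o/r/pulls/3/comments
2024-05-02T08:08:00Z WS-099 C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe graph.microsoft.com GET /v1.0/me/drive
2024-05-02T08:09:00Z WS-099 C:\Tools\firefox.exe www.example.org GET /
"""
# Services the report names as C&C/exfiltration channels; the API hostnames are this example's assumption.
CLOUD_C2_HOSTS = {"pastebin.com", "api.dropboxapi.com", "content.dropboxapi.com", "pixeldrain.com", "api.github.com", "graph.microsoft.com"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in ("www.toptipvideo[.]com", "dljmp2p[.]com")}  # from the report
IOC_NAMES = {"searchapp.exe", "onedrive.exe", "update.exe"}  # filenames listed in the report
EXPECTED_PATH = {"onedrive.exe": "\\microsoft\\onedrive\\"}  # genuine client location (assumption)

def suspect_process(proc):
    """Report-listed filename, unless it runs from the genuine product location."""
    name = proc.rsplit("\\", 1)[-1].lower()
    if name not in IOC_NAMES:
        return False
    return name not in EXPECTED_PATH or EXPECTED_PATH[name] not in proc.lower()

def analyze(log_text):
    """Return sorted (host, reason) findings for the behaviours the report describes."""
    findings, pr_polls = set(), Counter()
    for line in log_text.strip().splitlines():
        ts, host, proc, dest, method, path = line.split()
        dest, name = dest.lower(), proc.rsplit("\\", 1)[-1].lower()
        if dest in IOC_DOMAINS:
            findings.add((host, f"contact with known C&C domain {dest}"))
        if suspect_process(proc):
            if dest in CLOUD_C2_HOSTS:
                findings.add((host, f"{name} at {proc} using cloud service {dest}"))
            if name in EXPECTED_PATH:
                findings.add((host, f"{name} masquerading outside its install path: {proc}"))
        if dest == "api.github.com" and path.startswith("/repos/") and "/pulls/" in path and path.endswith("/comments"):
            pr_polls[host] += 1
    for host, n in pr_polls.items():
        if n >= 3:  # a PR-comment channel is polled repeatedly; the threshold is illustrative
            findings.add((host, f"repeated GitHub pull-request comment polling ({n} requests)"))
    return sorted(findings)

if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG):
        print(f"{host}: {reason}")
```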

Read more: https://www.welivesecurity.com/en/eset-research/separating-bee-panda-ceranakeeper-making-beeline-thailand/