The group constantly updates its backdoors to avoid detection and diversifies methods to facilitate mass data exfiltration. It also leverages legitimate cloud and file sharing services, such as Dropbox, GitHub, and OneDrive, to implement custom backdoors
Researchers of ESET, a global European leader in the cybersecurity market, have uncovered several targeted campaigns against government institutions in Thailand that, starting in 2023, were able to exfiltrate massive amounts of data. The campaigns leveraged legitimate file sharing services such as Dropbox, PixelDrain, GitHub, and OneDrive. Based on their findings, ESET researchers decided to trace this cluster of activity as the work of a specific threat actor, which ESET named CeranaKeeper. The numerous occurrences of the string "bectrl" in the code of the group's tools inspired the name: a play on words between the term "beekeeper" and the bee species Apis Cerana, or Asian honey bee. ESET presented its findings on CeranaKeeper and the compromise in Thailand at the Virus Bulletin 2024 conference.
CeranaKeeper, responsible for attacks on the Thai government, appears particularly aggressive, with a multitude of rapidly and continuously evolving tools and techniques used. Operators write and rewrite their toolset as needed, reacting quickly to avoid detection. The goal of this group is to collect as many files as possible and to this end it develops specific components. CeranaKeeper uses cloud and file-sharing services for exfiltration, likely counting on the fact that traffic to these popular services appears mostly legitimate and harder to block when identified.
CeranaKeeper has been active since at least early 2022, and primarily targets government entities in Asia, such as Thailand, Myanmar, the Philippines, Japan and Taiwan.
The attacks in Thailand leveraged revised versions of components previously attributed by other researchers to the China-aligned APT group, MustangPanda, and then a new toolset capable of hijacking service providers such as Pastebin, Dropbox, OneDrive, and GitHub to execute commands on compromised computers and exfiltrate sensitive documents. However, analysis of tactics, techniques, procedures, code and infrastructure discrepancies led ESET to deem it necessary to consider CeranaKeeper and MustangPanda as two separate entities. Both China-aligned groups could share information and a subset of tools for a common interest or through a third party.
"Despite some similarities in their activities, such as common goals and similar archive formats, ESET observed organizational and technical differences between the two groups, for example in toolsets, infrastructure, procedures and campaigns. We also noticed differences in the way the two groups carry out similar tasks," explains Romain Dumont, ESET researcher who discovered CeranaKeeper.
CeranaKeeper likely uses a publicly documented toolset called “bespoke stagers” (or TONESHELL), which makes extensive use of a side-loading technique and uses a specific sequence of commands to exfiltrate files from a compromised network. In the activities carried out, CeranaKeeper uses components known to be exclusive to the group and for their exclusive use. Additionally, the group left some metadata in their code that provided ESET with additional information about the development process, further solidifying the attribution to CeranaKeeper.
After gaining privileged access, the attackers installed the TONESHELL backdoor, deployed a credential dump tool, and used a legitimate Avast driver and custom application to disable security products on the machine. From the compromised server, they used a remote administration console to deploy and run their backdoor on other computers on the network. The group deployed a new BAT script across the network, extending its reach to other computers by leveraging the domain controller to gain Admin privileges.
In the attack against the Thai government, attackers identified and selected compromised computers of interest to deploy previously undocumented custom tools that were used not only to facilitate the exfiltration of documents to public storage services, but also as alternative backdoors. One particularly noteworthy technique used by the group leverages GitHub's pull request and issue comment functions to create a hidden reverse shell, leveraging GitHub, a popular online platform for sharing and collaborating on code, as a Command & Control (C&C) server.
For a more detailed analysis and technical breakdown of CeranaKeeper tools, see the latest ESET Research white paper “CeranaKeeper: A relentless, shape-shifting group targeting Thailand” on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) For the latest news from ESET Research.
