Thailand, Myanmar, Taiwan, and other countries across Southeast Asia have been targeted with a data theft campaign by novel threat operation CeranaKeeper, which has been leveraging tools linked to the Chinese advanced persistent threat group Mustang Panda, reports The Hacker News.
Attacks by CeranaKeeper involved the deployment of the Mustang Panda-linked TONESHELL backdoor, a credential dumping tool, and a legitimate Avast driver before proceeding with the delivery of the WavyExfiller Python uploader for data gathering, the DropboxFlop payload, the Microsoft OneDrive REST API-exploiting OneDoor backdoor, and the BingoShell Python backdoor, according to an ESET report. "Mustang Panda and CeranaKeeper seem to operate independently of each other, and each has its own toolset. Both threat actors may rely on the same third party, such as a digital quartermaster, which is not uncommon among China-aligned groups, or have some level of information sharing, which would explain the links that have been observed," said the report.
