Cybersecurity firm Sygnia detailed a highly persistent and stealthy cyber espionage operation by a China-nexus threat actor, tracked as "Weaver Ant," targeting a major telecommunications provider in Asia.
The group employed a combination of web shells and tunneling methods to facilitate long-term persistence within the network. They deployed an encrypted China Chopper web shell, a tool traditionally used by Chinese threat actors. The web shell allowed Weaver Ant to execute commands, manage files, and exfiltrate data remotely.
Further analysis revealed that Weaver Ant had deployed a variant of the China Chopper web shell on an internal server that had been compromised for several years. The version employed by Weaver Ant supported AES encryption for payloads, allowing the threat actor to bypass automated detection systems such as Web Application Firewalls (WAF).
In addition to the encrypted China Chopper shell, Sygnia discovered a second, custom web shell called "INMemory." This web shell was able to execute malicious modules entirely in memory, avoiding detection by traditional signature-based defenses.
The INMemory web shell utilized a hardcoded GZipped Base64 string, which it decoded into a Portable Executable (PE) named ‘eval.dll,’ executing it entirely in memory.
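As an added defender-side example (not code from Sygnia's report or from the actor's tooling), the scanner below hunts for the INMemory trait described above: a hardcoded Base64 run that decodes to a gzip stream whose decompressed content starts with a PE 'MZ' header. The sample page, its embedded blob and the 200-character minimum run length are all constructed assumptions.

```python
import base64
import binascii
import gzip
import re
from typing import List, Tuple

# Only long Base64 runs can hold a packed binary; shorter tokens
# (view state, session ids) are skipped to keep the noise down.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def find_gzipped_pe_blobs(content: bytes) -> List[Tuple[int, int]]:
    """Return (offset, decompressed_size) for every Base64 run in `content`
    that is a gzip stream whose payload begins with an MZ header."""
    hits = []
    for m in BASE64_RUN.finditer(content):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid Base64 after all
        if not raw.startswith(GZIP_MAGIC):
            continue                      # decoded, but not gzip
        try:
            payload = gzip.decompress(raw)
        except (OSError, EOFError):
            continue                      # truncated or corrupt stream
        if payload.startswith(PE_MAGIC):
            hits.append((m.start(), len(payload)))
    return hits


def build_sample() -> bytes:
    """Constructed stand-in for an INMemory-style page: one hardcoded
    GZipped Base64 blob that unpacks to an MZ-prefixed payload, plus a
    benign Base64 string that must not be flagged."""
    fake_pe = b"MZ" + bytes(range(256)) * 4            # NOT a real PE
    packed = base64.b64encode(gzip.compress(fake_pe, mtime=0))
    benign = base64.b64encode(b"benign session data " * 15)
    return (b'<%@ Page Language="C#" %>\n'
            b'<script runat="server">\n'
            b'string state = "' + benign + b'";\n'
            b'string blob = "' + packed + b'";\n'
            b'</script>\n')


if __name__ == "__main__":
    for offset, size in find_gzipped_pe_blobs(build_sample()):
        print(f"gzipped PE blob at offset {offset}, {size} bytes unpacked")
```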
To maintain control over the compromised systems, Weaver Ant deployed a recursive HTTP tunnel tool, which served as a secondary web shell, forwarding requests to other internal servers and enabling tunneling access to internal resources. This recursive tunneling allowed the attackers to operate from within the victim's network without alerting traditional defenses.
The attackers also employed PowerShell-based tools, including ‘Invoke-SMBClient,’ to conduct reconnaissance and facilitate movement across the network. By leveraging NTLM hashes instead of clear-text passwords, Weaver Ant was able to authenticate and escalate privileges without triggering suspicion.
In addition to tunneling, the attackers focused on extracting valuable information from configuration files stored on web servers. These files, such as ‘web.config’ and ‘applicationHost.config,’ often contained sensitive credentials that could help the attackers move laterally within the network.
To avoid detection, the attackers manipulated critical security mechanisms, such as Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).
By patching event tracing processes and tampering with Sysmon logging, Weaver Ant was able to suppress or alter critical event logs, making it difficult for defenders to detect their actions. The group also targeted AMSI protections by overwriting the ‘AmsiScanBuffer’ function in the ‘amsi.dll’ module. This modification rendered the victim’s security tools, including endpoint detection and response (EDR) systems, ineffective, allowing malicious PowerShell commands to run without interference.