Chinese APT Weaver Ant Infiltrated a Telco in Asia for Over Four Years
A sophisticated Chinese threat actor group known as Weaver Ant has successfully infiltrated the network of a telecommunications services provider in Asia for an astonishing four years. The China-linked Advanced Persistent Threat (APT) group was discovered by Sygnia researchers, who conducted a comprehensive forensic investigation into the breach.
The incident began when multiple alerts fired on the telco's internal servers: an account previously used by the threat actor, which had been disabled, was re-enabled through a service account operating from an unidentified server. Follow-up analysis uncovered a China Chopper web shell on an internal server that had been compromised for years. This led to the discovery of Weaver Ant's activity; the group is known for using web shells for persistence, remote code execution, and lateral movement through tunneling.
During their investigation, Sygnia researchers detected multiple web shells, including one previously unknown variant dubbed "INMemory". The China Chopper web shell, originally developed by Chinese threat actors, gives an operator remote access to and control over a compromised web server, supporting persistent access, command execution, and data exfiltration. In this intrusion the attackers went further and AES-encrypted the web shell's traffic to conceal their activity from Web Application Firewalls (WAFs).
The encrypted variant of China Chopper was deployed in ASPX and PHP versions on externally facing servers, serving as the entry point for network infiltration. This allowed the attackers to bypass automated detection mechanisms and made forensic analysis challenging. The researchers noted two evasion techniques that hindered the investigation: the payloads contained keywords such as "password" and "key", which WAFs typically redact from logs, so the malicious content was masked in the log records; and the payload data exceeded the character limits of the logging mechanisms, so what was logged was truncated.
The INMemory web shell allows attackers to execute malicious modules in memory, avoiding disk-based detection. It decodes a hardcoded GZipped Base64 string into a PE file, 'eval.dll', and executes it dynamically. The web shell obfuscates its code with Base64-encoded strings and validates HTTP request headers via SHA256 hash comparison.
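As an added illustration (not code from Sygnia's report or from this article), a defender-side hunt for the loader pattern described above: a Python scanner that finds long Base64 literals in server-side script files, decodes them, GZip-decompresses where the magic bytes indicate it, and flags any that yield a PE file. The file extensions, the 200-character threshold and the constructed sample pages are assumptions.

```python
import base64
import gzip
import os
import re
from typing import List, Tuple

# INMemory-style shells carry the module as one long Base64 literal that
# decodes to a GZip stream wrapping a PE file; look for runs of 200+ chars.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php")   # assumed scope

def find_embedded_pe(content: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, decoded_size) for each Base64 literal that yields a PE."""
    hits = []
    for match in B64_RUN.finditer(content):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:            # not valid Base64 after all (bad padding etc.)
            continue
        encoding = "plain"
        if blob[:2] == b"\x1f\x8b":   # gzip magic, as in the INMemory loader
            try:
                blob = gzip.decompress(blob)
            except (OSError, EOFError):
                continue
            encoding = "gzip"
        if blob[:2] == b"MZ":         # DOS/PE header: an executable hidden in a page
            hits.append((encoding, len(blob)))
    return hits

def scan_webroot(root: str) -> List[Tuple[str, str, int]]:
    """Walk a web root and report every server-side script embedding a PE."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    for encoding, size in find_embedded_pe(fh.read()):
                        report.append((path, encoding, size))
    return report

# Constructed samples: a stand-in "PE" (MZ header plus filler, not real malware),
# gzipped and Base64-encoded the way INMemory stores its 'eval.dll', and a
# benign page whose long Base64 literal is just text.
FAKE_PE = b"MZ" + bytes(range(256)) * 4
SAMPLE_SHELL = (b'<%@ Page Language="C#" %><% string m = "'
                + base64.b64encode(gzip.compress(FAKE_PE)) + b'"; %>')
SAMPLE_BENIGN = b"<% var img = '" + base64.b64encode(b"A" * 300) + b"'; %>"

if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_SHELL))   # [('gzip', 1026)]
    print(find_embedded_pe(SAMPLE_BENIGN))  # []
```

Point scan_webroot at a copy of the IIS or PHP document root taken during triage; each hit names a file whose decoded literal should be carved out and analysed as a PE.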
One notable tool used by Weaver Ant was a recursive HTTP tunnel, enabling web shell tunneling for lateral movement. This method leveraged compromised web servers as proxies to relay HTTP/S traffic, accessing internal resources without deploying additional tools. By dynamically constructing and executing cURL commands, the tunneling mechanism allowed the attacker to navigate segmented networks stealthily.
Weaver Ant deployed multiple payloads to evade detection, maintain persistence, and expand access within the compromised network. The group patched Event Tracing for Windows (ETW) to suppress event logging and bypassed the Antimalware Scan Interface (AMSI) by modifying 'amsi.dll', allowing malicious PowerShell code to run. It also executed PowerShell commands through 'System.Management.Automation.dll' without launching PowerShell.exe, avoiding detection.
For lateral movement, Weaver Ant leveraged SMB with NTLM hashes, deploying additional web shells and extracting credentials from IIS configuration files. "As part of its reconnaissance efforts, Weaver Ant executed various 'Invoke-SharpView' commands against multiple Domain Controllers within the same Active Directory (AD) Forest," reads the report published by Sygnia. "The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank."
According to Sygnia, Weaver Ant is a nation-state actor specializing in long-term network access for cyber espionage. The group focuses on network intelligence, credential harvesting, and persistent access to telecom infrastructure, its operations aligning with state-sponsored espionage objectives.
The researchers attribute the activities of Weaver Ant to China based on the use of Zyxel routers operated by Southeast Asian telecommunication providers, backdoors linked to Chinese groups, and operations during GMT +8 business hours. The incident highlights the sophistication and stealth of advanced threat actors and the need for robust security measures to prevent such breaches.