China-Linked Weaver Ant Hackers Exposed After Four-Year Telco Infiltration
A devastating, long-running cyber attack has been uncovered by cybersecurity experts at Sygnia: a China-nexus hacking group, tracked as Weaver Ant, infiltrated the network of an Asian telecommunications service provider and remained inside it for four years. The attackers evaded detection for the entire period, highlighting the sophistication and stealth of this threat.
The investigation was sparked when an account previously used by another threat actor, which had been disabled as part of remediation efforts, was re-enabled by a service account. That activity originated from a server that had not previously been identified as compromised, and Sygnia's researchers went on to attribute the threat actor behind it to China.
A Complex Web of Tactics and Techniques
Further investigation revealed that Weaver Ant had deployed a variant of the China Chopper web shell on an internal server, which had been compromised for several years. This web shell allowed the group to maintain persistence and enable lateral movement throughout their operations.
"Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems," said Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia. "The threat actor adapted their techniques, tactics and procedures (TTPs) to the evolving network environment, enabling continuous access to compromised systems and the collection of sensitive information."
The Weaver Ant Methodology
To infiltrate the Asia-based telecom company and gain access to sensitive data, Weaver Ant compromised Zyxel Customer Premises Equipment (CPE) home routers. These routers were used as an entry point into the victim’s network.
"Web shells and web shell tunneling are primary tools for maintaining persistence and enabling lateral movement throughout their operations," said Biderman. "The first web shell, an encrypted China Chopper, allowed the group to gain remote access and control of web servers. Notably, variants of the China Chopper web shell support AES encryption of a payload, making it highly effective at evading detection at the Web Application Firewall level."
The second web shell used by Weaver Ant had no publicly available references to any known web shells. Sygnia researchers named it the ‘INMemory’ web shell. INMemory leverages just-in-time (JIT) compilation and execution of code at runtime to dynamically execute malicious payloads without having to write them onto the disk.
Evading Detection
Weaver Ant utilized web shell tunneling by leveraging multiple web shells as "proxy servers" to redirect inbound HTTP traffic to another web shell on a different host for payload execution. This method has been observed before, having been employed by various threat actors.
"Instead of deploying a monitoring tool on the compromised machines themselves, which would have alerted the threat actor," explained Sygnia researchers, "we established a combination of port mirroring techniques and designed an architecture to automate the decryption and de-encapsulation of the tunneled web shell traffic."
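The tunneling pattern described above leaves a correlatable trace even when the payload itself is encrypted: an inbound POST to a script on one web server is followed almost immediately by that server opening its own HTTP connection to another internal host. The script below is an added example (not Sygnia's tooling or code from the report) that surfaces repeated chains of that kind from constructed access-log and egress records; host names, paths and timestamps are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts and paths, not from the report).
# Format: "<timestamp> IN <client_ip> <web_server> <method> <path>"  for access-log hits
#         "<timestamp> OUT <src_host> <dst_host> <method> <path>"   for egress/proxy records
SAMPLE_LOG = """\
2025-03-20T09:00:00 IN 203.0.113.5 web01 POST /uploads/health.aspx
2025-03-20T09:00:00 OUT web01 app02 POST /status/check.aspx
2025-03-20T09:00:07 IN 203.0.113.5 web01 POST /uploads/health.aspx
2025-03-20T09:00:08 OUT web01 app02 POST /status/check.aspx
2025-03-20T09:00:15 IN 203.0.113.5 web01 POST /uploads/health.aspx
2025-03-20T09:00:16 OUT web01 app02 POST /status/check.aspx
2025-03-20T09:00:30 IN 203.0.113.5 web01 POST /uploads/health.aspx
2025-03-20T09:00:31 OUT web01 app02 POST /status/check.aspx
2025-03-20T09:01:00 IN 198.51.100.7 web01 GET /index.html
2025-03-20T09:02:00 IN 198.51.100.7 web01 POST /login.aspx
2025-03-20T09:02:30 OUT web01 app02 POST /status/check.aspx
""".splitlines()

WINDOW = timedelta(seconds=2)   # how quickly the relay hop must follow the inbound POST
MIN_HITS = 3                    # repeated pairings before a chain is reported

def parse(line):
    ts, kind, src, dst, method, path = line.split()
    return datetime.fromisoformat(ts), kind, src, dst, method, path

def find_tunnel_chains(lines, window=WINDOW, min_hits=MIN_HITS):
    """Return {(web_server, inbound_path, next_hop, outbound_path): count} for
    inbound POSTs that are repeatedly followed, within `window`, by the same
    server making its own HTTP request to another internal host."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    inbound = [e for e in events if e[1] == "IN" and e[4] == "POST"]
    outbound = [e for e in events if e[1] == "OUT"]
    hits = Counter()
    for ts, _, _client, server, _, path in inbound:
        for ots, _, src, dst, _, opath in outbound:
            # The relay hop must originate from the server that just took the POST
            if src == server and ts <= ots <= ts + window:
                hits[(server, path, dst, opath)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for chain, n in find_tunnel_chains(SAMPLE_LOG).items():
        print(f"possible web shell relay ({n} hits): {chain[0]}{chain[1]} -> {chain[2]}{chain[3]}")
```

Running the same function again with the reported next hop treated as the web server extends the detection one link further down a multi-host chain.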
The Future of Cyber Threat Detection
Since the end of its investigation, Sygnia has already detected Weaver Ant attempting to regain access to the telecom company’s network. This highlights the ongoing threat landscape and the need for continuous monitoring and detection.
"The ability of Weaver Ant to leverage never-seen-before web shells to evade detection speaks to [the group’s] sophistication and stealthiness," said Biderman. "This serves as a reminder that cybersecurity is an ongoing battle, and it requires constant vigilance and innovation to stay ahead of the threat actors."
Conclusion
The discovery of Weaver Ant highlights the complex web of tactics and techniques used by cyber threat actors. Its sophistication and stealthiness demonstrate the need for continuous monitoring and detection to stay ahead of these malicious actors.