U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Chinese APT Weaver Ant infiltrated a telco in Asia for over four years

China-linked APT Weaver Ant infiltrated the network of a telecommunications services provider for over four years.  The China-linked threat actor Weaver Ant infiltrated the network of a telecom provider in Asia for over four years. During a forensic investigation, Sygnia researchers observed multiple alerts that revealed a re-enabled threat actor account by a service account […]

Weaver Ant

China-linked APT Weaver Ant infiltrated the network of a telecommunications services provider for over four years. 

The China-linked threat actor Weaver Ant infiltrated the network of a telecom provider in Asia for over four years.

During a forensic investigation, Sygnia researchers observed multiple alerts that revealed a re-enabled threat actor account by a service account from an unidentified server. Further analysis uncovered a China Chopper web shell on an internal server, compromised for years. This led to the discovery of Weaver Ant’s activity, a China-linked group using web shells for persistence, remote code execution, and lateral movement through tunneling.

The experts detected multiple web shells, including a previously unknown one dubbed “INMemory”. The China Chopper web shell, originally developed by Chinese threat actors, enables remote access and control over compromised web servers, facilitating persistent access, command execution, and data exfiltration.

The encrypted China Chopper variant, frequently used by the attackers, employed AES encryption to evade detection by Web Application Firewalls (WAFs). It was deployed on externally facing servers using ASPX and PHP, serving as an entry point for network infiltration. This encryption allowed the attackers to bypass automated detection mechanisms, making forensic analysis challenging.

Two key evasion techniques hindered the investigation. First, attackers used specific keywords, such as “password” and “key,” in the payload, which WAFs typically redact in logs, obscuring the malicious content. Second, the transmitted payload often exceeded the character limits of logging mechanisms, resulting in truncated data that made full forensic reconstruction difficult. These strategies ensured stealthy, persistent access to compromised systems.

The INMemory web shell allows attackers to execute malicious modules in memory, avoiding disk-based detection. It decodes a hardcoded GZipped Base64 string into a PE file, ‘eval.dll,’ and executes it dynamically. The web shell obfuscates code using Base64-encoded strings and validates HTTP request headers via SHA256 hash comparison. If a match is found, it encodes the payload in Base64 and UTF-8 before executing it using ‘JScriptEvaluate,’ leveraging the JScript library for dynamic execution. This technique enhances stealth by preventing forensic analysis and signature-based detection, allowing attackers to persist undetected in compromised environments.

One notable tool was a recursive HTTP tunnel, enabling web shell tunneling for lateral movement. This method leveraged compromised web servers as proxies to relay HTTP/S traffic, accessing internal resources without deploying additional tools. By dynamically constructing and executing cURL commands, the tunneling mechanism allowed the attacker to navigate segmented networks stealthily. Since communication occurred over expected web traffic, it blended in with legitimate activity, making detection difficult while facilitating command and control across compromised environments.

Weaver Ant deployed multiple payloads to evade detection, maintain persistence, and expand access within compromised networks. They patched the Event Tracing for Windows (ETW) to suppress event logs and bypassed the Antimalware Scan Interface (AMSI) by modifying ‘amsi.dll’, allowing malicious PowerShell execution. They also ran PowerShell commands via ‘System.Management.Automation.dll’ without using PowerShell.exe, avoiding detection. For lateral movement, they leveraged SMB with NTLM hashes, deploying additional web shells and extracting credentials from IIS configuration files.

Weaver Ant

“As part of its reconnaissance efforts, Weaver Ant executed various ‘Invoke-SharpView’ commands against multiple Domain Controllers within the same Active Directory (AD) Forest. These commands included: ‘Get-DomainUserEvent’, ‘Get-DomainSubnet’, ‘Get-DomainUser’, ‘Get-NetSession’ etc.” reads the report published by Sygnia. “The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank. “

The researchers believe Weaver Ant is a nation-state actor specializing in long-term network access for cyber espionage. The group focuses on network intelligence, credential harvesting, and persistent access to telecom infrastructure, its operations align with state-sponsored espionage objectives.

Sygnia attributes its activities to China based on the use of Zyxel routers operated by Southeast Asian telecommunication providers, backdoors linked to Chinese groups, and operations during GMT +8 business hours.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)