Researchers from Sygnia have responded to a stealthy and persistent China-linked threat actor targeting a major telecommunications company in Asia. The Sygnia data highlights Weaver Ant, a China-based group infiltrating the telecom provider using web shells and tunneling to maintain access and conduct cyber espionage. The investigation revealed that a variant of the China Chopper web shell had compromised an internal server for several years. Remediation of the initial threat actor inadvertently disrupted the operations of a second China-linked group, which Sygnia tracks as Weaver Ant.
“Based on our analysis, we assess that the group behind this intrusion—tracked by Sygnia as Weaver Ant—aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information,” Sygnia researchers wrote in a Monday blog post. “This incident highlights the importance of establishing resilient defense strategies to protect against sophisticated threats – particularly those posed by state-sponsored groups.”
They added that a holistic approach to mitigating these threats combines continuous monitoring with proactive response mechanisms – including periodic and systematic threat hunts – alongside stringent traffic controls and system hardening practices for both legacy and public-facing devices. “By embracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent threat presented by state-sponsored groups.”
Weaver Ant is a threat actor exhibiting characteristics typical of a China-nexus targeted threat group: a focus on specific industries and geographic locations that align with China’s cyber strategy, well-defined objectives guiding its operations, and a heavy reliance on China Chopper web shell variants. Weaver Ant carried out malicious activities primarily within the GMT+8 time zone, operating on regular working days while avoiding weekends and holidays.
Furthermore, Weaver Ant utilized a non-provisioned ORB (operational relay box) network to proxy traffic and conceal its infrastructure. This network primarily consists of compromised Zyxel CPE routers (mostly running firmware version VMG3625-T20A) operated by Southeast Asian telecommunication providers. By using the ORB network, the threat actor leveraged a compromised device at one telecom to pivot and target a device at another telecom.
Sygnia noted that the group also leveraged various techniques to load trojanized DLLs to infect systems, and employed a backdoor previously attributed to Chinese APT groups by Cybereason and Trend Micro.
During the final phase of a forensic investigation, multiple alerts were triggered by suspicious activity. Specifically, an account previously used by the threat actor had been disabled as part of remediation efforts but was subsequently re-enabled by a service account. Notably, the activity originated from a server that had not previously been identified as compromised.
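The re-enable pattern described above is straightforward to hunt for in the Windows Security log, where event ID 4725 records an account being disabled and 4722 records it being enabled. The script below is an added example written for this article, not Sygnia's tooling; the event records, host names, account names and the `origin` field (assumed to come from a separate logon-session correlation step, since 4722 itself does not carry the originating host) are all constructed.

```python
"""Hunt for accounts disabled during remediation and later re-enabled
by a service account (Windows Security events 4725 -> 4722).

All events, hosts and account names below are constructed samples."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified dict form, not real telemetry.
EVENTS = [
    {"id": 4725, "time": "2025-03-10T09:02:00", "subject": "ir_admin",
     "target": "webapp_ops", "origin": "JUMP01"},
    {"id": 4722, "time": "2025-03-10T21:47:13", "subject": "svc_backup",
     "target": "webapp_ops", "origin": "APP07"},
    {"id": 4722, "time": "2025-03-11T08:15:00", "subject": "ir_admin",
     "target": "contractor_tmp", "origin": "JUMP01"},
    {"id": 4725, "time": "2025-03-11T10:00:00", "subject": "helpdesk1",
     "target": "j.doe", "origin": "JUMP01"},
]

APPROVED_ENABLERS = {"ir_admin", "helpdesk1"}   # accounts allowed to re-enable users (assumed)
SERVICE_ACCOUNT_PREFIXES = ("svc_", "sa_")      # naming convention assumed for this example
KNOWN_COMPROMISED_HOSTS = {"WEB01", "WEB02"}    # hosts already scoped by the investigation


def is_service_account(name):
    """Service accounts should never be the subject of a 4722."""
    return name.lower().startswith(SERVICE_ACCOUNT_PREFIXES)


def find_suspicious_reenables(events, approved=APPROVED_ENABLERS,
                              known_bad=KNOWN_COMPROMISED_HOSTS, window_days=30):
    """Return every 4722 that looks like an attacker undoing remediation."""
    disabled_at = {}          # target account -> time of most recent 4725
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4725:
            disabled_at[ev["target"]] = t
        elif ev["id"] == 4722:
            reasons = []
            if is_service_account(ev["subject"]):
                reasons.append("enabled by a service account")
            if ev["subject"] not in approved:
                reasons.append("enabling account not on the approved list")
            prior = disabled_at.get(ev["target"])
            if prior is not None and t - prior <= timedelta(days=window_days):
                reasons.append(f"re-enabled {t - prior} after being disabled")
            if reasons:
                findings.append({
                    "time": ev["time"], "subject": ev["subject"],
                    "target": ev["target"], "origin": ev["origin"],
                    # a hit from a host outside the known-compromised set widens scope
                    "new_host": ev["origin"] not in known_bad,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_reenables(EVENTS):
        print(f)
```

A finding whose `new_host` flag is set is the case the article describes: the investigation's scope has to be widened to the originating server before any further eradication is attempted.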
The discovery prompted a large-scale forensic investigation, including an extensive hunt for additional web shell variants. Utilizing YARA rules and other enrichment mechanisms, the team identified dozens of similar web shells. The investigation revealed an entire campaign that relies exclusively on web shells for persistent access, enabling remote code execution and lateral movement through an intricate tunneling process.
“The China Chopper web shell is a lightweight malicious tool that enables threat actors to gain remote access and control over compromised web servers,” Sygnia detailed. “Originally developed by Chinese threat actors, it offers functionalities such as file management, command execution, and data exfiltration. Its small size and stealthy nature make China Chopper ideal for maintaining persistent access, facilitating further exploitation, and evading detection by traditional security measures. Additionally, its versatility and ease of use have made it a popular choice for executing a wide range of malicious activities on targeted systems.”
Sygnia noted that the most common web shell utilized by this threat actor was a China Chopper web shell which supports AES encryption of the payload. “Despite its simplicity and straightforward functionality, this web shell is highly effective at bypassing automated payload detection mechanisms at the Web Application Firewall (WAF) level.”
Deployed primarily on externally facing servers, the encrypted China Chopper web shell was implemented in various programming languages, including ASPX and PHP. The compromised servers served as entry points, enabling the threat actor to infiltrate the victim’s network and establish persistent access.
The forensic investigation faced challenges due to two features of the encrypted web shell. First, the threat actor employed keyword-based evasion by using common terms like ‘password’ and ‘key’ as parameter names, which many web application firewalls (WAFs) mask in logs, obscuring the actual payload content. Second, payload truncation occurred because the transmitted payload exceeded the character limit of the WAF, resulting in incomplete logged data and complicating the forensic analysis.
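Both evidence gaps described above leave a detectable trace of their own: a request whose only parameter is a masked `password` or `key` hitting an endpoint that has no business receiving credentials, and a body that hits the WAF's logging cap. The script below is an added example for this article, not Sygnia's tooling; the log format, endpoint names, mask string, logging limit and addresses (RFC 5737 documentation ranges) are constructed, so `parse_waf_line()` would need adapting to a real product's format.

```python
"""Triage WAF log entries for masked sensitive parameters and truncated
payloads, the two forensic blind spots described above.

The line format, limits and sample lines are constructed for this example."""
import re
from urllib.parse import parse_qs

# Constructed WAF log lines (not real telemetry).
SAMPLE_LOG = [
    '2025-03-10T10:01:05Z src=203.0.113.7 method=GET uri=/portal/login.aspx status=200 body_len=0 params=""',
    '2025-03-10T10:01:09Z src=203.0.113.7 method=POST uri=/portal/login.aspx status=302 body_len=64 params="username=jdoe&password=****"',
    '2025-03-10T10:01:44Z src=198.51.100.23 method=POST uri=/img/upload.aspx status=200 body_len=8192 params="key=****" truncated=1',
    '2025-03-10T10:02:10Z src=198.51.100.23 method=POST uri=/img/upload.aspx status=200 body_len=612 params="key=****"',
    '2025-03-10T10:03:00Z src=203.0.113.9 method=GET uri=/api/search.php status=200 body_len=0 params="q=routers"',
    '2025-03-10T10:03:02Z src=203.0.113.9 method=POST uri=/api/search.php status=200 body_len=120 params="q=routers&page=2"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) '
    r'status=(?P<status>\d+) body_len=(?P<body_len>\d+) params="(?P<params>[^"]*)"'
    r'(?: truncated=(?P<truncated>[01]))?$'
)
MASK = "****"                                    # how this hypothetical WAF masks values
SENSITIVE_NAMES = {"password", "pass", "pwd", "key"}
WAF_BODY_LOG_LIMIT = 4096                        # assumed per-request logging cap
CREDENTIAL_ENDPOINTS = {"/portal/login.aspx"}    # where a masked password is expected


def parse_waf_line(line):
    """Parse one constructed-format WAF line into a record dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = m.groupdict()
    rec["body_len"] = int(rec["body_len"])
    rec["truncated"] = rec["truncated"] == "1"
    rec["params"] = parse_qs(rec["params"], keep_blank_values=True)
    return rec


def post_only_endpoints(records):
    """URIs that are only ever POSTed to: typical of a web shell, atypical of a page."""
    methods = {}
    for r in records:
        methods.setdefault(r["uri"], set()).add(r["method"])
    return {uri for uri, ms in methods.items() if ms == {"POST"}}


def analyse(lines):
    """Return findings for POSTs whose logged evidence is masked or truncated."""
    records = [parse_waf_line(line) for line in lines]
    post_only = post_only_endpoints(records)
    findings = []
    for r in records:
        if r["method"] != "POST":
            continue
        masked = [k for k, v in r["params"].items()
                  if k.lower() in SENSITIVE_NAMES and all(x == MASK for x in v)]
        reasons = []
        if masked and r["uri"] not in CREDENTIAL_ENDPOINTS:
            reasons.append(f"masked sensitive parameter {masked} on a non-credential endpoint")
            if len(masked) == len(r["params"]):
                reasons.append("every parameter masked: payload not recoverable from the WAF log")
        if r["truncated"] or r["body_len"] >= WAF_BODY_LOG_LIMIT:
            reasons.append(f"payload truncated (body_len={r['body_len']}, limit={WAF_BODY_LOG_LIMIT})")
        if reasons and r["uri"] in post_only:
            reasons.append("endpoint receives POST requests only")
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"], "uri": r["uri"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The practical consequence of a hit is that the WAF log alone cannot answer what the payload did; the full body has to be recovered from a packet capture or the web server's own request logging, which is the point of the port-mirroring approach described later in the article.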
During the web shell investigation, it was discovered that Weaver Ant was still active within the compromised network. To avoid alerting the threat actor, stealth monitoring was implemented using port mirroring techniques rather than deploying tools directly on compromised machines. This approach automated the decryption of tunneled web shell traffic, allowing for better visibility and the identification of numerous payloads across multiple servers.
Additionally, the threat actor utilized minimalist web shells, like modified versions of China Chopper, primarily as conduits for executing more complex payloads, including a notable recursive HTTP tunnel tool.
Web shell tunneling is a technique that uses multiple web shells as proxy servers to redirect HTTP traffic for lateral movement and command and control within a compromised network. This method allows threat actors like Weaver Ant to operate on internal servers not directly connected to the internet by utilizing publicly accessible servers as gateways.
The primary advantage is that it enables lateral movement without deploying additional tools, as communication occurs over HTTP/S traffic, making it appear legitimate. Successful implementation requires generating HTTP/S traffic from compromised hosts, allowing web shells to redirect command traffic to different locations.
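Because every hop in a web shell tunnel is an HTTP POST sent by a web server's own address to another web server, arriving seconds after a POST into the first server, the chain can be rebuilt from merged access logs. The script below is an added example for this article, not Sygnia's tooling; the server inventory, addresses (RFC 5737 documentation ranges and private space) and log events are constructed, and the five-second hop window is an assumed tuning value.

```python
"""Reconstruct web shell tunnel chains from merged HTTP access logs.

A hop is a POST *from* a web server's IP to another web server that follows,
within a short window, a POST *into* that first server. Walking those links
from an external entry point rebuilds the chain.

Hosts, addresses, window and events below are constructed for this example."""
from datetime import datetime, timedelta

# ip -> hostname for servers that should rarely originate HTTP (constructed)
WEB_SERVERS = {"10.10.1.5": "WEB01", "10.20.1.8": "APP02", "10.30.1.4": "WEB03"}
HOP_WINDOW = timedelta(seconds=5)   # assumed maximum delay between hops

# (timestamp, source ip, destination host, method, path), merged from each
# server's access log. Constructed sample events.
EVENTS = [
    ("2025-03-10T10:01:44", "198.51.100.23", "WEB01", "POST", "/img/upload.aspx"),
    ("2025-03-10T10:01:45", "10.10.1.5",     "APP02", "POST", "/admin/help.aspx"),
    ("2025-03-10T10:01:46", "10.20.1.8",     "WEB03", "POST", "/reports/export.php"),
    ("2025-03-10T10:02:00", "10.0.0.9",      "APP02", "GET",  "/health"),
    ("2025-03-10T10:05:12", "203.0.113.7",   "WEB01", "GET",  "/portal/login.aspx"),
    ("2025-03-10T10:30:00", "10.10.1.5",     "APP02", "POST", "/admin/help.aspx"),
]


def _parsed(events):
    """Convert timestamps and sort chronologically."""
    return sorted(((datetime.fromisoformat(ts), src, dst, m, p)
                   for ts, src, dst, m, p in events), key=lambda e: e[0])


def server_originated_posts(events, web_servers=WEB_SERVERS):
    """Every POST whose source is a web server: the raw material of tunneling."""
    return [e for e in _parsed(events) if e[3] == "POST" and e[1] in web_servers]


def find_tunnel_chains(events, web_servers=WEB_SERVERS, window=HOP_WINDOW):
    """Return chains of (host, path, from_ip) hops, longest first per entry."""
    evs = _parsed(events)
    chains = []

    def extend(chain, last_host, last_t, used):
        # next hop: a POST sent by last_host's IP shortly after it was POSTed to
        nxt = [i for i, e in enumerate(evs)
               if i not in used and e[3] == "POST"
               and web_servers.get(e[1]) == last_host
               and last_t <= e[0] <= last_t + window]
        if not nxt:
            chains.append(chain)
            return
        for i in nxt:
            t, src, dst, _, path = evs[i]
            extend(chain + [(dst, path, src)], dst, t, used | {i})

    for i, (t, src, dst, method, path) in enumerate(evs):
        if method == "POST" and src not in web_servers:   # external entry point
            extend([(dst, path, src)], dst, t, {i})
    return [c for c in chains if len(c) >= 2]


if __name__ == "__main__":
    for chain in find_tunnel_chains(EVENTS):
        print(" -> ".join(f"{host}{path} (from {ip})" for host, path, ip in chain))
```

The isolated POST from WEB01 at 10:30 is not chained because nothing preceded it, but `server_originated_posts()` still surfaces it; on a well-segmented network any web server originating POSTs to another web server deserves a look, which is also why the article's mitigations call for ACLs on HTTP/S traffic between web servers and internal systems.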
Weaver Ant demonstrated exceptional persistence, maintaining activity within the compromised network for over four years, despite multiple eradication attempts. Throughout this period, Weaver Ant adapted their TTPs to the evolving network environment, employing innovative methods to regain access and sustain their foothold.
“The modus operandi of Chinese-nexus intrusion sets typically involves the sharing of tools, infrastructure, and occasionally manpower—such as through shared contractors,” the post noted. “This collaborative approach complicates Sygnia’s efforts to attribute attacks to any previously identified group. Additionally, the high visibility within the network hinders Sygnia from confidently ruling out the possibility of a ‘false-flag’ operation orchestrated by a different APT group.”
After mapping and investigating Weaver Ant web shells, a coordinated effort was made to eradicate them from compromised hosts. Enhanced monitoring was implemented, assuming Weaver Ant’s persistence and espionage focus. This assumption was crucial for countering the threat. Monitoring successfully detected their attempts to regain network access. Sygnia continues to track their activities and will publish a blog post detailing their updated methods and tools, noting their continued preference for web shells.
The Sygnia data comes at a time when industrial cybersecurity firm Dragos released this month a case study on how the Littleton Electric Light and Water Departments (LELWD) detected and responded to a sophisticated cyber adversary during the VOLTZITE cyberattack. The study details LELWD’s real-world response, addressing operational technology security challenges faced by small utilities, including visibility gaps and IT-OT security risks. The case also highlights the concerning fact that Chinese Volt Typhoon hackers remained undetected for over 300 days, underscoring risks to critical infrastructure networks.
To bolster cybersecurity measures, the Sygnia post said that it is crucial to minimize privileges by restricting web-service accounts to only the essential permissions required for their operation. Controlling management traffic is equally important, which can be achieved by employing ACLs and firewall rules to limit the flow of management traffic between web servers and internal systems, with particular attention to SMB and HTTP/S protocols.
Additionally, it added that enforcing credential hygiene is another vital step, which involves implementing solutions like LAPS, gMSA, or a PIM to ensure regular rotation of credentials. Enhancing detection capabilities is essential, and deploying EDR/XDR solutions can help monitor memory for any malicious activity, including obfuscated in-memory web shells. It also suggests strengthening web security by fine-tuning WAF and logging systems to detect obfuscated code signatures and behavioral patterns associated with threats like China Chopper and INMemory web shells.