Weaver Ant, a China-linked cyber espionage group, targeted a major Asian telecommunications provider for more than four years and proved resilient to multiple eradication attempts, according to researchers at cyber technology and services company Sygnia, who published their technical report today.

Sygnia says its attribution is based on the use of Zyxel router models that are popular within specific geographic regions, the use of backdoors previously linked to Chinese threat groups, and the fact that Weaver Ant operated during GMT+8 business hours.

Weaver Ant intrusions leveraged an operational relay box (ORB) network made primarily of Zyxel CPE routers to proxy traffic and conceal the attacker's infrastructure.

The threat actor established a foothold on the network using an AES-encrypted variant of the China Chopper web shell, which allowed remote control of servers while bypassing firewall restrictions. Researchers investigating the intrusion found multiple variants of the China Chopper backdoor as well as a previously undocumented custom web shell called 'INMemory', which executes payloads in the host's memory.

"Web shell tunneling is a method that leverages multiple web shells as 'proxy servers' to redirect inbound HTTP traffic to another web shell on a different host for payload execution," Sygnia explains in the technical report.

This technique routes traffic from one server to the next across distinct network segments, essentially creating a covert command-and-control (C2) network inside the victim's infrastructure. Each shell acts as a proxy, passing nested and encrypted payloads to others for staged execution deeper inside the network.

Because of this, Weaver Ant could "operate on servers within different network segments." These were mainly internal servers with no internet connection, reached through internet-facing servers that acted as operational gateways.

The data collected over more than four years of access to the victim's network includes configuration files, access logs, and credential data, which the attackers used to map out the environment and target valuable systems. The threat actor appears to be more focused on network intelligence, credential harvesting, and continuous access to telecom infrastructure than on stealing user data or financial records, which is consistent with state-sponsored espionage goals.

The data exfiltration methods were also selected to raise as little alarm as possible, including passive network traffic capture via port mirroring.

To keep a smaller footprint and remain undetected for longer, the attackers also disabled host logging and scanning mechanisms through ETW (Event Tracing for Windows) patching and AMSI bypasses (overwriting the 'AmsiScanBuffer' function in the 'amsi.dll' module).

Weaver Ant proves to be a skilled state-sponsored actor capable of maintaining long-term access to a victim network for cyber espionage operations. To defend against this advanced threat, Sygnia recommends applying internal network traffic controls, enabling full IIS and PowerShell logging, applying least-privilege principles, and rotating user credentials frequently.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
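The web shell tunneling described above leaves a distinctive trace in the IIS logs Sygnia recommends enabling: server-to-server HTTP, where the client address of a POST to a script file is itself one of your own web servers, with no Referer and a request body (the nested, encrypted payload) far larger than the response. The following hunt script is an added example, not code from the article or from Sygnia; the IIS W3C log lines, server inventory, addresses and paths are constructed for illustration, and the byte-size thresholds are assumptions to tune per environment.

```python
"""Hunt for web-shell tunneling hops in IIS W3C extended logs (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")

# Constructed inventory (assumption): addresses of hosts that themselves run IIS.
# Browsers come from workstations or the internet, never from these addresses.
INTERNAL_WEB_SERVERS = {"10.20.1.12", "10.20.1.15", "10.30.5.8"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed W3C extended log; the #Fields header is the layout IIS writes.
# Lines 3-5 model two tunnel hops (10.20.1.12 -> 10.20.1.15 -> 10.30.5.8).
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-bytes cs-bytes time-taken
2025-03-10 02:14:07 10.20.1.15 GET /default.aspx - 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.test/ 200 5120 310 12
2025-03-10 02:14:09 10.20.1.15 POST /portal/login.aspx - 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.test/default.aspx 302 180 640 30
2025-03-10 02:15:51 10.20.1.15 POST /aspnet_client/system_web/help.aspx - 443 - 10.20.1.12 Mozilla/5.0+(Windows+NT+10.0) - 200 210 9216 410
2025-03-10 02:15:52 10.20.1.15 POST /aspnet_client/system_web/help.aspx - 443 - 10.20.1.12 Mozilla/5.0+(Windows+NT+10.0) - 200 198 7168 388
2025-03-10 02:16:03 10.30.5.8 POST /api/status.ashx - 443 - 10.20.1.15 Mozilla/5.0+(Windows+NT+10.0) - 200 174 12288 905
2025-03-10 02:17:20 10.20.1.15 POST /api/health.aspx - 443 - 10.40.2.21 monitor/1.0 - 200 64 0 3
2025-03-10 02:18:00 10.20.1.15 GET /images/logo.png - 443 - 10.50.9.77 Mozilla/5.0+(Windows+NT+10.0) https://portal.example.test/ 200 8800 280 2
"""


def parse_iis(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_tunneling(records, web_servers=INTERNAL_WEB_SERVERS, nets=INTERNAL_NETS,
                   min_body=1024, body_ratio=4):
    """Return one finding per (victim server, uri, source) that looks like a tunnel hop.

    All conditions must hold: POST to a script file; client is an internal address
    that is itself a web server; no Referer (a tunneling shell sends none); request
    body >= min_body bytes and >= body_ratio times the response (payload in, short
    status out). Thresholds are assumptions to tune on real traffic.
    """
    hits = defaultdict(int)
    for r in records:
        uri, src = r["cs-uri-stem"].lower(), r["c-ip"]
        try:
            ip = ip_address(src)
        except ValueError:
            continue
        if r["cs-method"] != "POST" or not uri.endswith(SCRIPT_EXTS):
            continue
        if not any(ip in n for n in nets) or src not in web_servers:
            continue
        if r["cs(Referer)"] != "-":
            continue
        req, resp = int(r["cs-bytes"]), int(r["sc-bytes"])
        if req < min_body or req < body_ratio * max(resp, 1):
            continue
        hits[(r["s-ip"], uri, src)] += 1
    return [{"server": s, "uri": u, "source": c, "count": n}
            for (s, u, c), n in sorted(hits.items())]


def tunnel_chains(findings):
    """Link hops whose victim is the source of another hop to recover the path
    (entry server -> next segment -> ...). Cycles are cut with a seen-set."""
    by_source = defaultdict(list)
    for f in findings:
        by_source[f["source"]].append(f)
    victims = {f["server"] for f in findings}
    chains = []
    for f in findings:
        if f["source"] in victims:
            continue  # not an entry point; it will appear inside another chain
        chain, seen = [f["source"], f["server"]], {f["source"], f["server"]}
        nxt = by_source.get(f["server"])
        while nxt and nxt[0]["server"] not in seen:
            chain.append(nxt[0]["server"])
            seen.add(nxt[0]["server"])
            nxt = by_source.get(nxt[0]["server"])
        chains.append(chain)
    return chains


if __name__ == "__main__":
    found = find_tunneling(parse_iis(IIS_LOG))
    for f in found:
        print(f"{f['source']} -> {f['server']}{f['uri']} ({f['count']} POSTs)")
    print("chains:", tunnel_chains(found))
```

Two caveats. The rule only sees the internal hops: the first hop into the gateway server arrives from the internet (in the reported case via the Zyxel ORB network) and looks like any other inbound POST, so it needs other indicators, such as a script path that is only ever POSTed to and never fetched with GET, or a body-to-response ratio far outside the norm for that path. And because the shells run in memory and encrypt their payloads, nothing in the log body is inspectable; the detection rests on the shape of the traffic, which is exactly why the report's advice to enable full IIS logging and to restrict east-west HTTP between servers matters.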
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 24 Mar 2025 17:55:06 +0000