Cyber response firm Sygnia warns of a newly identified China-linked APT that relies on web shells for persistent access to telecommunications providers, for cyberespionage purposes.
Tracked as Weaver Ant, the threat actor was uncovered during the investigation into the hacking of a telecom provider in Asia, after a compromised account that had been disabled during remediation was re-enabled from an internal server.
The server had been compromised for years, and was infected with a China Chopper web shell, providing the threat actor with remote access and control over the system. Despite eradication efforts, Weaver Ant maintained access to the server for four years, adapting its techniques to changes in the environment.
Sygnia’s investigation led to the discovery of multiple web shells (PDF), including a China Chopper variant that supports AES encryption of the payload, capable of bypassing automated detection mechanisms, and a previously unseen web shell dubbed INMemory, which supports the in-memory execution of payloads.
“Deployed primarily on externally facing servers, the encrypted China Chopper web shell was implemented in various programming languages, including ASPX and PHP. The compromised servers served as entry points, enabling the threat actor to infiltrate the victim’s network and establish persistent access,” Sygnia explains.
The analyzed China Chopper variant features keyword-based evasion, where keywords used as parameters names in the payload field resulted in firewalls automatically redacting the values in logs, and payload truncation, where the size of the payload was larger than the character limit supported by the firewall.
INMemory was observed decoding a hardcoded string into a portable executable and executing it entirely in memory, for detection evasion. It also uses Base64-encoded strings to obfuscate code and further evade detection.
After determining that Weaver Ant was still operating within the compromised network, Sygnia implemented stealth monitoring consisting of port mirroring and the automated decryption of tunneled web shell traffic, uncovering multiple payloads and persistence mechanisms on tens of servers.
“The threat actor deployed minimalist web shells on compromised machines – often consisting of just a single line of code, such as a modified version of China Chopper – the web shells served merely as conduits for executing more sophisticated payloads to achieve the actual objectives,” Sygnia explains.
Weaver Ant was also seen deploying a recursive HTTP tunnel tool that operated as a ‘second stage’ web shell, enabling access to internal resources, forwarding requests to other web shells, and constructing and executing cURL commands.
Using web shells as proxy servers “enabled Weaver Ant to operate on servers within different network segments – typically internal servers not directly connected to the internet- by leveraging existing publicly accessible servers as operational gateways,” Sygnia says.
The cybersecurity firm also discovered that payloads were “encapsulated in multiple layers of encryption and obfuscation”, being passed from a web shell to another, which used hardcoded keys to peel off the layers one-by-one.
The threat actor was also observed patching event tracing processes to suppress critical logs, and overwrote the AmsiScanBuffer function to render Antimalware Scan Interface integrations ineffective and ensure malicious PowerShell commands could be executed.
Weaver Ant leveraged a Windows module to execute PowerShell commands without launching the PowerShell process, and perform reconnaissance, lateral movement, and data exfiltration preparations. It also used the Invoke-SMBClient PowerShell module to interact with SMB shares, for lateral movement.
“Invoke-SMBClient was executed using valid credentials, leveraging high-privileged local or domain accounts with passwords that had not been rotated for years. Instead of clear-text passwords, the threat actor used NTLM hashes to invoke the tool,” Sygnia says.
The cybersecurity firm attributes the activity to a Chinese APT, based on tooling, techniques, and the attack times, noting that Chinese threat actors typically share tools among them, and that a different APT group may have planted false flags to prevent attribution.
Related: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Related: How China Pinned University Cyberattacks on NSA Hackers
Related: FCC Taking Action in Response to China’s Telecoms Hacking
Related: T-Mobile Shares More Information on China-Linked Cyberattack
