A newly identified China-nexus hacking group infiltrated the network of an Asian telecommunications service provider and remained undetected for more than four years, according to cyber threat detection and response provider Sygnia.
Sygnia believes that Weaver Ant could be part of a Chinese nexus tasked with infiltrating and collecting information from critical infrastructure for cyber espionage purposes alongside other groups, including Velvet Ant and Salt Typhoon (aka Ghost Emperor).
How Sygnia Discovered Weaver Ant
The Sygnia team discovered Weaver Ant during an investigation into a separate threat actor.
“Specifically, an account previously used by the threat actor was disabled as part of remediation efforts but was subsequently re-enabled by a service account. Notably, the activity originated from a server that had not been previously identified as compromised,” Sygnia noted in its report.
Further investigation uncovered a variant of the China Chopper web shell deployed on an internal server, which had been compromised for several years.
It appeared that the remediation of the first threat actor inadvertently disrupted the operations of another threat group, which Sygnia named Weaver Ant.
A range of indicators led Sygnia to attribute this threat actor to China, including its reliance on China Chopper web shell variants, its use of operational relay box (ORB) networks and its activity times, which match working hours in the GMT+8 time zone.
Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, commented: “Weaver Ant maintained activity within the compromised network for over four years despite repeated attempts to eliminate them from compromised systems. The threat actor adapted their techniques, tactics and procedures (TTPs) to the evolving network environment, enabling continuous access to compromised systems and the collection of sensitive information.”
Uncovering Weaver Ant’s TTPs
To infiltrate the Asia-based telecom company and gain access to sensitive data, Weaver Ant compromised Zyxel Customer Premises Equipment (CPE) home routers, using them as an entry point into the victim’s network.
The group also relies on two web shells, together with web shell tunneling, as its primary tools for maintaining persistence and enabling lateral movement throughout its operations.
The first of the two, an encrypted China Chopper variant, allowed the group to gain remote access to and control of web servers. Notably, variants of the China Chopper web shell support AES encryption of the payload, making it highly effective at evading detection at the web application firewall (WAF) level.
The second web shell used by Weaver Ant had no publicly available references to any known web shells. Sygnia researchers named it the ‘INMemory’ web shell.
INMemory leverages just-in-time (JIT) compilation and execution of code at runtime to dynamically execute malicious payloads without having to write them onto the disk.
Biderman believes that Weaver Ant’s “ability to leverage never-seen-before web shells to evade detection speaks to [the group’s] sophistication and stealthiness.”
While web shells are commonly used for persistence or code execution on a compromised host, they can also be utilized for lateral movement and command and control (C2) – a technique Sygnia refers to as web shell tunneling.
This method facilitates lateral movement within a compromised environment without the need to deploy additional tools on the compromised hosts.
Weaver Ant utilized web shell tunneling by leveraging multiple web shells as "proxy servers" to redirect inbound HTTP traffic to another web shell on a different host for payload execution.
This enabled the group to operate on servers within different network segments—typically internal servers not directly connected to the internet—by leveraging existing publicly accessible servers as operational gateways.
This method has been observed before, having been employed by various threat actors, including Elephant Beetle.

Weaver Ant's Persistence Complicated Monitoring
During the investigation, it became clear to Sygnia researchers that Weaver Ant was still operating within the compromised network.
This meant researchers had to avoid being noticed by the threat actor, which would have compromised the ongoing investigation and perhaps prompted the threat actor to alter or halt its operations temporarily.
Therefore, monitoring was not performed on the compromised machines themselves, since deploying a monitoring tool there might have alerted the threat actor.
“Instead, we established a combination of port mirroring techniques and designed an architecture to automate the decryption and de-encapsulation of the tunneled web shell traffic,” the Sygnia researchers explained.
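The hop-to-hop pattern that web shell tunneling leaves in network traffic, and the idea of watching it from a mirror port rather than from the hosts, can be illustrated with a small detector. The following Python script is an added example written for this page; it is not Sygnia's code and does not reproduce the monitoring architecture described in the report. It assumes a constructed record format emitted by a mirror-port collector (one line per HTTP request with source, destination, method and path), an asset list of hosts that run web servers, and an allowlist of known-good server-to-server calls; all host addresses, paths and the two-second window are constructed values.

```python
"""Reconstruct multi-hop HTTP request chains from port-mirrored traffic summaries.

Added example, not Sygnia's code. Assumptions: a mirror-port collector emits
one constructed 'timestamp src= dst= method= path=' record per HTTP request,
and the defender knows which hosts run web servers and which server-to-server
calls are legitimate application traffic.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Assumed asset inventory: hosts running a web server.
WEB_SERVERS: Set[str] = {"10.0.1.10", "10.0.2.20", "10.0.3.30"}
# Assumed allowlist of known-good back-end calls (destination host, path).
KNOWN_BACKEND_CALLS: Set[Tuple[str, str]] = {("10.0.2.20", "/api/products")}
# Maximum delay between a request arriving at a server and that server
# issuing the relayed request (assumption; tune to the environment).
WINDOW = timedelta(seconds=2)

# Constructed sample records: a three-hop relay followed by a normal
# front-end to back-end API call.
SAMPLE_LOG = [
    "2025-01-15T09:00:00 src=203.0.113.5 dst=10.0.1.10 method=POST path=/portal/help.aspx",
    "2025-01-15T09:00:00 src=10.0.1.10 dst=10.0.2.20 method=POST path=/legacy/status.aspx",
    "2025-01-15T09:00:01 src=10.0.2.20 dst=10.0.3.30 method=POST path=/internal/report.aspx",
    "2025-01-15T09:00:05 src=198.51.100.7 dst=10.0.1.10 method=GET path=/portal/index.aspx",
    "2025-01-15T09:00:05 src=10.0.1.10 dst=10.0.2.20 method=GET path=/api/products",
]


@dataclass(frozen=True)
class Request:
    ts: datetime
    src: str
    dst: str
    method: str
    path: str


def parse_line(line: str) -> Request:
    """Parse one constructed record into a Request."""
    ts_text, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return Request(ts, fields["src"], fields["dst"], fields["method"], fields["path"])


def build_chains(requests: List[Request]) -> List[List[Request]]:
    """Follow hop-to-hop requests: a server that receives a request and then
    issues one of its own within WINDOW is treated as the next hop."""
    reqs = sorted(requests, key=lambda r: r.ts)
    chains: List[List[Request]] = []
    for start in reqs:
        if start.src in WEB_SERVERS:
            continue  # chains begin at an ordinary client, not at a server
        chain = [start]
        while True:
            last = chain[-1]
            nxt = next((r for r in reqs
                        if r.src == last.dst and r.dst in WEB_SERVERS
                        and last.ts <= r.ts <= last.ts + WINDOW
                        and r not in chain), None)
            if nxt is None:
                break
            chain.append(nxt)
        if len(chain) >= 2:
            chains.append(chain)
    return chains


def is_suspicious(chain: List[Request]) -> bool:
    """A relay is suspicious when any inner hop is not a known back-end call."""
    return any((r.dst, r.path) not in KNOWN_BACKEND_CALLS for r in chain[1:])


def describe(chain: List[Request]) -> str:
    """Render a chain as client -> host:path -> host:path ..."""
    return " -> ".join([chain[0].src] + [f"{r.dst}:{r.path}" for r in chain])


def analyze(lines: List[str]) -> List[str]:
    """Return descriptions of suspicious relay chains found in the records."""
    chains = build_chains([parse_line(line) for line in lines])
    return [describe(c) for c in chains if is_suspicious(c)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("possible web shell tunnel:", finding)
```

Running the script reports the three-hop chain from the external client through the internet-facing server to two internal servers, while the ordinary front-end call to the allowlisted API endpoint is left alone. Legitimate applications also make server-to-server calls, so the allowlist (or a baseline learned from historical traffic) is what separates expected back-end traffic from a relay; and because the correlation only needs timestamps, addresses and paths from mirrored traffic, it can run without deploying anything on the suspected hosts, which is the constraint the investigators describe. Where the tunneled payloads are encrypted, this path-level correlation is what remains available before any decryption step.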
Since the end of its investigation, Sygnia has already detected Weaver Ant attempting to regain access to the telecom company’s network.
The threat detection and response company provided a more in-depth analysis of the findings in a detailed technical annex that accompanied its report.