Pierluigi Paganini
March 24, 2025
The China-linked threat actor Weaver Ant infiltrated the network of a telecom provider in Asia for over four years.
During a forensic investigation, Sygnia researchers observed multiple alerts that revealed a re-enabled threat actor account by a service account from an unidentified server. Further analysis uncovered a China Chopper web shell on an internal server, compromised for years. This led to the discovery of Weaver Ant’s activity, a China-linked group using web shells for persistence, remote code execution, and lateral movement through tunneling.
The experts detected multiple web shells, including a previously unknown one dubbed “INMemory”. The China Chopper web shell, originally developed by Chinese threat actors, enables remote access and control over compromised web servers, facilitating persistent access, command execution, and data exfiltration.
The encrypted China Chopper variant, frequently used by the attackers, employed AES encryption to evade detection by Web Application Firewalls (WAFs). It was deployed on externally facing servers using ASPX and PHP, serving as an entry point for network infiltration. This encryption allowed the attackers to bypass automated detection mechanisms, making forensic analysis challenging.
Two key evasion techniques hindered the investigation. First, attackers used specific keywords, such as “password” and “key,” in the payload, which WAFs typically redact in logs, obscuring the malicious content. Second, the transmitted payload often exceeded the character limits of logging mechanisms, resulting in truncated data that made full forensic reconstruction difficult. These strategies ensured stealthy, persistent access to compromised systems.
The INMemory web shell allows attackers to execute malicious modules in memory, avoiding disk-based detection. It decodes a hardcoded GZipped Base64 string into a PE file, ‘eval.dll,’ and executes it dynamically. The web shell obfuscates code using Base64-encoded strings and validates HTTP request headers via SHA256 hash comparison. If a match is found, it encodes the payload in Base64 and UTF-8 before executing it using ‘JScriptEvaluate,’ leveraging the JScript library for dynamic execution. This technique enhances stealth by preventing forensic analysis and signature-based detection, allowing attackers to persist undetected in compromised environments.
One notable tool was a recursive HTTP tunnel, enabling web shell tunneling for lateral movement. This method leveraged compromised web servers as proxies to relay HTTP/S traffic, accessing internal resources without deploying additional tools. By dynamically constructing and executing cURL commands, the tunneling mechanism allowed the attacker to navigate segmented networks stealthily. Since communication occurred over expected web traffic, it blended in with legitimate activity, making detection difficult while facilitating command and control across compromised environments.
Weaver Ant deployed multiple payloads to evade detection, maintain persistence, and expand access within compromised networks. They patched the Event Tracing for Windows (ETW) to suppress event logs and bypassed the Antimalware Scan Interface (AMSI) by modifying ‘amsi.dll’, allowing malicious PowerShell execution. They also ran PowerShell commands via ‘System.Management.Automation.dll’ without using PowerShell.exe, avoiding detection. For lateral movement, they leveraged SMB with NTLM hashes, deploying additional web shells and extracting credentials from IIS configuration files.
“As part of its reconnaissance efforts, Weaver Ant executed various ‘Invoke-SharpView’ commands against multiple Domain Controllers within the same Active Directory (AD) Forest. These commands included: ‘Get-DomainUserEvent’, ‘Get-DomainSubnet’, ‘Get-DomainUser’, ‘Get-NetSession’ etc.” reads the report published by Sygnia. “The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank. “
The researchers believe Weaver Ant is a nation-state actor specializing in long-term network access for cyber espionage. The group focuses on network intelligence, credential harvesting, and persistent access to telecom infrastructure, its operations align with state-sponsored espionage objectives.
Sygnia attributes its activities to China based on the use of Zyxel routers operated by Southeast Asian telecommunication providers, backdoors linked to Chinese groups, and operations during GMT +8 business hours.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
