China-linked cybercriminals backdoor telecom provider in an espionage operation
A China-linked threat actor has secretly had access to a major telecom provider in Asia for years without leaving a trace.

Weaver Ant, a China-linked threat actor, has been uncovered conducting a sophisticated campaign to steal data from a major telecom provider in Asia.

The large-scale forensic investigation conducted by Sygnia, a cybersecurity firm, reveals that the attackers aimed to maintain continuous access to sensitive data for espionage purposes. The report does not name the affected company.

The security team has uncovered that web shells – malicious scripts embedded in compromised web servers – were deployed on an internal server, sustaining the threat actor’s foothold within the compromised network for over four years.

Weaver Ant’s modus operandi

The findings showed that the entire campaign relied exclusively on web shells for persistent access to the victim’s systems. The threat actor deployed minimalist web shells on compromised machines, often consisting of just a single line of code.

The two primary web shells used in the operation were encrypted China Chopper and a web shell with no publicly available references, which Sygnia named “INMemory.”

The INMemory web shell is dangerous because it executes malicious payloads entirely in memory, leaving no trace on disk. It worked in tandem with a version of the China Chopper web shell, a lightweight but powerful tool originally developed by Chinese threat actors.

This shell offers functionalities such as file management, command execution, and data exfiltration while being highly effective at bypassing automated payload detection mechanisms. The threat actor strategically used generic keywords like “password” and “key” as parameter names to disguise malicious payloads.

The use of web shells enabled both remote code execution and lateral movement through so-called web shell tunneling, a technique that used compromised web servers as proxy nodes to move laterally within the network.

This allowed the attackers to bypass perimeter defenses by routing commands through multiple web shells and executing commands across multiple servers.
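The two behaviours described above, a web server issuing POST requests to another web server's script page (tunneling) and repeated referer-less POSTs to a single page (a web shell being driven by a tool rather than a browser), can both be hunted in ordinary access logs. The following is an added example for defenders, not code from the Sygnia report; the IIS W3C field layout, the internal web-tier addresses and the log lines themselves are constructed for illustration.

```python
"""Hunt IIS W3C access logs for web-shell patterns: POSTs to script pages
issued by other web servers (web shell tunneling) and referer-less POST
bursts to one page. Sample log lines are constructed, not real data."""
from collections import Counter

# Assumed internal web-server tier (hypothetical addresses).
WEB_TIER = {"10.0.0.11", "10.0.0.12"}
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
# Assumed W3C field order; adjust to the '#Fields:' directive of real logs.
FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "c_ip", "ua", "referer", "status"]

SAMPLE_LOG = """\
2024-05-01 10:00:01 10.0.0.11 GET /index.aspx - 203.0.113.5 Mozilla/5.0 - 200
2024-05-01 10:00:02 10.0.0.11 POST /upload/error.aspx - 10.0.0.12 python-requests/2.31 - 200
2024-05-01 10:00:03 10.0.0.11 POST /upload/error.aspx - 10.0.0.12 python-requests/2.31 - 200
2024-05-01 10:00:04 10.0.0.11 POST /upload/error.aspx - 10.0.0.12 python-requests/2.31 - 200
2024-05-01 10:00:05 10.0.0.11 POST /login.aspx - 203.0.113.9 Mozilla/5.0 https://example.test/login 302
2024-05-01 10:00:06 10.0.0.11 GET /static/app.js - 203.0.113.9 Mozilla/5.0 https://example.test/ 200
"""

def parse_w3c(text):
    """Parse space-separated W3C lines into dicts; skip '#' directives."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # malformed line: do not guess at field alignment
        records.append(dict(zip(FIELDS, parts)))
    return records

def find_webshell_candidates(records, web_tier=WEB_TIER, burst=3):
    """Return sorted (reason, client_ip, uri) findings for analyst triage."""
    findings = set()
    bursts = Counter()
    for r in records:
        if r["method"] != "POST" or not r["uri"].lower().endswith(SCRIPT_EXT):
            continue
        key = (r["c_ip"], r["uri"])
        # A web server posting to another web server's script page is a tunneling candidate.
        if r["c_ip"] in web_tier:
            findings.add(("server-to-server POST", *key))
        # Browser-driven form posts normally carry a Referer; tool-driven shells often do not.
        if r["referer"] == "-":
            bursts[key] += 1
            if bursts[key] >= burst:
                findings.add(("referer-less POST burst", *key))
    return sorted(findings)
```

Findings are leads for triage, not verdicts: confirm by pulling the flagged page from disk and comparing it with the deployed release, and by checking the posting server for an unexpected outbound process.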

After identifying the malicious web shells, investigators removed them from compromised hosts.

Chinese-linked threat actors are causing trouble

Chinese state-sponsored threat actors have been actively targeting companies with web shells.

The threat actor known as Volt Typhoon or Bronze Silhouette exploited a zero-day vulnerability in software used by many internet service providers and computer network management companies, injecting web shell code and stealing credentials.

Previously, US government agencies identified the Volt Typhoon threat actor as having hijacked and lurked in many American routers for years.

Meanwhile, a Ghost ransomware ring tied to China has been compromising organizations that use outdated software and firmware versions.

Ghost indiscriminately breached schools, hospitals, critical infrastructure, religious institutions, manufacturing companies, and numerous small and medium-sized businesses by injecting web shells that helped to deliver malicious payloads.
