A new cybersecurity report reveals a prolonged cyber espionage campaign by a China-nexus threat actor, dubbed “Weaver Ant,” that maintained persistent access to a major telecommunications provider for over four years.

This operation highlights the sophistication of state-sponsored cyber espionage:

  • Targeting critical telecommunications infrastructure
  • Demonstrating advanced persistent threat (APT) capabilities
  • Exploiting multiple technical vulnerabilities across network environments

Operational Characteristics

Time Zone: GMT +8
Work Pattern: Active during standard working hours; avoided holidays
Persistence: Maintained access for over four years
Adaptability: Quickly responded to eradication attempts

Attack Chain Breakdown

Attack Chain of Weaver Ant (Source: Sygnia)

Initial Infiltration

The hackers’ primary weapon was a series of sophisticated “web shells” – small pieces of malicious code hidden on web servers that allow remote access and control. These weren’t just ordinary hacking tools. The group used two particularly innovative variants: an encrypted version of a well-known hacking tool called China Chopper and a custom “in-memory” web shell that could execute malicious code without leaving any trace on the computer’s hard drive.

Evasion and Persistence Mechanism

  • Keyword-based evasion techniques
  • Payload truncation to bypass security filters
  • Encryption to hide malicious content
  • Minimal, single-line code designs

Lateral Movement Techniques

  • Used compromised servers as proxy servers
  • Redirected traffic between different network segments
  • Enabled access to internal servers not directly connected to the internet
  • Forwarded requests between web servers
  • Supported both ASPX and PHP versions
  • Dynamically constructed and executed cURL commands

Reconnaissance and Information Gathering

The main objective was to identify high-privilege accounts and map critical server infrastructure.

  • Active Directory enumeration, using the following commands:
    • Get-DomainUserEvent
    • Get-DomainSubnet
    • Get-DomainUser
    • Get-NetSession

Credential Harvesting

  • Retrieved web server access logs
  • Extracted configuration files (web.config, applicationHost.config)
  • Collected clear-text credentials

Advanced Execution Techniques

  • PowerShell Without PowerShell
    • Leveraged System.Management.Automation.dll
    • Executed PowerShell commands without using PowerShell.exe
    • Bypassed traditional monitoring tools
  • Lateral Movement Methods
    • Used Invoke-SMBClient for remote interactions
    • Employed NTLM hash authentication
    • Accessed remote SMB shares
    • Deployed additional web shells on internal servers
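The "PowerShell without PowerShell" technique above leaves one reliable artifact: the engine DLL, System.Management.Automation.dll, is loaded into a process that is not powershell.exe. The detection below is an added example, not code from the Sygnia report; it assumes Sysmon-style image-load events (Event ID 7) in JSON lines, a constructed sample log, and an allowlist of expected engine hosts that a defender would tune to their own environment.

```python
import json

# Processes expected to host the PowerShell engine. Assumption: an allowlist
# that a defender tunes to their own estate (known management agents etc.).
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = ("system.management.automation.dll",
               "system.management.automation.ni.dll")
# Web server worker processes: the engine loading here is consistent with a
# web shell driving PowerShell in-process, so such hits are scored higher.
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe"}

# Constructed Sysmon-style events (one JSON object per line); not real
# telemetry. Event ID 7 = image loaded; field names follow Sysmon's schema.
SAMPLE_LOG = r"""
{"EventID": 7, "UtcTime": "2024-05-02 03:10:11", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ProcessId": 4120, "ImageLoaded": "C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 7, "UtcTime": "2024-05-02 03:12:40", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ProcessId": 2764, "ImageLoaded": "C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 7, "UtcTime": "2024-05-02 03:12:41", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ProcessId": 2764, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 1, "UtcTime": "2024-05-02 03:13:02", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ProcessId": 2764, "CommandLine": "w3wp.exe -ap DefaultAppPool"}
{"EventID": 7, "UtcTime": "2024-05-02 03:15:09", "Image": "C:\\Temp\\updater.exe", "ProcessId": 5180, "ImageLoaded": "C:\\Windows\\assembly\\NativeImages\\System.Management.Automation.ni.dll"}
"""


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows (or mixed-separator) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_engine_hosts(log_text: str) -> list[dict]:
    """Return image-load events in which a process outside the allowlist
    loaded the PowerShell engine DLL, scored by the type of host process."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 7:            # only image-load events
            continue
        if image_name(ev.get("ImageLoaded", "")) not in ENGINE_DLLS:
            continue
        host = image_name(ev.get("Image", ""))
        if host in EXPECTED_HOSTS:            # normal PowerShell hosts
            continue
        severity = "high" if host in WEB_WORKERS else "medium"
        hits.append({"time": ev["UtcTime"], "host": host,
                     "pid": ev["ProcessId"], "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in flag_engine_hosts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['severity']:6} pid={hit['pid']} {hit['host']}")
```

On the sample log this flags the IIS worker (w3wp.exe) as high and the unknown binary as medium, while the legitimate powershell.exe load is ignored; in production the same logic maps directly onto a SIEM query over Sysmon Event ID 7.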

Defense Evasion

  • Manipulated kernel-level tracing
  • Suppressed critical system logs
  • Overwrote AmsiScanBuffer function
  • Rendered security tool integrations ineffective
  • Allowed execution of malicious PowerShell commands

Data Exfiltration

  • Saved command outputs to C:\ProgramData
  • Compressed files using custom Invoke-ZIP function
  • Prepared for covert data transfer

Infrastructure Concealment

  • Utilized compromised Zyxel CPE routers
  • Primarily in Southeast Asian telecommunication providers
  • Used as traffic proxying infrastructure

Conclusion

This security breach highlights the persistent cybersecurity challenges that critical infrastructure faces, especially with sophisticated and adaptive tactics used by state-sponsored threat actors. It serves as a reminder of the importance of constant vigilance and stringent measures to protect sensitive environments from APTs.
