‘Weaver Ant’ Exploits Web Shell Tunneling and Hacked Routers to Avoid Detection

A sophisticated cyber espionage operation attributed to suspected Chinese actors infiltrated an Asian telecommunications network and operated undetected for four years. Researchers at incident response firm Sygnia uncovered the operation and track the actor as “Weaver Ant.” The evidence points to a China-linked, state-sponsored actor: the group used the well-known China Chopper web shell, and its activity followed Chinese time zones and holidays.
The operation used a fleet of compromised Zyxel customer premises equipment (CPE) routers for lateral movement within the network. Pivoting between compromised devices in this way lets attackers reach and exploit vulnerabilities deeper in the telecom infrastructure, a tactic documented in earlier analyses.
Chinese hackers have previously been found inside telecom networks worldwide, notably in the intrusions into U.S. service providers attributed to the group tracked as Salt Typhoon. Such actors rely on a variety of web shells and backdoors to stay hidden while expanding their access within the targeted environment. One obfuscation tactic is to build customized web shells whose code uses innocuous-looking terms such as “password” and “key,” so that the shell slips past security tooling.
In addition to China Chopper, the attackers deployed a second web shell, dubbed “INMemory Web Shell,” which executed malicious modules directly in memory. Combined with encrypted HTTP tunneling, this gave them a foothold in the telecom systems, and the web shells also acted as proxy servers, relaying malicious traffic to internal hosts to extend the intrusion.
The traffic routed between these web shells was masked with layered encryption, so the researchers had to capture and analyze packets from the compromised servers to learn what it carried. The attackers had embedded a hardcoded encryption key in their web shells and used it in a layered encoding scheme for their payloads; Sygnia noted that its painstaking work allowed it to decrypt and unpack the instructions intended for execution on the targeted servers.
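The two traits described above, payloads carried in parameters named “password” and “key” and bodies that are encrypted or encoded blobs rather than form data, are also what a defender can look for in web server telemetry. The following is an added example, not code from the article or from Sygnia, of a small triage script over HTTP request records. All paths, addresses and bodies are constructed for the illustration; it assumes a reverse proxy or WAF that logs POST bodies, and it treats a parameter name alone as only a weak signal, because ordinary login forms also carry a “password” field.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample requests (hypothetical paths, RFC 5737 test addresses, made-up
# bodies); in practice these would be exported from a proxy or WAF that logs POST bodies.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.4", "method": "GET", "path": "/portal/login.aspx", "body": ""},
    {"src": "198.51.100.4", "method": "POST", "path": "/portal/login.aspx",
     "body": "username=jdoe&password=hunter2"},           # legitimate login form
    {"src": "198.51.100.9", "method": "GET", "path": "/portal/index.aspx", "body": ""},
] + [
    {"src": "203.0.113.7", "method": "POST", "path": "/portal/error_handler.aspx",
     "body": "password=Zx9Yw8Xv7Wu6Vt5Us4Tr3Sq2Rp1Qo0PnOmNlMkLjKiJhIgHfGeFdEcDbCaBAzy%2B/&key=1"}
    for _ in range(3)                                       # constructed web-shell-style posts
]

# Parameter names the report says the customised web shell used.
SHELL_PARAM_NAMES = {"password", "key"}
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_BLOB_LEN = 48
MIN_BLOB_ENTROPY = 4.5  # bits per character; English text sits around 4.0-4.3


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_encoded_payload(value: str) -> bool:
    """Long, base64-shaped and high-entropy: the shape of an encoded command blob."""
    return (len(value) >= MIN_BLOB_LEN
            and BASE64_RE.fullmatch(value) is not None
            and shannon_entropy(value) >= MIN_BLOB_ENTROPY)


def score_request(req: dict) -> tuple[str, list[str]]:
    """Classify one request as 'likely', 'weak' or 'none', with the reasons."""
    if req["method"] != "POST":
        return "none", []
    params = parse_qs(req["body"], keep_blank_values=True)
    reasons = []
    names_hit = {k for k in params if k.lower() in SHELL_PARAM_NAMES}
    if names_hit:
        reasons.append("web-shell-style parameter name(s): " + ", ".join(sorted(names_hit)))
    blobs = [k for k, vals in params.items()
             if any(looks_like_encoded_payload(v) for v in vals)]
    if blobs:
        reasons.append("high-entropy encoded blob in: " + ", ".join(sorted(blobs)))
    # A login form also has a 'password' field, so the name alone is only a weak signal;
    # the name together with an encoded blob in the same request is worth an alert.
    if names_hit and blobs:
        return "likely", reasons
    return ("weak" if reasons else "none"), reasons


def post_only_paths(requests: list[dict], min_posts: int = 3) -> list[str]:
    """Script paths that are only ever POSTed to and never fetched with GET: a web shell
    is not linked from the site, so legitimate browsers rarely request it."""
    stats = defaultdict(lambda: {"GET": 0, "POST": 0, "srcs": set()})
    for r in requests:
        entry = stats[r["path"]]
        if r["method"] in ("GET", "POST"):
            entry[r["method"]] += 1
        entry["srcs"].add(r["src"])
    return sorted(p for p, e in stats.items() if e["GET"] == 0 and e["POST"] >= min_posts)


def triage(requests: list[dict]) -> dict:
    """Combine the per-request verdicts with the per-path view."""
    likely = [(r["src"], r["path"]) for r in requests if score_request(r)[0] == "likely"]
    return {"likely_requests": likely, "post_only_paths": post_only_paths(requests)}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict, why = score_request(r)
        print(f"{r['method']:4} {r['path']:28} {r['src']:14} {verdict:6} {'; '.join(why)}")
    print("POST-only paths:", post_only_paths(SAMPLE_REQUESTS))
```

Run on the constructed sample, the login POST scores only “weak” (parameter name, no blob), the three posts to the hypothetical error handler score “likely,” and that path is the only one that is POSTed to without ever being browsed. The thresholds are starting points to tune against the site's own traffic; the per-path view is the cheaper signal when bodies are not logged at all.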
Over the four-year campaign the threat actors collected significant intelligence, including configuration files and credentials, which let them build a comprehensive map of the network and identify key target systems. They also evaded security monitoring, for example by altering the Windows AmsiScanBuffer function that security products call to scan script content, minimizing their footprint and prolonging their access to the network.
While Sygnia confirmed that it had removed the threat actor from the affected network, it reported ongoing attempts by the group to regain access, a persistent threat for organizations operating in the telecom sector.