Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

The Hacker News | Ravie Lakshmanan | March 25, 2025 | Cyber Espionage / Network Security

A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia.

The cybersecurity company is tracking the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not disclosed.

“Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage,” Sygnia said. “The group behind this intrusion […] aimed to gain and maintain continuous access to telecommunication providers and facilitate cyber espionage by collecting sensitive information.”

The attack chain is said to have involved the exploitation of a public-facing application to drop two different web shells: an encrypted variant of China Chopper and a previously undocumented tool dubbed INMemory. China Chopper has been used by multiple Chinese hacking groups in the past.


INMemory, as the name implies, decodes a Base64-encoded string and executes the result entirely in memory without writing it to disk, so the payload leaves no on-disk artifact for file-based forensics to recover.

“The ‘INMemory’ web shell executed the C# code contained within a portable executable (PE) named ‘eval.dll,’ which ultimately runs the payload delivered via an HTTP request,” Sygnia said.

The web shells served as a stepping stone for next-stage payloads, most notably a recursive HTTP tunnel tool used to facilitate lateral movement over SMB, a tactic previously adopted by other threat actors such as Elephant Beetle.

What's more, the encrypted traffic passing through the web shell tunnel serves as a conduit for a series of post-exploitation actions, including:

  • Patching Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) to bypass detection
  • Using System.Management.Automation.dll to execute PowerShell commands without spawning PowerShell.exe, and
  • Executing reconnaissance commands against the compromised Active Directory environment to identify high-privilege accounts and critical servers
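The behaviours listed above still leave traces in endpoint telemetry even when the payload itself stays in memory: loading System.Management.Automation.dll into a process that is not a PowerShell host, and a web server worker process opening SMB connections to other internal hosts, are both visible as events. The following is an added example, not code from the article or from Sygnia, that runs three such hunts over Sysmon-style events (process creation, image load, network connection) represented as constructed Python dicts; it assumes Sysmon's field names (`Image`, `ParentImage`, `ImageLoaded`, `DestinationPort`, `Initiated`) and the default IIS worker process name `w3wp.exe`.

```python
"""Three endpoint hunts for the post-exploitation behaviours described above.

Added example; events are constructed Sysmon-style records, not real telemetry.
"""
import ntpath  # parses Windows paths correctly on any host OS

WEB_SERVER_HOSTS = {"w3wp.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "certutil.exe", "rundll32.exe"}
SMA_DLL = {"system.management.automation.dll", "system.management.automation.ni.dll"}
SMB_PORTS = {445, 139}

# Constructed events (assumption: Sysmon field names; EventID 1 = process create,
# 7 = image load, 3 = network connection).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.23", "DestinationPort": "445"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.40", "DestinationPort": "1433"},
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing field)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return (event_index, rule_name, detail) for every event that matches a hunt."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        img = basename(ev.get("Image"))

        # Rule 1: classic web shell, the worker process spawns a shell or LOLBin.
        if eid == 1 and basename(ev.get("ParentImage")) in WEB_SERVER_HOSTS and img in SHELLS:
            hits.append((i, "webserver_spawns_shell", img))

        # Rule 2: PowerShell engine hosted outside PowerShell.exe (catches what rule 1 misses).
        elif eid == 7 and basename(ev.get("ImageLoaded")) in SMA_DLL and img not in POWERSHELL_HOSTS:
            hits.append((i, "sma_load_outside_powershell", img))

        # Rule 3: web server acting as an SMB client, consistent with tunnelled lateral movement.
        elif (eid == 3 and img in WEB_SERVER_HOSTS
              and str(ev.get("Initiated", "")).lower() == "true"
              and int(ev.get("DestinationPort", 0)) in SMB_PORTS):
            hits.append((i, "webserver_smb_client", ev.get("DestinationIp")))
    return hits


if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} ({detail})")
```

Rule 2 will also fire on legitimate hosts of the PowerShell engine (management consoles, some Exchange and SCCM components), so baseline which images load the DLL in your environment before alerting on it. None of these rules sees in-process patching of AMSI or ETW; that requires inspecting the live process, for instance by comparing the first bytes of the relevant exported functions in memory against the same bytes in the DLL on disk.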

Sygnia said Weaver Ant exhibits hallmarks typically associated with a China-nexus cyber espionage group owing to the targeting patterns and the “well-defined” goals of the campaign.

This link is also evidenced by the presence of the China Chopper web shell, the use of an Operational Relay Box (ORB) network comprising Zyxel routers to proxy traffic and obscure their infrastructure, the working hours of the hackers, and the deployment of an Outlook-based backdoor formerly attributed to Emissary Panda.

“Throughout this period, Weaver Ant adapted their TTPs to the evolving network environment, employing innovative methods to regain access and sustain their foothold,” the company said. “The modus operandi of Chinese-nexus intrusion sets typically involves the sharing of tools, infrastructure, and occasionally manpower—such as through shared contractors.”

China Identifies 4 Taiwanese Hackers Allegedly Behind Espionage

The disclosure comes days after China’s Ministry of State Security (MSS) accused four individuals purportedly linked to Taiwan’s military of conducting cyber attacks against the mainland. Taiwan has refuted the allegations.


The MSS said the four individuals are members of Taiwan’s Information, Communications, and Electronic Force Command (ICEFCOM), and that the entity engages in phishing attacks, propaganda emails targeting government and military agencies, and disinformation campaigns using social media aliases.

The intrusions are also alleged to have involved the extensive use of open-source tools like the AntSword web shell, IceScorpion, Metasploit, and Quasar RAT.

“The ‘Information, Communications and Electronic Force Command’ has specifically hired hackers and cybersecurity companies as external support to execute the cyber warfare directives issued by the Democratic Progressive Party (DPP) authorities,” it said. “Their activities include espionage, sabotage, and propaganda.”

Coinciding with the MSS statement, Chinese cybersecurity firms QiAnXin and Antiy have detailed spear-phishing attacks orchestrated by a Taiwanese threat actor codenamed APT-Q-20 (aka APT-C-01, GreenSpot, Poison Cloud Vine, and White Dolphin) that led to the delivery of a C++ trojan and command-and-control (C2) frameworks like Cobalt Strike and Sliver.

Other initial access methods entail the exploitation of N-day security vulnerabilities and weak passwords in Internet of Things devices such as routers, cameras, and firewalls, QiAnXin added, characterizing the threat actor's activities as "not particularly clever."
