
China-nexus advanced persistent threat Weaver Ant has compromised a major Asian telecommunications services provider's network with web shells and various payloads for more than four years as part of its cyberespionage efforts, according to Security Affairs.
Attacks by Weaver Ant involved the deployment of an encrypted China Chopper web shell variant on the organization's internal server, followed by the distribution of other web shells, including the newly identified INMemory web shell, which enabled in-memory execution of malicious modules to evade forensic detection, a report from Sygnia revealed. Aside from using a recursive HTTP tunnel tool for lateral movement, Weaver Ant also executed PowerShell commands and leveraged Zyxel routers to conceal malicious activity.

"The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank," said Sygnia researchers, who attributed the APT to China based on its use of Zyxel routers, backdoors previously linked to Chinese threat actors, and its operating hours.