China-Nexus Hackers Spent Years in Asian Telecoms Network, Report Says

The China-nexus entity used web shells to create discrete communication channels or ’tunnels’ between itself and the unnamed telecom company’s machines.
An unnamed Chinese hacker uses his computer at an office in Dongguan, southern Guangdong Province, China, on Aug. 4, 2020. Nicolas Asfouri/AFP via Getty Images
Dave Malyon
A China-nexus cyber-threat actor had successfully embedded itself in an Asian telecommunication company’s network for more than four years, according to a report released by cybersecurity company Sygnia on Monday.
Sygnia found that the malicious entity, known as “Weaver Ant,” operated on certain days and was intent on maintaining continuous access and collecting sensitive information while traversing the unnamed company’s network.
This report follows earlier assessments by cyber defense firms CrowdStrike on Feb. 27 and Mandiant on March 12, which noted an increase in China-nexus groups leveraging artificial intelligence and routers with out-of-date software to gain illicit access to networks and information.

Weaver Ant uploaded malicious scripts, known as web shells, onto target servers, allowing them to be controlled remotely through command-line interfaces or text-based systems rather than graphical ones with cursors and buttons, such as those on personal computers, according to the Sygnia report.

It said the China-nexus entity then used these web shells to create discrete communication channels or “tunnels” between itself and the unnamed telecom company’s machines.

Sygnia said it became aware of the intrusions when it received alerts of “suspicious activities” from a profile that was disabled in an earlier bid to stem the operations of a threat actor.

This profile was located on a server that had not been “previously identified as compromised” and was reactivated by a service account.

A service account is an automated, nonhuman profile with elevated privileges that performs background tasks, such as running applications, scripts, or services on a server or network.

Sygnia’s ensuing probe revealed a variant of the China Chopper web shell script that Mandiant, in an August 2013 explainer, dubbed “a slick little web shell that does not get enough exposure and credit for its stealth.”

“The text-based payload is so simple and short that an attacker could type it by hand right on the target server—no file transfer needed,” the Google subsidiary said in the explainer.

According to Sygnia, China Chopper—the variant primarily used by Weaver Ant and deployed mainly on outward-facing servers—turned up on an internal server, “which had been compromised for several years.”

The second web shell detected by Sygnia “had no publicly available references” and “enables in-memory execution of malicious modules” and was thus named “INMemory.”

Through these discoveries, Sygnia deduced that two threat actors were working in tandem and that by disabling the first account, the telecom company hindered the second actor’s operations.

The cyber incident response company noted that it discovered “dozens of similar web shells” and that the operation prioritized “persistent access” while relying exclusively on these malicious scripts.

The threat actors not only exploited the web shells to access nodes they infected but also used them to expand their operations laterally—to other aspects of the network through what Sygnia describes as an “intricate tunneling process.”

The report further notes that Sygnia’s efforts were challenged by the threat actor’s defense evasion techniques, which comprised strategically placed words such as “password,” “key,” and “pass.”

These keywords triggered a redaction function in the network’s firewall, making the data siphoned off “difficult to monitor or analyze.”

Another challenge to Sygnia’s damage control efforts was the character limit on the affected network’s firewall solution, which prevented them from establishing specifics of the data stolen from the network.

The Sygnia report notes that Weaver Ant “focused on specific industries and geographic locations that align with China’s cyber strategy,” that its operations were guided by “well-defined objectives,” that it relied primarily on “China Chopper web shell variants,” and that it “carried out malicious activities primarily with the GMT +8 time zone, operating on regular working days while avoiding weekends and holidays.”
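The GMT+8, working-days-only pattern quoted above is the kind of finding an analyst derives by bucketing request timestamps into the suspected operator's local time. The script below is an added illustration written for this article, not Sygnia's tooling; the access-log lines, the web shell path and the 09:00 to 18:00 working window are constructed assumptions.

```python
"""Profile web shell request timestamps against a GMT+8 working-day pattern."""
import re
from datetime import datetime, timedelta, timezone

GMT8 = timezone(timedelta(hours=8))
# Assumed working window; the report only says "regular working days".
WORK_START, WORK_END = 9, 18

# Constructed sample access-log lines (combined-log style, UTC timestamps).
# 10-13 Mar 2025 are Mon-Thu; 15 Mar 2025 is a Saturday.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:01:12:44 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2025:03:40:10 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 498
203.0.113.5 - - [11/Mar/2025:02:05:31 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 520
203.0.113.5 - - [12/Mar/2025:07:55:02 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 505
203.0.113.5 - - [13/Mar/2025:01:30:19 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 511
203.0.113.5 - - [15/Mar/2025:06:10:00 +0000] "POST /uploads/img.aspx HTTP/1.1" 200 507
"""

# Captures the timestamp (UTC-only logs assumed) and the requested path.
LOG_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) \+0000\] "(?:POST|GET) (\S+)')

def parse_timestamps(log_text, path):
    """Return timezone-aware UTC datetimes of every request to `path`."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == path:
            stamp = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            found.append(stamp.replace(tzinfo=timezone.utc))
    return found

def working_hours_share(utc_times, tz=GMT8):
    """Fraction of events landing Mon-Fri inside the working window in `tz`."""
    if not utc_times:
        return 0.0
    hits = 0
    for t in utc_times:
        local = t.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(utc_times)

def weekend_events(utc_times, tz=GMT8):
    """Events that fall on Saturday or Sunday in `tz` (outliers worth a look)."""
    return [t for t in utc_times if t.astimezone(tz).weekday() >= 5]

def profile(log_text, path, tz=GMT8):
    """Summarise how well traffic to `path` fits an office-hours schedule in `tz`."""
    ts = parse_timestamps(log_text, path)
    return {"events": len(ts), "working_share": working_hours_share(ts, tz),
            "weekend_events": len(weekend_events(ts, tz))}
```

A high working-hours share on its own proves nothing; its value is in comparing the same path's profile across several candidate time zones and against the server's legitimate traffic.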

It further notes that the threat actor “targeted compromised Zyxel CPE routers” favored by Southeast Asian telecommunications providers and manufactured in Taiwan, while it also used backdoors previously associated with Chinese advanced persistent threat (APT) actors Cybereason and TrendMicro.

“Weaver Ant demonstrated exceptional persistence, maintaining activity within the compromised network for over four years, despite multiple eradication attempts,” the report reads.

Sygnia said in the report that it operates under the “assumption that Weaver Ant is a highly capable and persistent APT,” and that “given their focus on espionage, it was deemed highly likely that they would attempt to resume operations.” As Sygnia expected, Weaver Ant had indeed tried again.

“The monitoring efforts proved effective—Weaver Ant were detected attempting to regain access to the victim’s network,” the report reads. “Sygnia has been closely tracking and investigating their renewed activity.”

A follow-up report on the hacker group’s “‘upgraded’ modus operandi and tools” will also be published, the report noted.