APT Weaver Ant Survives in a Telecommunications Provider's Network for Over Four Years

Tran Hoang Phong

Weaver Ant, a China-nexus threat actor, was found to have infiltrated a major telecommunications provider. Using web shells and web shell tunneling, the group kept its foothold and conducted cyber espionage for more than four years.

General Introduction

The investigation grew out of a few suspicious alerts raised during a forensic engagement. An account that a previously evicted hacker group had used, and which had since been disabled, was re-enabled by a service account. Notably, that activity originated from a server that had not been identified as compromised.

Further investigation found a variant of the China Chopper web shell on an internal server that had been compromised for years. Evicting the first hacker group had apparently disrupted the operations of a second, also China-linked group, which the security researchers track under the name Weaver Ant.

This discovery prompted a large-scale digital forensic investigation, including a hunt for further web shell variants. Using YARA rules and other enrichment sources, the team identified dozens of similar web shells and uncovered a complete campaign that relied entirely on web shells: for persistent access, for remote code execution, and for lateral movement through layered tunneling techniques.

Web Shell Analysis

During the web shell hunt, numerous samples were discovered, prompting the team to classify them systematically. Analysis showed that the group relied mainly on two web shell families: one classified as an encrypted China Chopper variant, and one with no public reference, which Sygnia named the INMemory web shell.

Encrypted China Chopper

Characteristics of the Encrypted China Chopper Web Shell

The China Chopper web shell is a compact tool that allows attackers to remotely access and control compromised web servers. Developed by Chinese hacker groups, this tool provides functions such as file management, command execution, and data extraction. Its small size and stealth capabilities make China Chopper an ideal tool for maintaining long-term access, supporting deeper exploitation, and evading defensive solutions. Additionally, its flexibility and ease of use have made it a popular choice for conducting various malicious activities on target systems.

The variant used by the group is a China Chopper that encrypts its payload with AES. Despite its simple, operator-friendly functionality, this web shell is highly effective at getting past Web Application Firewall (WAF) payload inspection, because the WAF sees only ciphertext rather than the command being issued.

The encrypted China Chopper web shell was deployed mainly on internet-facing servers, in both ASPX and PHP form. These compromised servers served as entry points, letting the attackers reach into the victim's network and establish long-term access.

Image 1. China Chopper Encrypted version written in ASPX

Image 2. China Chopper Encrypted version written in PHP

Investigation Challenges with Encrypted China Chopper

Two characteristics of the encrypted web shell pose challenges in the forensic investigation:

  • Keyword-based Evasion: The attackers deliberately named request parameters 'password', 'key' and 'pass'. Many WAFs and logging pipelines automatically redact the values of parameters with credential-like names, so the encrypted payload was masked in the logs and the actual content could not be recovered from them, hampering monitoring and later analysis.

  • Payload Truncation: The payloads exceeded the maximum request length the WAF records, so only a prefix of each payload was logged. The full payload cannot be reconstructed from the logs alone, which complicates the investigation.

INMemory Web Shell

Characteristics of the INMemory Web Shell

The second web shell type seen in this attack executes malicious .NET modules directly in memory.

It works by turning a Base64-encoded, GZIP-compressed string into a .NET assembly (a PE file) named 'eval.dll' and loading it entirely in memory, so the binary never exists on disk for a file scan to find. The in-memory load proceeds as follows:

  1. Decode the Base64 string into a byte array.

  2. Wrap the decoded bytes in a memory stream (memoryStream2).

  3. Wrap that memory stream in a GZIP stream in decompress mode.

  4. Copy the decompressed output into a new memory stream and convert it to a byte array.

  5. Pass the resulting byte array to 'Assembly.Load', which loads the assembly from memory and lets the shell run the payload without writing anything to disk.

To evade detection, the web shell also hides the names it resolves via reflection by storing them as Base64 strings. A helper named 'invoke' decodes two of them at run time:

  • 'RVZBTC5IYW5kbGVy' → decodes to 'EVAL.Handler' (where 'EVAL' is the namespace and 'Handler' is the class).

  • 'SW52b2tl' → decodes to 'Invoke', the method in the loaded assembly that receives the request.

Image 3. ‘INMemory’ version written in ASPX

Execution with 'eval.dll'

The INMemory web shell executes the compiled .NET code in 'eval.dll' whenever a payload arrives in an HTTP request. The assembly is embedded in the web shell as a GZIP-compressed, Base64-encoded string held in the variable 'b'.

When triggered, the web shell calls the assembly's 'Invoke' method, passing it the HTTP request together with a hard-coded SHA256 hash. 'Invoke' then performs the following steps:

  1. SHA256 Header Matching: a. It computes the SHA256 hash of each HTTP request header. b. It compares each result with the hard-coded hash. Only a request carrying a header with the expected secret value is processed; any other request, including a scanner probing the URL, gets nothing useful back.

  2. Payload Decoding & Execution: a. If a header matches, the request content is decoded in two layers: i. Stage 1: Base64 decoding ii. Stage 2: UTF-8 decoding of the resulting bytes. b. The recovered script is then executed with the 'JScriptEvaluate' function from the JScript library, so the payload is evaluated dynamically rather than compiled into the shell.

The SHA256 header gate and the layered encoding make the shell hard to probe and hard to signature: a WAF inspecting the body sees Base64 text rather than script keywords, and only an operator who knows the header value can elicit any behaviour from the shell. 'JScriptEvaluate' compounds the problem, since it lets arbitrary, freshly supplied and possibly obfuscated code run inside the web server process without anything being written to disk.
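The decoding chain (steps 1 to 5 above), the Base64-hidden reflection targets, and the 'Invoke' gate, reproduced in Python as an added triage helper. This is not the web shell's own code and not Sygnia's tooling; the sample PE blob, the header secret behind the digest, and the choice to hash the header value (the page does not say whether 'Invoke' hashes the value, the name, or both) are constructed assumptions for the example.

```python
import base64
import gzip
import hashlib
import struct

# Constructed sample, NOT the real eval.dll: a minimal DOS header plus PE
# signature is enough to exercise the unpacking and the sanity check.
def _build_sample_blob():
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)       # e_lfanew: PE header lives at 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", img, 0x84, 0x14C)      # Machine = IMAGE_FILE_MACHINE_I386
    return base64.b64encode(gzip.compress(bytes(img))).decode()

SAMPLE_BLOB = _build_sample_blob()                 # stands in for the shell's variable 'b'

def unpack_inmemory_payload(blob):
    """Steps 1-4 of the shell, reversed for triage: Base64 -> GZIP -> PE bytes."""
    raw = base64.b64decode(blob)                   # step 1
    return gzip.decompress(raw)                    # steps 2-4 (MemoryStream + GZipStream)

def describe_pe(data):
    """Confirm the recovered bytes are a PE image before handing them to a .NET analyst."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"is_pe": False}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"is_pe": True, "machine": hex(machine), "size": len(data)}

def decode_reflection_target(type_b64, method_b64):
    """The two Base64 strings the shell's 'invoke' helper resolves against the loaded assembly."""
    return base64.b64decode(type_b64).decode(), base64.b64decode(method_b64).decode()

# Assumed secret: the page gives only a fixed SHA256 digest, not the value behind it.
EXPECTED_HEADER_SHA256 = hashlib.sha256(b"opsec-token-2019").hexdigest()

def find_auth_header(headers, expected_hex):
    """Mirror the gate in Invoke: hash each header (assumed: its value) and compare
    against the hard-coded digest. Returns the matching header name, or None."""
    for name, value in headers.items():
        if hashlib.sha256(value.encode()).hexdigest() == expected_hex:
            return name
    return None

def recover_script(headers, body_b64):
    """Return the script JScriptEvaluate would receive (Base64 -> UTF-8), or None
    when the request lacks the authentication header and the shell would ignore it."""
    if find_auth_header(headers, EXPECTED_HEADER_SHA256) is None:
        return None
    return base64.b64decode(body_b64).decode("utf-8")
```

For a real sample, replace SAMPLE_BLOB with the string assigned to 'b' in the captured ASPX file; if describe_pe reports a PE, the unpacked bytes can go straight to a .NET decompiler, and the decoded type and method names tell you where to start reading. The hash in find_auth_header is the one hard-coded in the assembly; with mirrored traffic in hand it identifies which header the operator uses, and therefore which requests to replay through your own decoder.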

Monitoring Attacker Behavior

While scanning for web shells it became clear that the Weaver Ant group was still active in the compromised network. To investigate without tipping the group off or disrupting the response, the team opted for covert monitoring.

Monitoring was not conducted directly on compromised machines, as deploying monitoring tools could alert the hacker group. Instead, the investigation team used port mirroring techniques and designed an architecture to automate the decryption and unpacking of web shell traffic.

By merging real-time data from various log sources — including HTTP requests and raw responses — the investigation team identified multiple payloads deployed by the hacker group and uncovered a large-scale campaign using access persistence mechanisms on dozens of servers.

The hacker group deployed simple web shells on compromised servers — often just a single line of code, such as a modified version of China Chopper — and these web shells served as intermediaries to execute more complex payloads. The investigation team discovered various payload types with specific purposes, most notably a recursive HTTP tunneling tool.

Recursive HTTP Tunneling Tool

This tool acts as a second-stage web shell, enabling HTTP tunneling to access internal resources. It forwards requests to other web servers and supports both ASPX and PHP versions, ensuring broad compatibility.

The tool decodes parameters (e.g., 'p1', 'p2', 'f') to dynamically create and execute cURL commands based on the execution flow.

Steps in the tunneling mechanism include:

  • Decrypt the outer payload with the key hard-coded in the recursive tunneling tool

  • Decode 'p1' and 'p2' parameters from Base64

  • Parse parameters to reconstruct HTTP requests or cURL commands

  • Dynamically build and execute the payload based on input

  • Return the response from the server after forwarding the request

This adaptive tunneling mechanism allows the hacker group to easily navigate between different web environments and maintain operational flexibility.

Image 4. Code snippet from the recursive HTTP tunneling tool PHP version.

What is Tunneling in Web Shells?

Web shells are typically used to maintain access or execute code on compromised systems. However, they can also be used for lateral movement and system control. This technique is called Web Shell Tunneling.

Web shell tunneling is a technique that uses multiple web shells as "proxy servers," forwarding HTTP traffic to another web shell on a different server to execute payloads. This method allows the Weaver Ant group to operate across multiple servers in different network segments — often internal servers not directly connected to the internet — by leveraging public servers as gateways.

This technique has been used by various hacker groups, such as Elephant Beetle. The main advantage of this technique is that it allows the attack group to move laterally within the compromised system without deploying additional tools on target servers.

Image 5. Web Shell Tunneling flow.

Another benefit is that the traffic is sent over HTTP/S, making their activities appear legitimate, as compromised servers often serve web services, and incoming traffic is normal.

To implement this method, attackers need the ability to generate HTTP/S traffic from the compromised server — through built-in web shell functions or custom-designed payloads. Once achieved, the web shell can act as a proxy server, forwarding packaged command traffic to other servers.

Unpacking Malicious Behavior

Traffic transmitted through web shell tunneling techniques is encrypted. To support forensic investigation, the investigation team used port mirroring techniques to capture all data packets passing through one of the compromised servers. This allowed them to reconstruct the entire traffic received from the Weaver Ant group in decrypted form, enabling them to trace the behavior of the payloads.

Since the payloads are symmetrically encrypted with a hardcoded key embedded in the web shell, the incident response (IR) team developed an automated system to decrypt every new payload received by the web shell.

This mechanism allows "unpacking" each layer of encryption and obfuscation in the payload code, thereby recovering the commands or binary code that the hacker group intends to execute on the server. Weaver Ant sometimes sends only the 'p1' parameter, but also occasionally sends both 'p1' and 'p2' — with 'p2' serving to transmit a second payload to another web server, creating a chain of forwarding between web shells.

The hacker group's method is likened to a Matryoshka doll, where each layer conceals a more important layer inside. In this case, the malicious payloads are wrapped in multiple layers of encryption and obfuscation, with each layer being unpacked by the next web shell to reveal the next payload. This layering helps the hacker group conceal their intentions until the final payload is revealed, much like the smallest doll nestled deep within the nested dolls.
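The tunneling mechanism (decode 'p1' and 'p2', act on the first, forward the second) and the IR team's layer-by-layer unpacking, modelled in Python as an added example. This is neither the group's tool nor Sygnia's decoder: the JSON layout of each layer, the 'forward_to'/'cmd' field names, and the fixed-key XOR standing in for the unnamed symmetric cipher are all assumptions made for the example. What it preserves is the property the investigation relied on: whoever holds the key recovered from the web shell source can peel every layer.

```python
import base64
import json

# Assumed stand-in for the hard-coded symmetric key embedded in the web shell.
# The real tool's cipher is not shown on the page; fixed-key XOR keeps this
# dependency-free while keeping the key the single thing an unpacker needs.
KEY = b"weaver-demo-key"

def _xor(data):
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def _enc(obj):
    """One layer as the shell carries it: JSON -> 'encrypt' -> Base64."""
    return base64.b64encode(_xor(json.dumps(obj).encode())).decode()

def _dec(blob):
    return json.loads(_xor(base64.b64decode(blob)).decode())

def build_chain(hops, command):
    """Attacker side. hops[0] is the internet-facing shell, hops[-1] the final
    target. Wrap the command for the last hop, then wrap each earlier hop's
    forwarding instruction around it; return the p1/p2 form the first shell sees."""
    layer = {"p1": _enc({"cmd": command})}                 # the innermost doll
    for target in reversed(hops[1:]):
        layer = {"p1": _enc({"forward_to": target}), "p2": _enc(layer)}
    return layer

def hop_action(params):
    """What one web shell does on receipt: decrypt p1, then either run the command
    locally (p1 only) or forward the still-wrapped p2 to the named next hop."""
    inner = _dec(params["p1"])
    if "cmd" in inner:
        return ("execute", inner["cmd"], None)
    return ("forward", inner["forward_to"], _dec(params["p2"]))

def unwrap_chain(params):
    """IR side: repeat hop_action with the recovered key until the command appears.
    Returns the forwarding path and the final command."""
    path = []
    while True:
        action, target, next_params = hop_action(params)
        if action == "execute":
            return path, target
        path.append(target)
        params = next_params
```

Fed a captured request body from the mirrored port, unwrap_chain yields both the route the operator intended (which internal hosts carry shells) and the command meant for the last hop, which is exactly the inventory the investigation needed. A request with only 'p1' is the degenerate single-hop case and unwraps to an empty path.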

After fully unpacking, the investigation team realized that Weaver Ant deployed various payloads with distinct functions. These payloads demonstrate the sophistication and stealth capabilities of the attack group, enabling them to achieve their objectives while avoiding detection and maintaining long-term access to the system.

Evasion through ETW Patch & AMSI Bypass

Before loading malicious modules into memory on a compromised system, Weaver Ant first neutralises two Windows telemetry hooks inside the host process, so that what follows goes unrecorded:

  • ETW (Event Tracing for Windows) is the tracing framework that the kernel, system DLLs and user-mode applications use to emit events for logging and security sensors. The group patched the ETW event-writing path inside the compromised process, suppressing events before they reach the Windows event logs, Sysmon, or the EDR sensors that subscribe to them, which blinded log-based monitoring to its activity.

  • AMSI (Antimalware Scan Interface) lets script engines such as PowerShell hand their code to the installed antimalware product for scanning at run time. The group overwrote the 'AmsiScanBuffer' function in the 'amsi.dll' module within the process, short-circuiting every scan request, so AMSI-integrated antivirus and EDR never saw the PowerShell the group ran and it executed unimpeded.

PowerShell without PowerShell

Weaver Ant also runs PowerShell without ever starting the PowerShell.exe process. It loads System.Management.Automation.dll, the .NET assembly that implements the PowerShell engine itself, into an existing process (the web server worker, via the web shell) and drives the engine through its API. PowerShell.exe is only a thin host around this assembly, so everything the engine can do remains available.

This lets the group perform reconnaissance, lateral movement and data collection without triggering detections that key on the PowerShell.exe process or its command line, materially reducing their exposure to process-based monitoring. Two caveats matter for defenders: the engine still has to load into a process that has no business running PowerShell (an image load of System.Management.Automation.dll by w3wp.exe is a strong signal), and PowerShell's script block logging is implemented in the engine and emitted through ETW rather than by PowerShell.exe, which is one reason the ETW patch described above matters so much to the group.

Lateral Movement through SMB

Using the PowerShell-without-PowerShell technique, the group runs the PowerShell module Invoke-SMBClient to enumerate and move from the compromised web server to other servers in the internal network.

  • Invoke-SMBClient (part of the Invoke-TheHash toolkit) speaks SMB directly from PowerShell: it lists shares and directories and reads, writes and deletes files on remote shares; companion functions in the same toolkit provide remote command execution over SMB and WMI.

This lets the group drop additional web shells onto other web servers, widening its foothold and creating fresh access points inside the internal network.

  • They authenticate with valid credentials, typically high-privilege accounts or accounts whose passwords have not been changed for a long time. Rather than cleartext passwords, the group feeds the tool NTLM hashes (pass-the-hash), so no password ever needs to be cracked.

During lateral movement, they collect access logs and configuration files such as web.config, applicationHost.config from IIS servers. The goal is to gather clear-text login information, understand server operations, and determine if it serves external users.

Image 6. Web shell deployment chain.

Reconnaissance Activities

Weaver Ant uses Invoke-SharpView commands to conduct reconnaissance on Domain Controllers within the same Active Directory (AD) Forest. Examples include:

  • Get-DomainUserEvent

  • Get-DomainSubnet

  • Get-DomainUser

  • Get-NetSession

The main objective is to enumerate the compromised AD environment, identify high-privilege accounts and critical servers, and compile a target list.

The output of these commands is typically written to files under C:\ProgramData and then compressed with the PowerShell function Invoke-ZIP ahead of exfiltration.

Recommendations for Tracking Weaver Ant

  • Enable IIS logging, forward the logs to a SIEM, and log the X-Forwarded-For (XFF) header so the true client address is recorded when requests arrive through a load balancer or proxy

    • Alert on interruptions or stoppages in log collection, since a gap is itself a signal

  • Monitor creation of new web pages (for example .aspx or .php files under web roots) by web server processes (such as w3wp.exe, tomcat6.exe)

  • Monitor command execution (child processes such as cmd.exe or powershell.exe) spawned by web server processes (w3wp.exe, tomcat6.exe)

  • Monitor HTTP requests with unusually large payloads

  • Monitor unusual parameters in HTTP requests

  • Enable PowerShell transcript logging to record and analyze suspicious behavior
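The three HTTP-side recommendations above (large payloads, unusual parameters, and requests to pages nobody deployed) turned into detection logic over W3C-format IIS log lines, as an added example. The log lines are constructed for the example and are not from the incident; the byte threshold, the baseline of known pages, and the choice of parameter names to flag (taken from the web shells described on this page) are assumptions a team would tune to its own environment.

```python
from urllib.parse import parse_qs

# Tunables: assumptions for the example, not values from the report.
SUSPECT_PARAMS = {"p1", "p2", "f", "password", "key", "pass"}   # names used by the shells above
LARGE_REQUEST_BYTES = 8192                                      # POST bodies bigger than normal forms
KNOWN_PAGES = {"/index.aspx", "/login.aspx", "/api/status.aspx"}  # pages the app actually ships

# Constructed W3C IIS log excerpt (not real traffic). Requests 3-5 mimic shell traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2024-01-10 03:12:44 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200 5120 310
2024-01-10 03:13:02 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302 210 640
2024-01-10 03:14:31 10.0.0.5 POST /img/help.aspx - 443 - 198.51.100.9 - 200 412 18944
2024-01-10 03:14:33 10.0.0.5 POST /img/help.aspx p1=ZmFrZQ&p2=ZmFrZQ 443 - 198.51.100.9 - 200 220 7300
2024-01-10 03:15:10 10.0.0.5 GET /api/status.aspx key=abc 443 - 203.0.113.7 curl/8.4.0 200 98 120
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def score_request(rec):
    """Return the list of reasons a record looks like web shell traffic (empty if none)."""
    reasons = []
    query = rec["cs-uri-query"]
    params = set(parse_qs(query, keep_blank_values=True)) if query != "-" else set()
    hit = params & SUSPECT_PARAMS
    if hit:
        reasons.append("suspect-param:" + ",".join(sorted(hit)))
    if rec["cs-method"] == "POST" and int(rec["cs-bytes"]) >= LARGE_REQUEST_BYTES:
        reasons.append("large-post")           # IIS never logs the body, but it logs its size
    if rec["cs-method"] == "POST" and rec["cs-uri-stem"] not in KNOWN_PAGES:
        reasons.append("post-to-unbaselined-page")
    if rec["cs(User-Agent)"] == "-":
        reasons.append("empty-user-agent")
    return reasons

def analyze_iis_log(text):
    """Run score_request over every record and collect the ones worth a look."""
    findings = []
    for rec in parse_w3c(text):
        reasons = score_request(rec)
        if reasons:
            findings.append({"time": rec["time"], "client": rec["c-ip"],
                             "uri": rec["cs-uri-stem"], "reasons": reasons})
    return findings
```

Two points of design. IIS does not record POST bodies, so the 'password' masking problem described earlier never arises here, but neither can you look for the payload: cs-bytes is the field that exposes an oversized body, and a POST to a page that is not in your deployment manifest is the cheapest tell for a freshly dropped shell. Note the final record: a GET with a 'key' parameter from a normal browser-like client is exactly the sort of low-confidence hit you get, so treat the reasons as scoring inputs for the SIEM rather than as alerts on their own.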

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this attack campaign:

  • Limit Privileges: Restrict web service account privileges to the minimum necessary.

  • Control Administrative Traffic: Use ACLs and firewalls to restrict administrative traffic between web servers and internal systems (especially SMB and HTTP/S).

  • Ensure Account Hygiene: Implement LAPS, gMSA, or PIM solutions to change passwords periodically.

  • Enhance Detection: Deploy EDR/XDR to monitor memory for malicious activities, including in-memory web shells.

  • Strengthen Web Security: Fine-tune WAF and logging systems to detect obfuscated code and unusual behavior related to China Chopper or INMemory web shells.

  • Secure Data Backups: Ensure regular offline backups to recover data in case of encryption or data loss due to malware.

  • System Updates: Always apply security patches for operating systems, applications, and firmware to protect devices from known vulnerabilities.
