Weaver Ant APT Targeting a Telecommunication Company in Asia


Summary
Sygnia uncovered a highly persistent cyber espionage campaign by a China-nexus threat actor, tracked as Weaver Ant, targeting a major telecommunications provider in Asia. The group leveraged web shells, specifically an encrypted variant of China Chopper and a previously unknown 'INMemory' web shell, to maintain stealthy, long-term access. Their operations were designed to exfiltrate sensitive data and enable lateral movement within the network, relying heavily on web shell tunneling for persistence. The campaign's discovery was triggered when a previously disabled compromised account was re-enabled, leading investigators to uncover a years-long infiltration. The investigation revealed that Weaver Ant exclusively used web shells for remote code execution and sustained access, making detection challenging. By employing YARA rules and enrichment mechanisms, analysts identified multiple variants of these web shells deployed across compromised servers.
Vulnerability Details
China Chopper
China Chopper is a lightweight and highly effective web shell used by threat actors, primarily of Chinese origin, to gain remote access and control over compromised web servers. It provides functionalities such as file management, command execution, and data exfiltration while maintaining a minimal footprint to evade detection. The web shell’s small size, ease of use, and adaptability make it a favored tool for persistent access and further exploitation of targeted networks.
In the Weaver Ant campaign, an encrypted variant of China Chopper was widely used. This variant supported AES encryption to bypass automated detection mechanisms, particularly at the Web Application Firewall (WAF) level. Deployed on externally facing servers in ASPX and PHP, this variant enabled the threat actor to infiltrate and maintain control over compromised systems.
INMemory Web Shell
The INMemory web shell is a sophisticated and stealthy tool observed in the Weaver Ant campaign, designed for in-memory execution of malicious payloads. Unlike traditional web shells that write files to disk, this variant operates by decoding a hardcoded GZipped Base64 string into a Portable Executable (PE) named eval.dll and executing it directly in memory. This method enables the threat actor to evade forensic detection and persist within the compromised environment. The execution flow involves decoding, decompressing, and loading the PE file, which then executes attacker-supplied payloads dynamically.
To further enhance stealth, the INMemory web shell leverages SHA256-based request header validation and multi-stage encoding (Base64 and UTF-8) to obscure payloads. It utilizes JScriptEvaluate, a function from the JScript library, to dynamically execute obfuscated code within the compromised web server. The Visual Studio for Applications (VSA) Engine compiles and runs payloads in real time, preventing security tools from detecting malicious files on disk. These advanced evasion techniques make the INMemory web shell a highly effective tool for persistent access, remote code execution, and stealthy lateral movement within targeted networks.
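The decoding chain described above (Base64, then GZip, then a PE loaded in memory) can be reversed during triage of a suspect ASPX page. The following Python script is an added example written for this post, not code from the original report or from the threat actor's tooling: it carves long Base64 literals out of a page's source, checks whether each decodes to a GZip stream, and whether the decompressed bytes start with the MZ magic of a PE file. The ASPX sample, the negative-control string and the fake "PE" bytes are all constructed for the demonstration.

```python
import base64
import binascii
import gzip
import re
import zlib

# Constructed sample input: a fake "PE" (just the MZ magic and filler) that
# is gzip-compressed and Base64-encoded, then embedded in a stand-in ASPX page
# alongside a harmless Base64 string used as a negative control.
FAKE_PE = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode." + b"\x00" * 32
SAMPLE_BLOB = base64.b64encode(gzip.compress(FAKE_PE)).decode("ascii")
CONTROL_BLOB = base64.b64encode(b"plain configuration text, not a compressed payload").decode("ascii")
SAMPLE_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    '  string cfg = "' + CONTROL_BLOB + '";\n'
    '  string blob = "' + SAMPLE_BLOB + '";\n'
    '</script>\n'
)

# Double-quoted literals made of Base64 characters, at least 40 long.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def carve_payloads(source: str) -> list[dict]:
    """Apply the Base64 -> GZip -> PE check to every long literal in the source.

    Returns one record per literal that is valid Base64, noting whether the
    decoded bytes are a GZip stream and whether the decompressed bytes carry
    the MZ header of a PE file. The decompressed bytes are kept so the analyst
    can hash them or parse the PE header.
    """
    findings = []
    for match in B64_LITERAL.finditer(source):
        literal = match.group(1)
        try:
            raw = base64.b64decode(literal, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like Base64 but is not
        record = {
            "offset": match.start(1),
            "b64_len": len(literal),
            "is_gzip": raw.startswith(GZIP_MAGIC),
            "is_pe": False,
            "payload": None,
        }
        if record["is_gzip"]:
            try:
                body = gzip.decompress(raw)
            except (OSError, EOFError, zlib.error):
                body = None  # truncated or corrupted stream
            if body is not None:
                record["payload"] = body
                record["is_pe"] = body.startswith(PE_MAGIC)
        findings.append(record)
    return findings


def embedded_pe_payloads(source: str) -> list[bytes]:
    """Only the carved payloads that look like PE files."""
    return [f["payload"] for f in carve_payloads(source) if f["is_pe"]]


if __name__ == "__main__":
    for rec in carve_payloads(SAMPLE_ASPX):
        size = len(rec["payload"]) if rec["payload"] else 0
        print(f"offset={rec['offset']} b64_len={rec['b64_len']} "
              f"gzip={rec['is_gzip']} pe={rec['is_pe']} bytes={size}")
```

Run it against the source of every ASPX and PHP file under the web root; a literal that decodes to a GZip stream wrapping an MZ header is worth a closer look even if the file itself has a benign name and no other suspicious content, because the loader logic around it can be as short as a single line.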
Recursive HTTP Tunnel Tool
The threat actor deployed minimalist web shells on compromised machines, often consisting of just a single line of code, such as a modified version of China Chopper. These web shells functioned as conduits for executing more sophisticated payloads to achieve specific objectives. Multiple types of payloads were observed, each serving a distinct purpose, with one of the most notable being a recursive HTTP tunnel tool.
The Recursive HTTP Tunnel Tool functioned as a second-stage web shell, enabling HTTP tunneling to access internal resources. It worked by forwarding requests to other web servers and supported both ASPX and PHP versions for broad compatibility. The tool dynamically constructed and executed cURL commands by decoding parameters (e.g., p1, p2, and f) from Base64.
Key functions:
● Decrypting its encrypted payload.
● Decoding and parsing Base64 parameters.
● Constructing HTTP requests or cURL commands dynamically.
● Executing payloads based on input parameters.
● Returning the response after forwarding the request.
Web shell tunneling is a technique that leverages multiple web shells as proxy servers to redirect inbound HTTP traffic to other compromised hosts for payload execution. This method allows threat actors, such as Weaver Ant, to operate across different network segments by using publicly accessible servers as gateways to internal systems. Unlike traditional web shells used for persistence or code execution, tunneling facilitates lateral movement and command and control without deploying additional tools. By utilizing HTTP/S traffic, this approach blends with legitimate web traffic, making detection more challenging.
Weaver Ant's implementation of web shell tunneling involved encrypting traffic between compromised servers to evade detection. By capturing and decrypting this traffic, investigators uncovered a multi-layered encryption mechanism, akin to a Matryoshka doll, where each web shell decrypted and forwarded payloads to the next stage. This layering of encryption and obfuscation helped the attackers remain stealthy while executing malicious commands deep within the network.
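To show how the layered tunnel requests described above can be unwrapped from captured traffic, here is an added Python example (not code from the original report): it peels the Base64 layer off the p1/p2/f parameters hop by hop and rebuilds the path the request took through the compromised servers. The role assigned to each parameter (p1 as next-hop URL, p2 as forwarded body, f as method flag), the hostnames and the three-hop sample request are assumptions constructed for the example; the AES layer the report mentions is not modelled, so on real captures this would run on already-decrypted parameter values.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names from the report. The role assigned to each is an
# assumption made for this example only:
#   p1 = next-hop URL, p2 = forwarded request body, f = method flag.
TUNNEL_PARAMS = ("p1", "p2", "f")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed three-hop sample: an edge server forwards to an internal
# application server, which forwards to a final host. Hostnames are made up.
INNER = "http://10.0.2.15/internal.php?" + urlencode({"p2": _b64("hostname"), "f": _b64("GET")})
MIDDLE = "http://app-internal.corp.example/proxy.aspx?" + urlencode({"p1": _b64(INNER)})
OUTER = "https://www.example.com/upload/tiny.aspx?" + urlencode({"p1": _b64(MIDDLE)})


def decode_b64(value: str):
    """Strict Base64 decode to text; None if the value is not Base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None


def unwrap_chain(url: str, max_depth: int = 8) -> list[dict]:
    """Peel the Base64 layer off p1/p2/f hop by hop, following p1 as the next hop.

    Each hop records the host and path that received the request and the
    decoded tunnel parameters it carried. max_depth guards against a
    self-referencing chain.
    """
    hops = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        query = parse_qs(parts.query)
        decoded = {name: decode_b64(query[name][0]) for name in TUNNEL_PARAMS if name in query}
        hops.append({"host": parts.hostname, "path": parts.path, "params": decoded})
        next_hop = decoded.get("p1")
        if not next_hop or not next_hop.startswith(("http://", "https://")):
            break
        current = next_hop
    return hops


def render_chain(hops: list[dict]) -> str:
    """Human-readable path of the request through the tunnel."""
    return " -> ".join(hop["host"] for hop in hops)


if __name__ == "__main__":
    chain = unwrap_chain(OUTER)
    print(render_chain(chain))
    print("innermost parameters:", chain[-1]["params"])
```

The rendered chain is the list of hosts that should appear, in order, in the respective web server logs at matching timestamps; a web server whose outbound connections to other internal web servers carry these parameters is acting as a tunnel hop rather than serving its own application.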
Weaver Ant conducted extensive reconnaissance within compromised Active Directory (AD) environments by executing various Invoke-SharpView commands against multiple Domain Controllers. These commands, such as Get-DomainUserEvent, Get-DomainSubnet, and Get-NetSession, were used to enumerate domain users, network configurations, and active sessions. The objective was to identify high-privilege accounts and critical servers for further exploitation.
The collected reconnaissance data was saved in C:\ProgramData, then compressed using the Invoke-ZIP PowerShell function before exfiltration. A captured PowerShell transcript log revealed command executions that listed network computers and compressed files for stealthy data extraction. This method enabled Weaver Ant to systematically gather intelligence on the target network while maintaining operational security.
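Since the reconnaissance in this campaign surfaced in a PowerShell transcript, a transcript scanner is a natural detection to have. The Python below is an added example, not code from the report or from any vendor product: it flags commands that invoke Invoke-SharpView, run Get-Domain*/Get-NetSession enumeration, call Invoke-ZIP, or reference C:\ProgramData as a staging location. The transcript lines and the cmdlet argument syntax are constructed for the example.

```python
import re

# Constructed sample transcript. The argument syntax of Invoke-SharpView and
# Invoke-ZIP is assumed for the demonstration.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20240101010101
**********************
PS C:\\Windows\\system32> Get-ChildItem C:\\inetpub\\wwwroot
PS C:\\Windows\\system32> Invoke-SharpView -Command "Get-DomainUserEvent -ComputerName DC01"
PS C:\\Windows\\system32> Invoke-SharpView -Command "Get-NetSession -ComputerName DC02"
PS C:\\Windows\\system32> Invoke-ZIP -Path C:\\ProgramData\\recon -Destination C:\\ProgramData\\recon.zip
PS C:\\Windows\\system32> Get-Date
"""

# Indicator names map to the behaviours described in the report.
INDICATORS = {
    "sharpview_loader": re.compile(r"\bInvoke-SharpView\b", re.IGNORECASE),
    "ad_enumeration": re.compile(r"\bGet-(?:Domain\w+|NetSession)\b", re.IGNORECASE),
    "staging_archive": re.compile(r"\bInvoke-ZIP\b", re.IGNORECASE),
    "programdata_staging": re.compile(r"C:\\ProgramData\\", re.IGNORECASE),
}
# A transcript command line: the prompt "PS <path>> " followed by the command.
PROMPT = re.compile(r"^PS [^>]*> (.*)$")


def scan_transcript(text: str) -> list[dict]:
    """Return one finding per command line that matches at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PROMPT.match(line)
        if not match:
            continue  # header, output or blank line
        command = match.group(1)
        tags = [name for name, rx in INDICATORS.items() if rx.search(command)]
        if tags:
            findings.append({"line": lineno, "command": command, "tags": tags})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count how often each indicator fired, for a quick per-host triage view."""
    counts = {}
    for finding in findings:
        for tag in finding["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_transcript(SAMPLE_TRANSCRIPT)
    for hit in hits:
        print(f"line {hit['line']}: {', '.join(hit['tags'])}: {hit['command']}")
    print(summarize(hits))
```

Transcript logging must already be enabled for this to have anything to read; in this campaign it was, and the transcript is what revealed the enumeration and compression steps. Pair the scanner with a check that transcripts are written to a location the web-service account cannot delete.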
Recommendation
● Limit web-service accounts to the minimum privileges necessary to reduce potential attack surfaces.
● Implement ACLs and firewall rules to restrict management traffic between web servers and internal systems, particularly for SMB and HTTP/S.
● Utilize solutions like LAPS, gMSA, or PIM to enforce regular credential rotation and improve credential hygiene.
● Deploy EDR/XDR solutions to actively monitor memory for signs of malicious activity, including obfuscated in-memory web shells.
● Optimize WAF and logging configurations to detect obfuscated code patterns and behaviors associated with threats like China Chopper and in-memory web shells.
Conclusion
The Weaver Ant campaign demonstrated a highly sophisticated approach to network infiltration, leveraging minimalist web shells, HTTP tunneling, and layered encryption to maintain persistence and evade detection. By combining web shell tunneling with extensive reconnaissance techniques, the threat actor effectively navigated compromised environments, identifying critical assets while minimizing their footprint. The campaign's stealth, adaptability, and use of encrypted payloads highlight the evolving tactics of APTs in maintaining long-term access to targeted networks.
Written by FPT Metrodata Indonesia
