Chinese hackers used a web shell tunnelling method to spy on a major Asian telecommunications company for more than four years, cyber-researchers have revealed.
Cybersecurity company Sygnia revealed that a China-nexus threat actor group it named Weaver Ant had been quietly using sophisticated techniques, including the China Chopper web shell, to spy on the unnamed company with “exceptional persistence”.
In its report on the discovery, Sygnia said: “Throughout this period, Weaver Ant adapted their TTPs to the evolving network environment, employing innovative methods to regain access and sustain their foothold.”
The intrusion was discovered during remediation work for a different cyber attack. Weaver Ant used web shells (scripts placed on a web server to provide remote access), including China Chopper and a previously unidentified ‘INMemory’ web shell, to gain access to the systems.
The group then used “web shell tunnelling”, in which a web shell acts as a proxy and relays HTTP traffic to another web shell on a different host, to reach internal servers, and encrypted that relayed traffic to conceal the payloads it carried.
Sygnia said the group would load malicious modules directly into the memory of every host it compromised and compared the obfuscation methods used by Weaver Ant to a Russian nesting doll due to their multiple layers.
It said: “In this scenario, the malicious payloads were encapsulated in multiple layers of encryption and obfuscation, with each layer being ‘peeled back’ by the next-in-line web shell to reveal the subsequent payload for execution.”
Those payloads included modules that evaded detection by tampering with event logs and bypassing Microsoft’s Antimalware Scan Interface (AMSI), and a module for executing PowerShell commands without triggering monitoring tools.
After executing these modules, Weaver Ant was able to expand its access to servers not connected to the internet and retrieve web server access logs to harvest credentials and “identify high-privilege accounts and critical servers and add them to their target bank.”
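The two behaviours above, a web shell used as an HTTP proxy and the web server access logs that record every request to it, suggest what a defender can look for in those same logs. The following is an added example, not code from Sygnia or from the report; the log lines are constructed, the web tier address `10.0.1.5` and the server names are assumptions, and the two heuristics (a server-side script that is only ever POSTed to by a handful of clients, and an internal server whose HTTP client is a public-facing web host) are general detection ideas rather than indicators published for Weaver Ant.

```python
"""Defensive access-log review for web shell and web shell tunnelling activity.

Added example with constructed Apache/nginx combined-format log lines.
1. post_only_scripts(): script paths that receive POSTs but are never fetched
   with GET, from very few clients. Real forms are loaded before they are
   submitted; a web shell is only ever POSTed to.
2. tunnelled_requests(): requests on an internal server whose *client* is a
   public-facing web host. A web shell used as a proxy turns the compromised
   web server into an HTTP client of systems it should never talk to.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample logs, keyed by the (assumed) server that wrote them.
SAMPLE_LOGS = {
    "dmz-web-01": """\
203.0.113.10 - - [01/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [01/Mar/2025:10:00:02 +0000] "GET /account/login.aspx HTTP/1.1" 200 2210
203.0.113.10 - - [01/Mar/2025:10:00:09 +0000] "POST /account/login.aspx HTTP/1.1" 302 0
203.0.113.44 - - [01/Mar/2025:10:01:00 +0000] "GET /account/login.aspx HTTP/1.1" 200 2210
203.0.113.44 - - [01/Mar/2025:10:01:05 +0000] "POST /account/login.aspx HTTP/1.1" 302 0
198.51.100.23 - - [01/Mar/2025:10:02:00 +0000] "POST /images/thumb.aspx HTTP/1.1" 200 87
198.51.100.23 - - [01/Mar/2025:10:02:03 +0000] "POST /images/thumb.aspx HTTP/1.1" 200 1402
198.51.100.23 - - [01/Mar/2025:10:02:07 +0000] "POST /images/thumb.aspx HTTP/1.1" 200 311
198.51.100.23 - - [01/Mar/2025:10:02:12 +0000] "POST /images/thumb.aspx HTTP/1.1" 200 90
198.51.100.23 - - [01/Mar/2025:10:02:20 +0000] "POST /images/thumb.aspx HTTP/1.1" 200 6633
""",
    "app-internal-02": """\
10.20.0.15 - - [01/Mar/2025:10:05:00 +0000] "GET /admin/status HTTP/1.1" 200 812
10.0.1.5 - - [01/Mar/2025:10:02:04 +0000] "POST /admin/cache.aspx HTTP/1.1" 200 1390
10.0.1.5 - - [01/Mar/2025:10:02:21 +0000] "POST /admin/cache.aspx HTTP/1.1" 200 6601
""",
}

# Addresses of the public-facing web tier (assumption for this example).
WEB_TIER = {"10.0.1.5"}

SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp", ".ashx")


def parse(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def post_only_scripts(records, min_posts=5, max_clients=2):
    """Script paths POSTed to min_posts+ times by few clients and never GET-fetched."""
    methods = defaultdict(set)
    posts = defaultdict(int)
    clients = defaultdict(set)
    for r in records:
        path = r["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        methods[path].add(r["method"])
        if r["method"] == "POST":
            posts[path] += 1
            clients[path].add(r["src"])
    return sorted(
        p for p in posts
        if methods[p] == {"POST"} and posts[p] >= min_posts and len(clients[p]) <= max_clients
    )


def tunnelled_requests(records, web_tier):
    """Requests whose client address is a web-tier host: possible proxying through a web shell."""
    return [(r["src"], r["method"], r["path"]) for r in records if r["src"] in web_tier]


def review(logs=SAMPLE_LOGS, web_tier=WEB_TIER):
    """Run both checks over every server's log and return findings keyed by server."""
    findings = {}
    for server, text in logs.items():
        records = list(parse(text))
        hits = {
            "post_only_scripts": post_only_scripts(records),
            "web_tier_as_client": tunnelled_requests(records, web_tier),
        }
        if any(hits.values()):
            findings[server] = hits
    return findings


if __name__ == "__main__":
    for server, hits in review().items():
        print(server, hits)
```

On the constructed sample the first check flags `/images/thumb.aspx` on the DMZ host (five POSTs from one address and no GET), while the legitimate login form, which is both fetched and submitted, passes; the second check flags the two requests on the internal application server whose client is the web-tier address. Both checks are deliberately coarse: thresholds need tuning per environment, and the web-tier check depends on an accurate inventory of which hosts are allowed to be HTTP clients of which servers.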
While Sygnia revealed it had removed Weaver Ant’s access to the affected network, it said the group had been attempting to regain access and advised companies to improve credential hygiene, control management traffic, and strengthen web security to avoid similar breaches.
The attack offers a further warning to telco companies to clean up their cyber hygiene after the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) revealed Chinese hackers had gained access to systems at numerous US providers.