The attack involved the deployment of an encrypted China Chopper web shell variant on the organisation's internal server.
The China-nexus advanced persistent threat Weaver Ant has compromised a major Asian telco’s network with web shells and various payloads for more than four years.
According to Sygnia, Weaver Ant's intrusion involved the deployment of an encrypted China Chopper web shell variant on the organisation's internal server, followed by the distribution of further web shells. These included a newly identified web shell Sygnia calls INMemory, which executes malicious modules in memory rather than writing them to disk, leaving fewer artefacts for forensic investigators to find.
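A defender reading the above will want a way to look for the on-disk half of this tradecraft. The script below is an added example written for this article, not Sygnia's tooling or a description of the specific Weaver Ant sample: it walks a web root for the publicly documented China Chopper one-liners (ASPX, PHP and JSP) and applies a heuristic, which is an assumption on my part, for encoded or encrypted variants (a small script that decodes request input and hands it to an eval or assembly loader). The sample web shells and the benign page it scans are constructed inline for the demo.

```python
"""Hunt for China Chopper-style one-line web shells in a web root.

Added example for this article, not Sygnia's tooling.  The signatures are the
publicly documented China Chopper one-liners; the "obfuscated_loader" heuristic
(small script, request input run through a decode/decrypt step, then executed)
is an assumption, not a description of the specific Weaver Ant variant.
"""
import os
import re
import tempfile
from typing import Dict, List

# Classic China Chopper server-side stubs (public knowledge).
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "china_chopper_aspx": re.compile(r'eval\s*\(\s*Request\.Item\s*\[', re.I),
    "china_chopper_php": re.compile(r'@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[', re.I),
    "china_chopper_jsp": re.compile(
        r'Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter', re.I),
}

# Heuristic (assumption): request input feeding a decode/decrypt primitive.
OBFUSCATED = re.compile(
    r'(Request\.(Item|Form|QueryString|Headers)|\$_(POST|REQUEST|GET|COOKIE)|request\.getParameter)'
    r'[^\n]{0,200}?'
    r'(FromBase64String|base64_decode|RijndaelManaged|Aes\.|CreateDecryptor|'
    r'openssl_decrypt|gzinflate|str_rot13)',
    re.I,
)
# ...and something that turns bytes or text into running code.
EXEC_CALL = re.compile(
    r'\b(eval|assert|Assembly\.Load|CreateInstance|ScriptEngine|Execute)\b', re.I)

WEB_EXT = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".jspx"}


def scan_file(path: str) -> List[str]:
    """Return the list of detection names that fire on one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return []
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    # Encrypted variants do not carry the plaintext one-liner: flag small
    # scripts that decode request input and hand it to a code loader.
    if len(text) < 4096 and OBFUSCATED.search(text) and EXEC_CALL.search(text):
        hits.append("obfuscated_loader")
    return hits


def scan_webroot(root: str) -> Dict[str, List[str]]:
    """Map relative path -> detections for every server-side script under root."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in WEB_EXT:
                continue
            path = os.path.join(dirpath, fn)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed web root in a temp dir and scan it."""
    samples = {
        # Constructed: textbook China Chopper ASPX and PHP stubs.
        "shell.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        "cmd.php": "<?php @eval($_POST['cmd']); ?>",
        # Constructed: hypothetical encoded loader with no plaintext eval(Request...).
        "loader.aspx": (
            '<%@ Page Language="C#" %><% var k = Request.Item["k"]; '
            'var d = Convert.FromBase64String(k); '
            'System.Reflection.Assembly.Load(d).CreateInstance("Run"); %>'
        ),
        # Constructed: benign page that must not fire.
        "default.aspx": '<%@ Page Language="C#" %><html><body>Welcome</body></html>',
        "notes.txt": "eval(Request.Item[  -- not a script extension, skipped",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a copy of the IIS or Apache document root taken during triage, and treat a hit as a starting point rather than a verdict: anything an attacker can trivially re-encode will slip past static patterns, and a shell of the INMemory type described above leaves little to scan for on disk at all. Pair this with a review of web server request logs for the scripts it flags, and with memory and process inspection of the worker processes that served them.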
Weaver Ant also ran PowerShell commands on compromised hosts and routed its traffic through compromised Zyxel routers to obscure the origin of its activity.
"The primary objective was to enumerate the compromised Active Directory environment to identify high-privilege accounts and critical servers and add them to their target bank," said Sygnia researchers, who attributed the APT to China based on its use of Zyxel routers, its deployment of backdoors previously linked to Chinese threat actors, and operating hours consistent with China's time zone.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.