
Chinese ‘Web Shell Whisperer’ Uses Shells and Tunnels to Maintain Long-Term Access


A recent cybersecurity investigation by Sygnia has uncovered a sophisticated operation by a China-nexus threat actor, dubbed the “Weaver Ant,” which has been using web shells and tunneling techniques to maintain long-term access to a major telecommunications provider in Asia.

This operation highlights the evolving tactics of state-sponsored groups in achieving persistent cyber espionage.

Persistent Threat through Web Shells

Weaver Ant primarily utilizes two types of web shells: an encrypted version of the China Chopper web shell and a novel ‘INMemory’ web shell.

The encrypted China Chopper variant is a lightweight web shell whose request payloads are AES-encrypted, so the commands it carries do not match the plaintext signatures that Web Application Firewall (WAF) detection relies on.

Deployed on externally facing servers, it serves as an entry point for the threat actor to infiltrate the network.

Figure: Web shell deployment chain.

The INMemory web shell, on the other hand, executes its payload entirely in memory, so file-based detection on the web server has nothing to inspect.

It decodes a hardcoded GZipped Base64 string into a Portable Executable (PE) named ‘eval.dll’ and loads and executes it without ever writing the DLL to disk; only the ASPX page containing the encoded blob exists as a file.
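A hunt for that pattern can start from the one artifact that does touch disk: the web page carrying the GZipped Base64 blob. The following scanner is an added example (not Sygnia's tooling and not the actor's code) that walks web content for long Base64 runs, decodes them, gunzips them when they carry the gzip magic, and reports any run whose decoded content begins with the 'MZ' DOS header. The sample ASPX pages, the fake DLL image and the 256-character minimum run length are constructed assumptions for this example.

```python
"""Scan web content for a hardcoded GZipped Base64 blob that decodes to a PE image."""
from __future__ import annotations

import base64
import gzip
import random
import re
import zlib

# Base64 runs of at least 256 characters; shorter runs cannot plausibly hold a
# compressed executable. The threshold is an assumption for this example.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"


def decode_candidate(run: bytes) -> tuple[bytes, bool] | None:
    """Base64-decode one run; gunzip it if it carries the gzip magic.

    Returns (decoded_bytes, was_gzipped), or None if the run is not valid
    Base64 / gzip data.
    """
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(GZIP_MAGIC):
        return raw, False
    try:
        return gzip.decompress(raw), True
    except (OSError, EOFError, zlib.error):
        return None


def find_embedded_pe(content: bytes) -> list[dict]:
    """Return one record per Base64 run whose (decompressed) content starts with 'MZ'."""
    hits = []
    for m in B64_RUN.finditer(content):
        result = decode_candidate(m.group(0))
        if result is None:
            continue
        decoded, gzipped = result
        if decoded.startswith(PE_MAGIC):
            hits.append({
                "offset": m.start(),
                "encoded_len": len(m.group(0)),
                "decoded_len": len(decoded),
                "gzipped": gzipped,
            })
    return hits


def build_fake_pe(size: int = 2048) -> bytes:
    """Constructed stand-in for a DLL: a DOS header whose e_lfanew points at a
    'PE' signature, followed by incompressible filler. Not a real executable."""
    header = bytearray(64)
    header[0:2] = PE_MAGIC
    header[60:64] = (64).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    filler = random.Random(1337).randbytes(size - 68)  # deterministic, non-repeating
    return bytes(header) + b"PE\x00\x00" + filler


FAKE_PE = build_fake_pe()
BLOB = base64.b64encode(gzip.compress(FAKE_PE, mtime=0))

# Constructed ASPX page in the shape the article describes (not the actor's code):
# the gzip+Base64 string is hardcoded and would be decoded at request time.
SAMPLE_ASPX = (
    b'<%@ Page Language="C#" %>\n<script runat="server">\n'
    b'    string payload = "' + BLOB + b'";  // constructed sample blob\n'
    b"</script>\n"
)
# Benign page holding a long hex digest, which also matches the Base64 charset.
CLEAN_ASPX = (
    b'<%@ Page Language="C#" %>\n<script runat="server">\n'
    b'    string digest = "' + b"ab" * 150 + b'";\n</script>\n'
)


if __name__ == "__main__":
    for name, page in (("sample.aspx", SAMPLE_ASPX), ("clean.aspx", CLEAN_ASPX)):
        print(name, find_embedded_pe(page))
```

Run it over every file under the web root (and over IIS/ASP.NET temporary compilation directories, where a shell's compiled form can linger). The decoded-length check matters: a run that decodes to a few hundred bytes starting with 'MZ' is worth a look, but a multi-kilobyte gzipped image is the shape the article describes.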

The use of these web shells allows Weaver Ant to maintain persistence and facilitate lateral movement within the compromised network.

The threat actor leverages web shell tunneling, in which a web shell on one host acts as a proxy, forwarding each HTTP request to a second web shell on another host, which may forward it again.

Every hop extends the actor's reach one network segment deeper, so internal servers with no internet exposure become reachable, while the only externally visible traffic is ordinary HTTP to the edge server. Because each internal server sees the request arriving from a neighbouring server rather than from the internet, the activity blends in with legitimate server-to-server traffic.
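That same property, each hop appearing as a request from the previous server, is what lets a defender reconstruct the chain from access logs collected across the estate. The following is an added example (not Sygnia's tooling) that correlates POST requests across servers: a POST on server B whose source address is server A, arriving within a short window after a POST on server A, is treated as A proxying to B. The host list, the normalised log lines and the five-second window are constructed assumptions for this example.

```python
"""Reconstruct web shell tunnel chains from access logs of several servers.

Heuristic: a POST on server B whose source address is server A, arriving within
a short window after a POST on server A, is treated as A forwarding (proxying)
the request to B. Chains start at a request from an address that is not one of
the monitored servers.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Request:
    host: str       # logging server
    ts: datetime
    src: str        # client address as seen by that server
    method: str
    path: str
    status: int
    size: int       # request body bytes


# Monitored servers and their addresses (constructed; assumed known from inventory).
HOSTS = {"web-ext": "10.0.1.10", "app-int": "10.0.2.20", "db-mgmt": "10.0.3.30"}

# Constructed access-log lines, normalised to:
#   host timestamp src method path status request_bytes
SAMPLE_LOG = """\
web-ext 2025-03-20T10:00:01 203.0.113.5 POST /portal/login.aspx 200 1312
app-int 2025-03-20T10:00:01 10.0.1.10 POST /api/health.aspx 200 1298
db-mgmt 2025-03-20T10:00:02 10.0.2.20 POST /admin/status.aspx 200 1284
web-ext 2025-03-20T10:00:03 198.51.100.7 GET /portal/ 200 0
app-int 2025-03-20T10:05:00 10.0.1.10 GET /api/health.aspx 200 0
"""


def parse_log(text: str) -> list[Request]:
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, src, method, path, status, size = line.split()
        reqs.append(Request(host, datetime.fromisoformat(ts), src, method,
                            path, int(status), int(size)))
    return sorted(reqs, key=lambda r: r.ts)


def next_hop(cur: Request, posts: list[Request], window: timedelta) -> Request | None:
    """First POST on another server, sourced from cur's server, within the window."""
    cur_ip = HOSTS.get(cur.host)
    if cur_ip is None:
        return None
    for r in posts:
        if r is cur or r.src != cur_ip or r.host == cur.host:
            continue
        if timedelta(0) <= r.ts - cur.ts <= window:
            return r
    return None


def reconstruct_tunnels(log_text: str, window_seconds: int = 5) -> list[list[Request]]:
    """Return every chain of two or more hops that starts from a non-monitored address."""
    window = timedelta(seconds=window_seconds)
    posts = [r for r in parse_log(log_text) if r.method == "POST"]
    internal_ips = set(HOSTS.values())
    chains = []
    for root in posts:
        if root.src in internal_ips:
            continue  # not an entry point; it will show up as a later hop
        chain, cur = [root], root
        while (nxt := next_hop(cur, posts, window)) is not None:
            chain.append(nxt)
            cur = nxt
        if len(chain) > 1:
            chains.append(chain)
    return chains


def describe(chain: list[Request]) -> str:
    hops = " -> ".join(f"{r.host}{r.path}" for r in chain)
    return f"{chain[0].src} -> {hops}"


if __name__ == "__main__":
    for chain in reconstruct_tunnels(SAMPLE_LOG):
        print(describe(chain))
```

The time-window correlation is a heuristic: legitimate server-to-server POSTs landing inside the window will produce false chains, so confirm a candidate chain against the decrypted payloads or the request-body sizes (in the constructed log each hop's body is slightly smaller than the previous one, which is one signal a proxying shell could leave, but that is an assumption, not a finding from the report). The clock skew between servers also needs to be smaller than the window for the correlation to hold.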

Stealth Monitoring and Evasion Techniques

To investigate this advanced persistent threat, Sygnia employed stealth monitoring techniques, including port mirroring and automated decryption of tunneled web shell traffic.

Figure: Web shell tunneling flow.

This approach helped uncover a large-scale operation involving dozens of web shells across tens of servers.

According to the report, the threat actor’s use of keyword-based evasion and payload truncation further complicated forensic analysis: many WAFs redact or mask specific keywords in their logs, and payloads larger than the WAF’s logging limit are cut off, so the full command was often never recorded.

The discovery of Weaver Ant’s tactics underscores the need for robust defense strategies against state-sponsored threats.

Organizations must combine continuous monitoring of web server and WAF traffic, proactive response procedures, and strict controls on server-to-server traffic so that a web shell on an edge server cannot quietly proxy requests deeper into the network.

By understanding these sophisticated techniques, cybersecurity professionals can better prepare to face the evolving landscape of cyber espionage.
