Full Report
APT groups from China were ranked among the top global cyber threats alongside North Korea, russia, and Iran, showcasing heightened offensive capabilities and posing significant challenges to the cybersecurity landscape. Following the recent revelation of the Operation AkaiRyū by MirrorFace (aka Earth Kasha), China-nexus attackers are striking again. This time, security researchers report about the […] The post Weaver Ant Attack Detection: China-Linked Group Targets a Telecom Provider in Asia Using Multiple Web Shells, Including China Chopper appeared first on SOC Prime.
Analysis Summary
# Threat Actor: Weaver Ant
## Attribution & Identity
The threat actor is a China-linked group, often categorized as an Advanced Persistent Threat (APT). No specific historical aliases are detailed in this snippet, but the group is collectively referred to as "Weaver Ant."
## Activity Summary
The most recently described activity involves a cyber-espionage campaign targeting a **Telecom Provider in Asia**. The focus of the activity was harvesting configuration files, logs, and credentials over **four years** to map the environment and target key systems, indicating a long-term persistence objective.
## Tactics, Techniques & Procedures
- Use of multiple **Web Shells** for initial access and persistence.
- Deployment of the popular web shell **China Chopper**.
- Deployment of a custom web shell named **"INMemory,"** which operates by decoding a hardcoded GZipped Base64 string into a Portable Executable (PE) called `eval.dll` and executing it entirely **in memory** to evade detection.
- **Lateral Movement** utilizing **SMB shares**.
- Authentication via **NTLM hashes** using long-standing high-privileged accounts.
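To show the INMemory loader pattern above from the defender's side, here is an added example (not code from the original post or from SOC Prime) that scans web content for long Base64 literals which gunzip to a PE image, the shape described for `eval.dll`. The ASPX samples, the PE stub and the file names are constructed placeholders, not real artefacts.

```python
import base64
import gzip
import hashlib
import re
import struct
import zlib
from typing import List, Tuple

# Base64 literals long enough to hold a compressed PE; short tokens are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(source: bytes) -> List[Tuple[int, int]]:
    """Return (offset, decoded_length) for each Base64 run that gunzips to a PE."""
    hits = []
    for m in B64_RUN.finditer(source):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            payload = gzip.decompress(raw)
        except (ValueError, OSError, EOFError, zlib.error):
            continue  # not valid Base64 or not gzip: treat as a benign literal
        if looks_like_pe(payload):
            hits.append((m.start(), len(payload)))
    return hits

# --- Constructed stub, not real malware: valid DOS/PE header shape plus filler ---
def build_fake_pe() -> bytes:
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    # Deterministic, incompressible filler standing in for code sections.
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return bytes(header) + b"PE\x00\x00" + filler

SAMPLE_ASPX = (
    b'<%@ Page Language="C#" %>\n<script runat="server">\n'
    b'string blob = "' + base64.b64encode(gzip.compress(build_fake_pe())) + b'";\n'
    b"</script>\n"
)
BENIGN_ASPX = b'<%@ Page Language="C#" %>\n<p>' + b"A" * 300 + b"</p>\n"

if __name__ == "__main__":
    for name, src in (("sample.aspx", SAMPLE_ASPX), ("benign.aspx", BENIGN_ASPX)):
        print(name, find_embedded_pe(src))
```

Run it over the files under an IIS web root alongside the IIS and PowerShell logging recommended below; a hit is a lead for triage, not proof of compromise, since legitimate deployments occasionally embed compressed binaries too.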
## Targeting
- Sectors: **Telecom Provider** (focused on network intelligence).
- Geography: **Asia** (specific targeting of one provider).
- Victims: A **Telecom Provider** in Asia (no specific organization names provided).
## Tools & Infrastructure
- Malware families used: **China Chopper** (web shell), custom **"INMemory"** web shell.
- Infrastructure: The actor leveraged **SMB shares** for lateral movement. (No specific C2 domains or IPs were detailed in the provided text).
## Implications
Weaver Ant exhibits patient, state-sponsored espionage objectives, focusing on achieving **continuous access to network intelligence and telecom infrastructure** rather than typical data theft. Their use of in-memory execution (`eval.dll`) and long-term persistence (four years of activity) indicates a **high level of sophistication** requiring robust, in-depth detection capabilities.
## Mitigations
- Implement **internal network traffic controls**.
- Enable **full IIS and PowerShell logging** for better visibility.
- Enforce **least privilege principles**.
- **Rotate user credentials frequently**.
- Monitor for suspicious activity related to **SMB file sharing** and **NTLM hash usage** for lateral movement.