
Chinese ‘Web Shell Whisperer’ Leverages Shells and Tunnels to Establish Stealthy Persistence

A recent cyber espionage operation by a China-nexus threat actor, dubbed “Weaver Ant,” has been uncovered by Sygnia, a cybersecurity firm.

This sophisticated threat actor targeted a major telecommunications company in Asia, utilizing web shells and tunneling techniques to maintain persistent access and facilitate espionage.

The operation highlights the evolving tactics of state-sponsored groups in evading detection and achieving long-term network presence.

Stealthy Persistence Mechanisms

Weaver Ant primarily employed two types of web shells: an encrypted version of the China Chopper web shell and a novel ‘INMemory’ web shell.

The encrypted China Chopper variant uses AES encryption to bypass Web Application Firewall (WAF) detection and is typically deployed on externally facing servers, which then serve as entry points for network infiltration.

Web shell deployment chain.

According to Sygnia's report, this web shell supports file management, command execution, and data exfiltration, making it a versatile tool for malicious activity.

The INMemory web shell, on the other hand, executes payloads entirely in memory, evading detection by traditional security measures.

It decodes a hardcoded GZipped Base64 string into a Portable Executable (PE) named ‘eval.dll’ and executes it dynamically using the JScript library.

The threat actor also employed a recursive HTTP tunnel tool to facilitate lateral movement and access internal resources.

This tool operates by forwarding requests to other web servers, supporting both ASPX and PHP versions for cross-platform compatibility.

It dynamically constructs and executes cURL commands based on decoded parameters, allowing seamless navigation across different web environments.

This adaptive tunneling mechanism enabled Weaver Ant to maintain operational flexibility and evade detection.

Web Shell Tunneling flow.

Defense Strategies

To counter such sophisticated threats, organizations must adopt a holistic defense approach.

This includes continuous monitoring, proactive response mechanisms, and systematic threat hunts.

Implementing stringent traffic controls and system hardening practices for both legacy and public-facing devices is crucial.

Additionally, stealth monitoring techniques, such as port mirroring and automated decryption of tunneled traffic, can help uncover hidden operations without alerting the threat actors.

By embracing these strategies, organizations can enhance their ability to detect and counteract persistent threats posed by state-sponsored groups like Weaver Ant.
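One way to turn the behaviours described above into a systematic threat hunt over web-exposed script directories, as an added example (not Sygnia's tooling or published detections): the indicator sets are assumptions drawn from the article's description of the INMemory loader, the encrypted China Chopper variant and the HTTP tunnel, and the sample ASPX page is constructed.

```python
import base64
import gzip
import re

# Heuristic indicator sets derived from the behaviours described above; these are
# assumptions for illustration, not Sygnia's published detections or IoCs.
INDICATORS = {
    # INMemory: Base64 -> GZip -> PE loaded in memory and run through JScript
    "inmemory_loader": [r"FromBase64String", r"GZipStream", r"JScript", r"eval\.dll"],
    # Encrypted China Chopper: AES-decrypt a request parameter, then eval it
    "encrypted_chopper": [r"\bAes\w*|RijndaelManaged", r"Request\.(Form|Headers)", r"eval\("],
    # Recursive HTTP tunnel: build and run curl from request-supplied parameters
    "http_tunnel": [r"\bcurl\b", r"Process\.Start|shell_exec|exec\(", r"Request\.(Form|QueryString|Headers)"],
}
# A long Base64 literal embedded in a server-side script is itself worth a look.
LONG_B64 = re.compile(r'["\']([A-Za-z0-9+/]{120,}={0,2})["\']')


def is_gzip_base64(literal: str) -> bool:
    """True if the literal decodes to data starting with the GZip magic bytes."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (ValueError, TypeError):
        return False
    return raw[:2] == b"\x1f\x8b"


def scan_source(text: str) -> list:
    """Return (finding, evidence) pairs for one ASPX/PHP source file."""
    findings = []
    for name, patterns in INDICATORS.items():
        hits = [p for p in patterns if re.search(p, text)]
        if len(hits) >= 2:  # require two co-occurring indicators to cut noise
            findings.append((name, hits))
    for m in LONG_B64.finditer(text):
        if is_gzip_base64(m.group(1)):
            findings.append(("embedded_gzip_blob", [m.group(1)[:16] + "..."]))
    return findings


# Constructed sample: a loader-style page carrying a GZipped blob (dummy bytes, not a PE).
SAMPLE_BLOB = base64.b64encode(gzip.compress(bytes(range(256)) * 2)).decode()
SAMPLE_ASPX = (
    '<%@ Page Language="C#" %><script runat="server">\n'
    'void Page_Load(object s, EventArgs e) {\n'
    '  byte[] gz = Convert.FromBase64String("' + SAMPLE_BLOB + '");\n'
    '  // ... GZipStream decompress, then hand the result to JScript eval ...\n'
    '}</script>'
)
BENIGN_ASPX = '<%@ Page Language="C#" %><script runat="server">void Page_Load(object s, EventArgs e) { Response.Write("ok"); }</script>'
```

Run `scan_source` over each file under the web root and triage the hits; the two-indicator rule keeps ordinary pages that merely call `Convert.FromBase64String` out of the results.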


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
