

Ethical Hacking News

Chinese Weaver Ant Hackers Spent Four Years Spying on Telco Network



A Chinese-linked advanced threat group known as Weaver Ant managed to infiltrate the network of a major Asian telecommunications provider over the course of four years. The hackers leveraged an operational relay box (ORB) network made primarily of Zyxel CPE routers, used AES-encrypted variants of web shells, and employed sophisticated techniques like web shell tunneling to evade detection. This highlights the ongoing threat posed by state-sponsored actors seeking to exploit vulnerabilities in telecom infrastructure for espionage purposes.

  • Chinese hackers known as Weaver Ant infiltrated a major Asian telecommunications provider's network over four years.
  • Weaver Ant used an operational relay box (ORB) network and an AES-encrypted web shell to bypass firewall restrictions.
  • The hackers introduced a custom-built web shell, INMemory, which leveraged a DLL (eval.dll) for stealthy 'just-in-time code execution' and evaded detection by traditional security software.
  • Weaver Ant employed web shell tunneling to create a covert command-and-control network within the victim's infrastructure.
  • The hackers used tactics like disabling logging mechanisms and AMSI bypasses to remain undetected.
  • Weaver Ant targeted valuable systems, used high-privileged accounts with the same password for years, and harvested credential information.
  • The hackers' goal was focused on network intelligence, credential harvesting, and continuous access to telecom infrastructure, consistent with state-sponsored espionage goals.



The world of cybersecurity is constantly evolving, and recent events have once again highlighted the importance of vigilance when it comes to protecting sensitive information. A particularly concerning example of this can be seen in the case of Chinese hackers known as Weaver Ant, who managed to infiltrate the network of a major Asian telecommunications provider over the course of four long years.

According to researchers at Sygnia, the company behind the investigation, Weaver Ant leveraged an operational relay box (ORB) network made primarily of Zyxel CPE routers to proxy traffic and conceal its infrastructure. This network allowed the hackers to establish a foothold on the victim's network by using an AES-encrypted variant of the China Chopper web shell, which enabled remote control of servers while bypassing firewall restrictions.

As the operation matured, Weaver Ant introduced a more advanced, custom-built web shell known as INMemory, which leveraged a DLL (eval.dll) for stealthy 'just-in-time code execution.' This web shell was notable not only for its sophistication but also for its ability to evade detection by traditional security software. The hackers also used the technique of "web shell tunneling," where multiple web shells were linked together to create a covert command-and-control network within the victim's infrastructure.

The use of this technique allowed Weaver Ant to operate on servers within different network segments, the majority of which were internal servers with no internet connection that could only be reached through servers exposed to the web. This approach enabled the hackers to maintain a low profile and avoid detection for an extended period.

Researchers at Sygnia also noted that Weaver Ant employed various tactics to remain undetected, including disabling logging mechanisms such as ETW (Event Tracing for Windows) by patching it, and AMSI bypasses that overwrote the 'AmsiScanBuffer' function in the 'amsi.dll' module. This allowed the hackers to keep a smaller footprint and remain hidden from security software.

The data exfiltration methods used by Weaver Ant were also noteworthy, with the hackers using passive network traffic capturing via port mirroring to minimize the risk of detection. Additionally, the researchers observed that Weaver Ant targeted valuable systems within the victim's network and utilized high-privileged accounts that had kept the same password for years, often authenticating via NTLM hashes.

The investigation revealed that Weaver Ant was focused on network intelligence, credential harvesting, and continuous access to telecom infrastructure rather than on stealing user data or financial records. This behavior is consistent with state-sponsored espionage goals.

In light of these findings, researchers at Sygnia have emphasized the importance of applying internal network traffic controls, enabling full IIS and PowerShell logging, applying least privilege principles, and rotating user credentials frequently to defend against this advanced threat.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Chinese-Weaver-Ant-Hackers-Spent-Four-Years-Spying-on-Telco-Network-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/chinese-weaver-ant-hackers-spied-on-telco-network-for-4-years/


  • Published: Mon Mar 24 15:22:22 2025 by llama3.2 3B Q4_K_M
