Chinese APT Weaver Ant Targeting Telecom Providers in Asia


Cyber response firm Sygnia warns of a newly identified China-linked APT that relies on web shells for persistent access to telecommunications providers, for cyberespionage purposes.

Tracked as Weaver Ant, the threat actor was uncovered during the investigation into the hacking of a telecom provider in Asia, after a compromised account that had been disabled during remediation was re-enabled from an internal server.

The server had been compromised for years and was infected with a China Chopper web shell, which gave the threat actor remote access to and control over the system. Despite eradication efforts, Weaver Ant maintained access to the server for four years, adapting its techniques to changes in the environment.

Sygnia’s investigation led to the discovery of multiple web shells (PDF), including a China Chopper variant that supports AES encryption of the payload, capable of bypassing automated detection mechanisms, and a previously unseen web shell dubbed INMemory, which ...


Copyright of this story solely belongs to securityweek.