A major telecommunications company in Asia has been targeted by a persistent threat actor tracked as Weaver Ant, which Sygnia links to China. The group relied on stealthy techniques, chiefly web shells, to maintain access and conduct cyber espionage. The case highlights the need for organizations to build robust defenses against state-sponsored threats. Affected: telecommunications sector.
Key points:
- Sygnia identified a China-related threat actor called Weaver Ant targeting a telecommunications company.
- The group aims to gain continuous access and perform cyber espionage by collecting sensitive information.
- Web shells and web shell tunneling are the threat actor's primary tools for persistence and lateral movement.
- The investigation revealed two distinct web shells: an encrypted variant of China Chopper and an INMemory web shell.
- Defensive measures such as continuous monitoring and traffic controls are crucial to mitigating such threats.
- Sygnia monitored the actor covertly during the investigation so that its activity could be examined without tipping it off.
- Weaver Ant exhibited remarkable persistence, remaining active within the compromised network for over four years.
- Recommendations include improving detection, minimizing privileges, and restricting management traffic through stringent policy controls.
MITRE Techniques:
- T1190 – Exploit Public-Facing Application: Exploited vulnerabilities in public-facing applications for initial access.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Used PowerShell to execute commands.
- T1078.002 – Valid Accounts: Domain Accounts: Used valid domain accounts for persistence.
- T1505.003 – Server Software Component: Web Shell: Deployed web shells to maintain access.
- T1021.002 – Remote Services: SMB/Windows Admin Shares: Moved laterally over Windows admin shares.
- T1552.001 – Unsecured Credentials: Credentials In Files: Accessed unsecured credentials stored in files.
Indicators of Compromise:
- [SHA1] 23c4049121a9649682b3b901eaac0cc52c308756 (ASPX Encrypted China Chopper Web shell)
- [SHA1] 9022f78087e1679035e09160d59d679dc3ac345d (ASPX Encrypted China Chopper Web shell)
- [SHA1] 5a5d48ea59476c948912e787a3bd5d3874245284 (ASPX Web shell)
- [SHA1] 089439168d3c75b4da94ab801f1c46ad6b9e1fdc (PHP Encrypted China Chopper Web shell)
- [SHA1] 151dc47b213aaec3751ffd1427737c65757ab410 (INMemory module Web shell)
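As an added example, not code from this page or from Sygnia's report, the following Python script hunts a web root for the SHA1 indicators listed above and, since a hash list only catches the exact samples already seen, also applies content heuristics of the kind used to find China Chopper-style and in-memory loader web shells. The regex patterns, the constructed sample files and the function names are assumptions of this example, not signatures taken from the investigation.

```python
"""Hunt a web root for the Weaver Ant web-shell SHA1 IOCs listed on this page, plus
generic web-shell content heuristics. Added example: the hashes are the page's; the
heuristics, sample files and names are constructed for illustration."""
import hashlib
import os
import re
import tempfile

# SHA1 indicators from the page (lower-case hex) -> description.
WEAVER_ANT_SHA1 = {
    "23c4049121a9649682b3b901eaac0cc52c308756": "ASPX encrypted China Chopper web shell",
    "9022f78087e1679035e09160d59d679dc3ac345d": "ASPX encrypted China Chopper web shell",
    "5a5d48ea59476c948912e787a3bd5d3874245284": "ASPX web shell",
    "089439168d3c75b4da94ab801f1c46ad6b9e1fdc": "PHP encrypted China Chopper web shell",
    "151dc47b213aaec3751ffd1427737c65757ab410": "INMemory module web shell",
}

# Illustrative heuristics (an assumption of this example, not signatures from the report):
# classic China Chopper ASPX one-liners eval attacker-supplied request data, in-memory
# loaders reflectively load an assembly, and PHP shells eval request parameters.
SHELL_PATTERNS = [
    ("aspx_eval_request", re.compile(r"eval\s*\(\s*Request", re.I)),
    ("reflective_assembly_load", re.compile(r"Assembly\.Load\s*\(", re.I)),
    ("php_eval_request", re.compile(r"eval\s*\(\s*\$_(?:POST|GET|REQUEST)", re.I)),
]
SCAN_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha1_of_file(path):
    """Stream the file through SHA1 so large uploads do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root, extra_sha1=None):
    """Return sorted (relative path, reason) findings for hash matches and heuristic hits.

    extra_sha1 lets the caller merge additional hash IOCs (e.g. from a local incident).
    Paths are reported with '/' separators regardless of platform.
    """
    known = dict(WEAVER_ANT_SHA1)
    if extra_sha1:
        known.update(extra_sha1)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha1_of_file(path)
            if digest in known:
                findings.append((rel, "ioc_sha1:" + known[digest]))
            # Content heuristics only apply to server-side script types.
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", errors="replace")
                for label, pattern in SHELL_PATTERNS:
                    if pattern.search(text):
                        findings.append((rel, "heuristic:" + label))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample web root: a benign page, a China Chopper-style ASPX, a PHP eval shell."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "default.aspx": '<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n',
        "images/up.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        "api/s.php": "<?php @eval($_POST['cmd']); ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    # Seed the hash list with the sample shell's own digest to show how a hash match is reported.
    seeded = {sha1_of_file(os.path.join(root, "images", "up.aspx")): "sample China Chopper ASPX"}
    for rel, reason in scan_webroot(root, extra_sha1=seeded):
        print(rel, reason)
```

Run it against a real IIS or PHP web root by replacing the constructed directory with the server's document root; the hash check is exact and low-noise, while the heuristic hits are leads to triage (uploads and image directories that contain server-side scripts, as in the sample, deserve particular attention).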