
Chinese hackers remained undetected in Asian telco’s network for 4 years


Cybersecurity researchers have discovered a Chinese state-sponsored threat actor who spent more than four years inside a major Asian telecom company’s networks. The attack started when the company’s publicly available application was breached to drop web shells on its networks.

The breach was discovered by cybersecurity incident response firm Sygnia, which chose not to disclose the telecom company’s name. The threat actor, however, has been dubbed Weaver Ant and described as “stealthy and highly persistent.” Weaver Ant maintained persistent access and enabled lateral movement inside the company’s network using web shells and tunneling.

Two different web shells were initially dropped — an encrypted variant of China Chopper and a novel malicious tool called INMemory. China Chopper is a 4 KB web shell and backdoor which, as the name suggests, has previously been used by many Chinese hacking groups. It offers features like file management, command execution, and data extraction, all while keeping its file size small and actively avoiding detection.

[Image: The web shell deployment chain used by Weaver Ant | Source: Sygnia]

INMemory, on the other hand, is a C# webshell contained within a portable DLL file, which delivers the final malicious payload via an HTTP request, claims Sygnia’s report. The tool decodes a hardcoded and GZipped Base64 string and functions entirely in system memory to evade detection.
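One defender-side check for the pattern Sygnia describes, written here as an added example (not Sygnia's analysis code and not the INMemory tool itself): scan web-shell source text for long Base64 literals that decode to a GZip stream and, once inflated, to a PE/DLL image. The C# sample text and the fake DLL body are constructed for this example.

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional

# INMemory-style indicator: a hardcoded Base64 literal whose decoded bytes are a
# GZip stream (magic 1f 8b), optionally wrapping a PE/DLL image (magic "MZ").
GZIP_MAGIC = b"\x1f\x8b"
PE_MAGIC = b"MZ"
# Quoted Base64 literal of at least 64 characters, as it would appear in C# source.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')

def decode_candidate(literal: str) -> Optional[dict]:
    """Return findings for one Base64 literal, or None if it is not a GZip blob."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:
        return None
    if not raw.startswith(GZIP_MAGIC):
        return None
    finding = {"gzip": True, "pe_inside": False, "inflated_size": 0}
    try:
        inflated = gzip.decompress(raw)
    except (OSError, EOFError, zlib.error):
        return finding  # GZip header but truncated/corrupt stream: still worth flagging
    finding["inflated_size"] = len(inflated)
    finding["pe_inside"] = inflated.startswith(PE_MAGIC)
    return finding

def scan_source(text: str) -> List[dict]:
    """Scan web-shell-like source text for embedded GZip+Base64 payload literals."""
    hits = []
    for m in B64_LITERAL.finditer(text):
        finding = decode_candidate(m.group(1))
        if finding:
            finding["offset"] = m.start()
            hits.append(finding)
    return hits

# --- constructed sample input (not real Weaver Ant code) --------------------
# A dummy "DLL": PE magic plus incompressible filler, gzipped and Base64-encoded.
FAKE_DLL = PE_MAGIC + bytes(range(256)) * 4
BENIGN_TEXT = b"An ordinary configuration string that merely happens to be Base64 encoded."
SAMPLE_CS = (
    'string cfg = "' + base64.b64encode(BENIGN_TEXT).decode() + '";\n'
    'string blob = "' + base64.b64encode(gzip.compress(FAKE_DLL, mtime=0)).decode() + '";\n'
    'var asm = Assembly.Load(Inflate(Convert.FromBase64String(blob)));\n'
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_CS):
        print(hit)
```

The benign literal is long enough to match the regex but is skipped because its bytes lack the GZip magic; only the gzipped PE blob is reported.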

Weaver Ant was active throughout the entire intrusion period, adapting its TTPs as the compromised firm’s network environment changed in order to regain lost access and maintain persistence. Even after Sygnia revoked the hackers’ access to the compromised servers, the threat group was detected attempting to get back into the victim’s network.

The threat actor exhibits characteristics typical of Chinese hacking groups, including a focus on an industry and geographic region that align with China’s cyber strategy, well-defined objectives, characteristic attack times, and the deployment of web shells and malicious DLLs. Chinese threat groups often share tools, infrastructure, and sometimes even manpower, making attribution difficult.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
