
A major Asian telecommunications company is said to have been breached by a Chinese state-sponsored threat actor that spent more than four years inside its systems, according to a new report from incident response company Sygnia.
The cybersecurity company tracks the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecom provider has not been disclosed.
“Using web shells and tunneling, the attackers maintained persistence and facilitated cyber espionage,” Sygnia said. “The group behind this intrusion […] aims to facilitate cyber espionage by gaining and maintaining continuous access to telecommunications providers and collecting sensitive information.”
The attack chain is said to have involved the exploitation of public-facing applications to drop two different web shells: an encrypted variant of China Chopper and a previously undocumented in-memory tool called INMemory. It is worth noting that China Chopper has been used by several Chinese hacking groups in the past.

As the name suggests, INMemory is designed to decode Base64-encoded strings and execute them entirely in memory, without writing anything to disk, so that no forensic trail is left behind.
“The INMemory web shell executed C# code contained in a portable executable (PE) named eval.dll.”
The web shells were found to act as stepping stones for delivering next-stage payloads, most notably a recursive HTTP tunneling tool used to facilitate lateral movement over SMB, which has previously been adopted by other threat actors such as Elephant Beetle.
The encrypted traffic passed through the web shell tunnel additionally serves as a conduit for a series of post-exploitation actions: patching Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI) to bypass detection; running PowerShell commands without launching PowerShell.exe by using System.Management.Automation.dll; and running reconnaissance commands to enumerate the compromised Active Directory environment and identify critical servers.
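One detection a defender can build from the System.Management.Automation.dll technique described above, as an added example that is not from Sygnia's report or this article: flag image-load telemetry (Sysmon Event ID 7 style, with Image and ImageLoaded fields) where the PowerShell engine assembly is loaded by a process other than the usual PowerShell hosts. The host allowlist, the event field names and the sample events are assumptions constructed for this example.

```python
# Added example (not from Sygnia's report or the article): flag image-load
# events in which the PowerShell engine (System.Management.Automation.dll or
# its native image System.Management.Automation.ni.dll) is loaded by a process
# other than the standard PowerShell hosts. Field names follow Sysmon Event ID 7
# (Image / ImageLoaded / ProcessId); all events below are constructed samples.
import json

ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}
# Hosts that legitimately load the engine: an assumed baseline, tune per estate.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_unhosted_engine_load(event: dict) -> bool:
    """True when an image-load event shows the PowerShell engine in an unexpected host."""
    if event.get("EventID") != 7:
        return False
    if basename(event.get("ImageLoaded", "")) not in ENGINE_DLLS:
        return False
    return basename(event.get("Image", "")) not in EXPECTED_HOSTS


def scan_events(lines):
    """Parse JSON-per-line events; return (host image, pid, dll) for each hit."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if is_unhosted_engine_load(event):
            hits.append((event["Image"], event["ProcessId"], event["ImageLoaded"]))
    return hits


# Constructed sample telemetry: a normal PowerShell session, an IIS worker
# process loading the engine (the unhosted-PowerShell pattern), an unrelated
# process-creation event and one malformed line.
ENGINE_PATH = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ProcessId": 4120, "ImageLoaded": ENGINE_PATH}),
    json.dumps({"EventID": 7, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "ProcessId": 5532, "ImageLoaded": ENGINE_PATH}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "ProcessId": 5532, "CommandLine": "w3wp.exe -ap DefaultAppPool"}),
    "not json",
]

if __name__ == "__main__":
    for image, pid, dll in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {image} (pid {pid}) loaded {dll}")
```

Only the w3wp.exe load is reported; a real deployment would feed the same check from the SIEM's Sysmon or EDR image-load stream.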
Sygnia said the targeting patterns and “clearly defined” objectives of the campaign exhibit characteristics typically associated with China-nexus cyber espionage groups.

This link is further supported by the presence of the China Chopper web shell, the use of an operational relay box (ORB) network made up of Zyxel routers to proxy traffic and obscure the attackers' infrastructure, the hackers' working hours, and the deployment of an Outlook-based backdoor attributed to Emissary Panda.
“Throughout this period, Weaver Ant adopted innovative ways of adapting its TTPs to an evolving network environment, regaining access and maintaining footholds,” the company said. “The modus operandi of China-nexus intrusion sets usually involves sharing capabilities through tools, infrastructure and sometimes shared contractors.”
China names four Taiwanese hackers allegedly behind espionage activity
The disclosure comes days after China's Ministry of State Security (MSS) accused four individuals of allegedly carrying out cyberattacks against the mainland on behalf of the Taiwanese military. Taiwan has rejected the allegations.

The MSS said the four individuals are members of Taiwan's Information, Communications and Electronic Force Command (ICEFCOM), and that the entity is engaged in phishing attacks, propaganda emails targeting government and military agencies, and disinformation campaigns using social media aliases.
The intrusions are said to involve the widespread use of open-source tools such as the AntSword web shell, Ice Scorpion, Metasploit and Quasar RAT.
“The ‘Information, Communications and Electronics Forces’ specifically hired hackers and cybersecurity companies as external support to carry out cyberwarfare orders issued by the Democratic Progressive Party (DPP) authorities,” the ministry said. “Their activities include espionage, sabotage and propaganda.”
Coinciding with the MSS statement, Chinese cybersecurity companies Qianxin and Antiy linked the activity to APT-C-01 (also tracked as Greenspot, Poison Cloud Vine and White Dolphin), with attacks leading to the delivery of a C++ Trojan and the command-and-control (C2) framework Sliver.
Other initial access methods involve N-day security vulnerabilities and the exploitation of weak passwords on Internet of Things devices such as routers, cameras and firewalls, Qianxin added, characterizing the threat actors' activity as “not particularly smart.”