Source: The Hacker News
Cybersecurity researchers at Trend Micro have uncovered a sophisticated JScript-based command-and-control (C2) framework called PeckBirdy that has been actively used by China-aligned APT actors since 2023. The flexible framework has been deployed against the gambling industry and government entities across Asia.
A Versatile Attack Framework
PeckBirdy stands out for its remarkable flexibility, capable of running across multiple execution environments including web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET via ScriptControl. This versatility allows threat actors to leverage living-off-the-land binaries (LOLBins) to evade detection.
The framework uses the WebSocket protocol for C2 communications by default, with fallback mechanisms based on Adobe Flash ActiveX objects or Comet-style long polling. Each victim receives a unique ID that persists across executions, enabling threat actors to maintain persistent access.
Two Distinct Campaigns
Researchers identified two intrusion sets leveraging PeckBirdy:
- SHADOW-VOID-044: Targets Chinese gambling websites with malicious script injections, serving fake Chrome update pages to deliver malware
- SHADOW-EARTH-045: Focuses on Asian government entities and private organizations, including credential harvesting through injected scripts on government login pages
Associated Malware and Attribution
The campaigns deploy additional payloads including:
- HOLODONUT: A .NET-based modular backdoor with plugin capabilities
- MKDOOR: A modular backdoor for loading and executing server-provided modules
- Exploitation scripts for CVE-2020-16040 (Chrome V8 engine vulnerability)
- Reverse shell scripts via TCP sockets
Infrastructure analysis links these campaigns to multiple China-aligned threat actors including UNC3569, TheWizards, Earth Lusca (Aquatic Panda), and potentially APT41.
Detection Challenges
Trend Micro emphasizes the significant challenges in detecting JavaScript-based frameworks like PeckBirdy. The use of dynamically generated, runtime-injected code and the absence of persistent file artifacts enable these frameworks to evade traditional endpoint security controls.
Organizations should implement behavioral analysis solutions capable of detecting anomalous script execution patterns and maintain vigilance against watering hole attacks targeting industry-specific websites.
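One concrete behavioral check that follows from the article, as an added example that is not part of the original report or Trend Micro's tooling: correlate process-start and outbound-connection telemetry so that a script host such as MSHTA or WScript opening a WebSocket (HTTP Upgrade) connection is flagged, while a browser doing the same is treated as normal. The JSON event shape, field names and image names are assumptions, and the sample events are constructed.

```python
import json

# Script hosts the article lists as PeckBirdy execution environments; the
# Windows image names are assumed for this example.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "node.exe"}

# Constructed sample telemetry, one JSON event per line: process-start events
# followed by outbound-connection events carrying the HTTP Upgrade header value.
SAMPLE_EVENTS = r"""
{"type":"process","pid":4120,"image":"mshta.exe","cmdline":"mshta.exe http://cdn.example.invalid/update.hta"}
{"type":"process","pid":4132,"image":"chrome.exe","cmdline":"chrome.exe --profile-directory=Default"}
{"type":"net","pid":4120,"dest":"cdn.example.invalid:443","upgrade":"websocket"}
{"type":"net","pid":4132,"dest":"mail.example.invalid:443","upgrade":"websocket"}
{"type":"process","pid":4150,"image":"wscript.exe","cmdline":"wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.js"}
{"type":"net","pid":4150,"dest":"10.0.0.5:8080","upgrade":""}
"""


def find_script_host_websockets(events_text):
    """Return (pid, image, dest) for every script-host process that opens a
    WebSocket connection. The correlation is by pid: process events are
    remembered first, then each network event is attributed to its image.
    Browsers upgrading to WebSocket are expected traffic and are not flagged;
    a LOLBin script host doing so is the anomalous pattern worth an alert."""
    image_by_pid = {}
    hits = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            image_by_pid[ev["pid"]] = ev["image"].lower()
        elif ev["type"] == "net" and ev.get("upgrade", "").lower() == "websocket":
            image = image_by_pid.get(ev["pid"], "")
            if image in SCRIPT_HOSTS:
                hits.append((ev["pid"], image, ev["dest"]))
    return hits


if __name__ == "__main__":
    for pid, image, dest in find_script_host_websockets(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {image} opened a WebSocket to {dest}")
```

Because PeckBirdy leaves no file on disk, the process and network context here is the signal; the wscript.exe launch in the sample is not flagged only because its connection never upgrades to WebSocket, which is the kind of distinction a rule on file artifacts alone cannot make.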
