Full Report
Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that China-aligned APT actors have used since 2023 to target multiple environments. According to Trend Micro, the flexible framework has been used against the Chinese gambling industry and in malicious activity targeting Asian government entities and private organizations.
Analysis Summary
# Threat Actor: China-aligned APT Actors (Associated with Intrusion Sets SHADOW-VOID-044 and SHADOW-EARTH-045)
## Attribution & Identity
Actor likely aligns with Chinese Advanced Persistent Threat (APT) operations.
Known Aliases/Associated Groups: Related to two distinct intrusion sets tracked by Trend Micro: SHADOW-VOID-044 and SHADOW-EARTH-045.
## Activity Summary
The identified actors have been utilizing the **PeckBirdy** C2 framework since 2023.
**Campaign SHADOW-VOID-044 (Observed since 2023):**
* Focused on injecting malicious scripts into Chinese gambling websites.
* Goal involved downloading and executing the primary PeckBirdy payload.
* Used social engineering (fake Google Chrome update pages) to trick users into downloading and running bogus update files, leading to malware infection.
**Campaign SHADOW-EARTH-045 (Observed since July 2024):**
* Targeted Asian government entities and private organizations.
* Injected PeckBirdy links into government websites, sometimes targeting login pages, likely for credential harvesting.
* Observed using MSHTA to execute PeckBirdy for lateral movement within a private organization.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Delivered via malicious scripts injected into compromised websites (gambling and government sites). Used techniques to trick users into downloading files disguised as software updates.
- **Execution Environment Flexibility:** Written in JScript so that it can execute across a wide range of LOLBins and environments (web browsers, MSHTA, WScript, Classic ASP, Node.js, .NET ScriptControl).
- **C2 Protocol:** Default communication uses the WebSocket protocol; fallback transports are Adobe Flash ActiveX objects and Comet.
- **Persistence/Evasion:** Generates a unique victim ID upon launch and persists it for later executions.
- **Lateral Movement:** Observed using PeckBirdy via MSHTA for remote access and lateral movement within private organizations.
- **Exploitation:** Hosted scripts attempting to leverage an old Google Chrome V8 engine vulnerability (CVE-2020-16040).
- **Backdoor Deployment:** Deploying secondary backdoors such as **HOLODONUT** (.NET modular backdoor launched via **NEXLOAD** downloader) and **MKDOOR**.
- **Credential Harvesting:** Scripts designed to steal website cookies.
## Targeting
- **Sectors:** Chinese gambling industries, Asian government entities, private organizations, and one Philippine educational institution.
- **Geography:** Asia (specifically mentioned: Chinese industries, Asian government entities, Philippine institution).
- **Victims:** Chinese gambling websites, Asian government systems, private organizations, and a Philippine educational institution.
## Tools & Infrastructure
- **Malware families used:** PeckBirdy (JScript C2 Framework), HOLODONUT (.NET modular backdoor), NEXLOAD (downloader for HOLODONUT), MKDOOR.
- **Infrastructure (C2):** The PeckBirdy server supports multiple APIs identified by an "ATTACK ID" (32-character string) via HTTPS queries to retrieve environment-specific landing scripts.
## Implications
The use of the JScript-based PeckBirdy framework highlights an adversary leveraging older, commonly available scripting languages and LOLBins for versatility and potential evasion across diverse execution environments (browser, desktop scripting engines, .NET). The dual focus on financial/gambling sectors and government/educational entities suggests a broad operational scope, encompassing both financial motivation and strategic espionage/access.
## Mitigations
- Enhance detection for JScript/WScript execution paths, especially involving interactions with LOLBins like MSHTA.
- Monitor for network connections utilizing WebSocket protocols originating from unusual processes.
- Implement robust web application security (WAF) to detect and prevent the injection of malicious scripts onto legitimate websites.
- Patch known vulnerabilities. The actor was observed attempting to exploit an already-patched Chrome vulnerability (CVE-2020-16040), indicating a potential reliance on older exploit chains for initial compromise, which makes outdated browsers a realistic entry point.
- Scrutinize scripts designed to mimic software updates for social engineering lures.
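Turning the first two mitigations into a concrete triage pass, as an added example that is not from the Trend Micro report: two rules run over constructed Sysmon-style process-creation records and proxy-style HTTP upgrade records, flagging script-host LOLBins launched with a remote script and WebSocket upgrades from non-browser processes. The event field names, the browser allowlist and the sample hosts and URLs are assumptions.

```python
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist for WebSocket use
# Remote script references: an http(s) URL or an inline javascript: URI on the command line
REMOTE_RE = re.compile(r"(?:https?://|javascript:)\S+", re.IGNORECASE)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Rule 1: script-host LOLBin (mshta/wscript/cscript) launched with a remote script."""
    image = _basename(ev["image"])
    if image not in SCRIPT_HOSTS:
        return None
    refs = REMOTE_RE.findall(ev["cmdline"])
    if not refs:
        return None
    return {"rule": "script_host_remote_script", "host": ev["host"],
            "process": image, "parent": ev.get("parent", ""), "refs": refs}

def check_websocket(ev):
    """Rule 2: WebSocket upgrade (Upgrade: websocket) from a process that is not a browser."""
    if ev.get("upgrade", "").lower() != "websocket":
        return None
    image = _basename(ev["image"])
    if image in BROWSERS:
        return None
    return {"rule": "websocket_from_unusual_process", "host": ev["host"],
            "process": image, "dest": ev["dest"]}

def triage(events):
    """Run both rules over a list of events; return the findings in input order."""
    findings = []
    for ev in events:
        hit = check_process(ev) if ev["type"] == "process" else check_websocket(ev)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample telemetry (not real data): two process creations, two HTTP upgrades.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": "explorer.exe", "cmdline": "mshta.exe https://cdn.example.invalid/landing"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": "explorer.exe", "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
    {"type": "http", "host": "ws01", "image": r"C:\Windows\System32\mshta.exe",
     "dest": "cdn.example.invalid:443", "upgrade": "websocket"},
    {"type": "http", "host": "ws03", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "chat.example.invalid:443", "upgrade": "websocket"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns two findings, both for host ws01: the mshta launch with a remote URL and the WebSocket upgrade from that same mshta process, while the local logon script and the browser WebSocket are left alone.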