Article Details

China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023. Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that has been put to use by China-aligned APT actors since 2023 to target multiple environments. The flexible framework has been put to use against Chinese gambling industries and malicious activities targeting Asian government entities and private organizations, according to Trend Micro. "PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language," researchers Ted Lee and Joseph C Chen said. "This is to ensure that the framework could be launched across different execution environments via LOLBins (living-off-the-land binaries)." The cybersecurity company said it identified the PeckBirdy script framework in 2023 after it observed multiple Chinese gambling websites being injected with malicious scripts, which are designed to download and execute the primary payload in order to facilitate the remote delivery and execution of JavaScript. The end goal of this routine is to serve fake software update web pages for Google Chrome so as to trick users into downloading and running bogus update files, thereby infecting the machines with malware in the process. This activity cluster is being tracked as SHADOW-VOID-044. SHADOW-VOID-044 is one of the two temporary intrusion sets detected using PeckBirdy. The second campaign, observed first in July 2024 and referred to as SHADOW-EARTH-045, involves targeting Asian government entities and private organizations -- including a Philippine educational institution -- injecting PeckBirdy links into government websites to likely serve scripts for credential harvesting on the website. "In one case, the injection was on a login page of a government system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization," Trend Micro said. "The threat actor behind the attacks also developed a .NET executable to launch PeckBirdy with ScriptControl. These findings demonstrate the versatility of PeckBirdy's design, which enables it to serve multiple purposes." What makes PeckBirdy notable is its flexibility, allowing it to run with varying capabilities across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl). The framework's server is configured to support multiple APIs that make it possible for clients to obtain landing scripts for different environments via an HTTP(S) query. The API paths include an "ATTACK ID" value -- a random but predefined string with 32 characters (e.g., o246jgpi6k2wjke000aaimwбe7571uh7) -- that determines the PeckBirdy script to be retrieved from the domain. Once launched, the PeckBirdy determines the current execution context and then proceeds to generate a unique victim ID and persist it for subsequent executions. The initialization step is followed by the framework attempting to figure out what communication methods are supported in the environment. PeckBirdy uses the WebSocket protocol to communicate with the server by default. However, it can also employ Adobe Flash ActiveX objects or Comet as a fallback mechanism. After a connection has been initiated with the remote server, passing along the ATTACK ID and victim ID values, the server responds with a second-stage script, one of which is capable of stealing website cookies. One of PeckBirdy's servers associated with the SHADOW-VOID-044 campaign has been found to host additional scripts - Further infrastructure analysis has led to the identification of two backdoors dubbed HOLODONUT and MKDOOR - It's suspected that SHADOW-VOID-044 and SHADOW-EARTH-045 could be linked to different China-aligned nation-state actors. This assessment is based on the following clues - "These campaigns make use of a dynamic JavaScript framework, PickBirdy, to abuse living-off-the-land binaries and deliver modular backdoors such as MKDOOR and HOLODONUT," Trend Micro concluded. "Detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts, enabling them to evade traditional endpoint security controls."