China-Linked Hackers Exploit PeckBirdy JavaScript Framework in Targeted Cyber Attacks
Cybersecurity researchers have uncovered a sophisticated JavaScript-based command-and-control (C2) framework, dubbed PeckBirdy, actively utilized by China-aligned Advanced Persistent Threat (APT) actors since 2023. This versatile framework has been employed in targeted attacks against various sectors, including the Chinese gambling industry and Asian governmental and private organizations.
Trend Micro’s researchers, Ted Lee and Joseph C. Chen, highlighted that PeckBirdy is implemented using JScript, an older scripting language. This choice ensures compatibility across diverse execution environments by leveraging Living-Off-The-Land Binaries (LOLBins). The framework’s adaptability allows it to operate seamlessly within web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET environments.
Discovery and Initial Observations
In 2023, Trend Micro identified PeckBirdy following the detection of malicious script injections on multiple Chinese gambling websites. These scripts were designed to download and execute primary payloads, facilitating the remote delivery and execution of JavaScript code. The ultimate objective was to present users with counterfeit Google Chrome update pages, deceiving them into downloading and executing malicious files, thereby compromising their systems. This campaign has been designated as SHADOW-VOID-044.
Expansion to Government and Private Sectors
By July 2024, the use of PeckBirdy expanded beyond the gambling industry. A new campaign, labeled SHADOW-EARTH-045, targeted Asian government entities and private organizations, including an educational institution in the Philippines. In these instances, attackers injected PeckBirdy links into government websites, likely to deploy scripts aimed at credential harvesting. Notably, some injections were found on login pages of government systems. Additionally, attackers utilized MSHTA to execute PeckBirdy as a remote access channel for lateral movement within private organizations. They also developed a .NET executable to launch PeckBirdy using ScriptControl, demonstrating the framework’s versatility in serving multiple malicious purposes.
Technical Capabilities and Communication Methods
PeckBirdy’s design allows it to adapt its capabilities based on the execution environment. The framework’s server supports multiple APIs, enabling clients to retrieve specific landing scripts through HTTP(S) queries. Each API path includes an ATTACK ID, a predefined 32-character string that determines the specific PeckBirdy script to be fetched.
Upon execution, PeckBirdy assesses the current environment, generates a unique victim ID, and persists it for future use. The framework primarily uses the WebSocket protocol for server communication. However, it can also employ Adobe Flash ActiveX objects or Comet as fallback mechanisms, ensuring reliable communication across various platforms.
Malware Deployment and Exploitation Techniques
Once a connection is established with the remote server, transmitting the ATTACK ID and victim ID, the server responds with a second-stage script. One such script is capable of stealing website cookies, posing significant security risks.
Further analysis revealed that servers associated with the SHADOW-VOID-044 campaign hosted additional malicious scripts. These included an exploitation script targeting a known vulnerability in Google Chrome’s V8 engine (CVE-2020-16040), which was patched in December 2020. This indicates that attackers are leveraging known vulnerabilities to enhance their attack vectors.
Implications and Recommendations
The discovery of PeckBirdy underscores the evolving tactics of China-linked APT groups in developing and deploying sophisticated frameworks to conduct targeted cyber attacks. The framework’s adaptability across multiple environments and its use of legitimate system processes make detection and mitigation challenging.
Organizations, particularly those in the gambling industry and government sectors within Asia, should remain vigilant. Implementing robust security measures, such as regular system updates, employee training on phishing tactics, and the deployment of advanced threat detection systems, is crucial. Additionally, monitoring for unusual network activity and conducting regular security audits can help identify and mitigate potential threats posed by frameworks like PeckBirdy.
