A JScript command-and-control framework named PeckBirdy has been used by China-aligned APT actors since 2023 to target Chinese gambling sites and Asian government and private organizations, a technical analysis by Trend Micro reported.
KEY FACTS
- JScript-based command-and-control framework named PeckBirdy
- Active since 2023
- Targets Chinese gambling sites and Asian government and private entities
- Modular backdoor implants HOLODONUT and MKDOOR observed
PeckBirdy was first observed when malicious scripts injected into gambling websites served fake Google Chrome update pages that tricked visitors into downloading and running bogus update files, which in turn delivered JavaScript payloads.
The framework is implemented in JScript so it can run across multiple execution contexts, including web browsers, MSHTA, WScript, Classic ASP, Node.js and .NET ScriptControl. The server exposes API paths that return landing scripts identified by a 32-character ATTACK ID.
After initialization, the framework generates a persistent victim ID and selects a communication method. WebSocket is the default channel, with Flash ActiveX objects or Comet as fallbacks. A second-stage script can steal cookies and deliver additional payloads.
Associated server files include exploit code for an old Chrome V8 flaw patched in 2020, social-engineering pop-ups, Electron-based backdoor delivery and reverse-shell routines. Two modular backdoors were observed: HOLODONUT, a .NET implant launched by a downloader called NEXLOAD, and MKDOOR, which loads and removes modules.
WHY IT MATTERS
PeckBirdy can run through common living-off-the-land binaries and deliver modular backdoors across environments. Dynamic script frameworks that inject code at runtime leave few persistent artifacts and are hard for traditional endpoint controls to detect.