A JScript-based command-and-control framework named PeckBirdy has been identified as being used by China-aligned advanced persistent threat actors since 2023. This flexible framework has been deployed in attacks targeting Chinese gambling industries, as well as Asian government entities and private organizations, The Hacker News reports.PeckBirdy leverages JScript and living-off-the-land binaries (LOLBins) to execute across various environments. Researchers from Trend Micro observed its use in campaigns like SHADOW-VOID-044, which involved injecting malicious scripts into Chinese gambling websites to trick users into downloading fake Chrome updates, leading to malware infections. Another campaign, SHADOW-EARTH-045, observed since July 2024, targets Asian government and private organizations, including a Philippine educational institution. This campaign injects PeckBirdy links into government websites, potentially for credential harvesting, and has been seen using MSHTA for lateral movement. The framework supports multiple execution contexts, including browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET. It communicates using WebSockets, with fallbacks to Adobe Flash ActiveX or Comet. Associated backdoors identified include HOLODONUT and MKDOOR.The discovery of PeckBirdy highlights the evolving tactics of sophisticated threat actors, who are increasingly utilizing script-based frameworks and LOLBins to evade traditional security measures. The framework's versatility and ability to serve multiple purposes, including malware delivery, credential harvesting, and establishing reverse shells, pose a significant challenge for cybersecurity defenses.Source: The Hacker News
Malware, Threat Intelligence
PeckBirdy framework used by China-linked APTs targets gambling and government entities

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



