PeckBirdy in Flight: How a JavaScript C2 Framework Quietly Took Wing
- Javier Conejo del Cerro
- 4 days ago
- 4 min read

At first glance, PeckBirdy looks unassuming: a JavaScript-based framework built on a scripting language that many defenders consider legacy or low risk. But like a small bird slipping through open windows, PeckBirdy has been flying under the radar since at least 2023, enabling China-aligned threat actors to establish flexible command-and-control channels across browsers, Windows components, and server-side environments. By abusing living-off-the-land binaries (LOLBins) and dynamically adapting to its execution context, PeckBirdy demonstrates how lightweight, script-based tooling can still power sophisticated espionage and intrusion campaigns against both public and private sector targets.
Phase 1 – Nesting Grounds: Target Selection and Initial Access
PeckBirdy has been observed in multiple activity clusters, tracked by Trend Micro as SHADOW-VOID-044 and SHADOW-EARTH-045. These campaigns targeted distinct but related environments, including Chinese gambling platforms, Asian government entities, private organizations, and educational institutions such as a university in the Philippines.
Rather than relying on zero-day exploits or noisy malware droppers, attackers favored access through compromised or poorly secured websites. In several cases, malicious JavaScript was injected directly into legitimate web pages, including login portals of government systems. This approach allowed the attackers to weaponize trusted web infrastructure and silently introduce PeckBirdy into victim environments without raising immediate suspicion.
In parallel, the framework was also delivered through techniques such as MSHTA execution, enabling its use as a remote access channel for lateral movement inside private organizations. The focus was not on mass infection, but on gaining stable footholds in environments of strategic value.
Phase 2 – Taking Flight: Framework Initialization and Environment Awareness
Once executed, PeckBirdy immediately evaluates its surroundings. One of its defining characteristics is its ability to run across a wide range of execution environments, including web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET via ScriptControl.
During initialization, PeckBirdy generates a unique victim identifier and persists it for reuse in future executions. The framework then determines which communication methods are available in the current context. While WebSocket is the default protocol for command-and-control communications, PeckBirdy can fall back to alternative mechanisms such as Adobe Flash ActiveX objects or Comet-based communication when required.
The framework retrieves its operational logic via server-side APIs that use a predefined 32-character “ATTACK ID” embedded in the request path. This identifier determines which script variant is delivered to the victim, allowing operators to tailor behavior across campaigns and environments.
Phase 3 – Payload Delivery: Data Theft, Exploitation, and Backdoors
After establishing a connection to its command-and-control server, PeckBirdy receives second-stage scripts that expand its capabilities. Some of these scripts are designed to steal website cookies, enabling session hijacking and credential theft without requiring direct password capture.
Additional payloads observed on PeckBirdy infrastructure include exploitation scripts for known vulnerabilities, such as CVE-2020-16040 in the Google Chrome V8 engine, social engineering pop-ups designed to trick users into downloading malicious files, Electron-based backdoors, and scripts to establish reverse shells over TCP sockets.
Further analysis linked PeckBirdy campaigns to the deployment of two modular backdoors: HOLODONUT and MKDOOR. HOLODONUT is a .NET-based implant delivered via a lightweight downloader called NEXLOAD and supports dynamic plugin loading, execution, and removal. MKDOOR similarly supports modular payload delivery and execution, allowing attackers to adapt capabilities over time.
Together, these components enable persistent remote access, credential harvesting, lateral movement, and long-term surveillance across compromised environments.
Phase 4 – Attribution Signals: Following the Feathers
While PeckBirdy itself is a generic framework, multiple technical indicators point toward China-aligned threat activity. Infrastructure associated with SHADOW-VOID-044 hosted GRAYRABBIT, a backdoor previously linked to UNC3569. HOLODONUT shows overlaps with WizardNet, attributed to TheWizards, while MKDOOR shares behavioral similarities with BIOPASS RAT, associated with Earth Lusca.
Additional evidence includes Cobalt Strike artifacts signed with certificates reused from earlier China-focused gambling campaigns, as well as infrastructure overlaps with IP addresses previously linked to Earth Baxia and APT41. These connections suggest that PeckBirdy is not tied to a single actor, but rather represents a shared or adaptable framework leveraged across multiple Chinese state-aligned intrusion sets.
Measures to Defend Against PeckBirdy Campaigns
- Monitor for JavaScript injection on public-facing and internal web applications, especially login portals
- Restrict and closely audit the use of LOLBins such as MSHTA and WScript
- Detect anomalous WebSocket traffic and unusual outbound connections from browsers and script engines
- Audit Electron-based applications and investigate unexpected Electron process activity
- Enforce timely patching of browsers and block execution of outdated or vulnerable engines
- Strengthen behavioral detection for script-based malware that operates without persistent file artifacts
- Segment networks to limit lateral movement from compromised web-facing systems
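One way to turn the LOLBin-auditing and anomalous-WebSocket items above into a hunt over endpoint telemetry, written for this post as an added example (not Trend Micro's tooling or anything recovered from the campaigns): it ties script-engine processes to their outbound connections and WebSocket upgrades and pulls the 32-character path ID the article describes. The event tuples, hostnames, PIDs and the ID value are constructed, and the assumption that the ID is alphanumeric is mine.

```python
"""Hunt over endpoint telemetry for script-engine LOLBins (mshta, wscript,
cscript) that open outbound connections or negotiate WebSocket sessions.
Added example for this article, not vendor code; the (kind, host, pid, detail)
tuples are a constructed, simplified event format, not real sensor output."""
import re
from pathlib import PureWindowsPath

SCRIPT_ENGINES = {"mshta.exe", "wscript.exe", "cscript.exe"}  # LOLBins of interest
# The article describes a 32-character ID in the C2 request path but not its
# alphabet, so this assumes any 32-character alphanumeric path segment.
ATTACK_ID_RE = re.compile(r"/([A-Za-z0-9]{32})(?:/|\s|$)")

# Constructed sample events; pids 4120 and 5001 model PeckBirdy-like activity.
SAMPLE_EVENTS = [
    ("process", "ws01", 4120, r"C:\Windows\System32\mshta.exe http://203.0.113.10/p.hta"),
    ("network", "ws01", 4120, "dst=203.0.113.10:443"),
    ("http", "ws01", 4120, "GET /api/aBcD1234eFgH5678iJkL9012mNoP3456/script Upgrade: websocket"),
    ("process", "ws01", 4200, r'"C:\Program Files\Browser\browser.exe"'),
    ("http", "ws01", 4200, "GET /chat Upgrade: websocket"),  # benign: not a LOLBin
    ("process", "ws02", 5001, r"C:\Windows\System32\wscript.exe C:\Users\a\update.js"),
    ("network", "ws02", 5001, "dst=198.51.100.7:8080"),
]

def image_name(cmdline):
    """Basename of the executable at the head of a (possibly quoted) command line."""
    exe = cmdline[1:cmdline.index('"', 1)] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()

def find_suspicious(events):
    """One finding per (host, pid) whose image is a script engine and which
    produced network activity: 'high' if a WebSocket upgrade was seen (with the
    path's 32-char ID if present), otherwise 'medium' for any outbound connection."""
    engines = {}   # (host, pid) -> image for script-engine processes seen so far
    findings = {}
    for kind, host, pid, detail in events:
        key = (host, pid)
        if kind == "process":
            img = image_name(detail)
            if img in SCRIPT_ENGINES:
                engines[key] = img
        elif key in engines:
            f = findings.setdefault(key, {"host": host, "pid": pid, "image": engines[key],
                                          "severity": "medium", "attack_id": None})
            if kind == "http" and "upgrade: websocket" in detail.lower():
                f["severity"] = "high"
                m = ATTACK_ID_RE.search(detail)
                f["attack_id"] = m.group(1) if m else f["attack_id"]
    return list(findings.values())
```

Running `find_suspicious(SAMPLE_EVENTS)` yields two findings: the mshta process rated high with its path ID, and the wscript process rated medium; the browser's own WebSocket session is ignored because its image is not a script engine.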
PeckBirdy highlights a persistent reality in modern cyber operations: sophistication does not always require complexity. By combining an old scripting language with modern delivery techniques, adaptive execution logic, and modular backdoors, attackers created a flexible platform capable of supporting espionage, credential theft, and long-term access across diverse environments.
The framework’s reliance on dynamic JavaScript execution, living-off-the-land binaries, and trusted infrastructure makes it particularly difficult to detect using traditional signature-based controls. As defenders continue to harden endpoints and block known malware families, campaigns like PeckBirdy demonstrate how lightweight, script-based frameworks can still quietly take flight, and stay airborne, in highly defended networks.
The Hacker News