PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
We discovered two threat campaigns that used PeckBirdy in their operations. Based on victimology and the tools, tactics, and procedures (TTPs) used in the respective campaigns, we attributed them under two temporary intrusion sets: SHADOW-VOID-044 and SHADOW-EARTH-045. Our investigation revealed that these two campaigns could be linked to different China-aligned APT actors.
In the case of SHADOW-VOID-044, we noticed the GRAYRABBIT backdoor (previously reported to be utilized by UNC3569) was hosted on a server (47[.]238[.]219[.]111) operated by this campaign. The GRAYRABBIT sample we observed was slightly different, using a DLL sideloading technique combined with the UuidFromStringA function of PowerShell to read, decode, and execute the backdoor payload. Despite the different execution methods, the C&C server center[.]myrnicrosoft[.]com was the same as the C&C domain used by UNC3569. In addition, both SHADOW-VOID-044 and UNC3569 targeted the Chinese gambling industry. These findings give us a moderate to high level of confidence to attribute this campaign to UNC3569.
We also discovered that SHADOW-VOID-044 used the HOLODONUT backdoor, which is likely linked to another backdoor, WizardNet, previously reported to have been used by an APT group called TheWizard. Interestingly, some of the HOLODONUT samples used by SHADOW-VOID-044 connected to the same C&C server (mkdmcdn[.]com) that TheWizard used. While we didn’t see any additional connections between Campaign Alpha and TheWizard, it’s worth noting that TheWizard also used the DarkNimbus backdoor, which was developed by the Earth Minotaur threat actor we discussed in a previous blog entry.
Another discovery during our research was a Cobalt Strike sample (SHA256: 162cc325ab7b6e70edb6f4d0bc0e52130c56903f) hosted on the SHADOW-VOID-044 server oss-cdn[.]com. We discovered that this sample was signed using a certificate (thumbprint, SHA1: bbd2b9b87f968ed88210d4261a1fe30711e8365b) stolen from a South Korean gaming company. This certificate was also used in the BIOPASS RAT campaign that we also reported on.
Based on our findings, both BIOPASS RAT and MKDOOR employ the same technique: opening an HTTP server on a high-numbered port on the local host to listen. This is to allow a watering hole attack script to scan for the presence of the port on the local host and determine whether the victim has been infected with the backdoor. The BIOPASS RAT campaign is linked to another threat actor, Earth Lusca.
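The loopback-listener behaviour described above is something a defender can look for on an endpoint without any knowledge of the specific implant. The following is an added example, not code from the report or from Trend Micro: it parses a constructed `netstat -ano`-style snapshot, lists TCP listeners bound only to loopback on a high port (the threshold `HIGH_PORT_MIN` is an assumption of this example, not a value from the report), and then correlates those listener PIDs with processes that also hold an established connection to a non-loopback peer, which is the combination a backdoor beaconing to its C&C while offering a local "infection check" port would produce.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of Windows "netstat -ano" output.
# This is not telemetry from a real host; the peer 203.0.113.7 is a documentation address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3344
  TCP    127.0.0.1:43990        0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.20:49700     203.0.113.7:443        ESTABLISHED     5120
  TCP    [::1]:60001            [::]:0                 LISTENING       7788
  UDP    0.0.0.0:5353           *:*                                    1200
"""

# What counts as "high-numbered" is an assumption of this example, not a figure from the report.
HIGH_PORT_MIN = 10000


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' into (host, port); IPv6 hosts stay bracketed, e.g. '[::1]'."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def is_loopback(host: str) -> bool:
    """True for IPv4 127/8 and the IPv6 loopback address as netstat prints them."""
    if host == "[::1]":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -ano text into rows; header, UDP (no state column) and odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        lhost, lport = split_endpoint(parts[1])
        rhost, rport = split_endpoint(parts[2])
        rows.append({"lhost": lhost, "lport": lport, "rhost": rhost, "rport": rport,
                     "state": parts[3], "pid": int(parts[4])})
    return rows


def loopback_high_listeners(rows: List[Dict[str, object]]) -> List[Tuple[str, int, int]]:
    """(host, port, pid) for TCP sockets listening only on loopback on a high port."""
    return [(r["lhost"], r["lport"], r["pid"]) for r in rows
            if r["state"] == "LISTENING" and is_loopback(r["lhost"]) and r["lport"] >= HIGH_PORT_MIN]


def listeners_with_external_peer(rows: List[Dict[str, object]]) -> Set[int]:
    """PIDs that hold such a loopback listener AND an established connection to a non-loopback peer.
    A legitimate local dev server rarely does both, so these are the first to triage."""
    listener_pids = {pid for _, _, pid in loopback_high_listeners(rows)}
    beaconing_pids = {r["pid"] for r in rows
                      if r["state"] == "ESTABLISHED" and not is_loopback(r["rhost"])}
    return listener_pids & beaconing_pids


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for host, port, pid in loopback_high_listeners(rows):
        print(f"loopback listener {host}:{port} pid={pid}")
    print("listener PIDs with an external peer:", listeners_with_external_peer(rows))
```

On a real host, feed the function the output of `netstat -ano` (or the equivalent socket table from your EDR) and review the PIDs it returns against the process image and signer; the port itself tells you nothing, the combination of a loopback-only listener and an outbound session in one unexpected process is what merits a look.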
For SHADOW-EARTH-045, we observed malicious activities targeting a Philippine educational institution in July 2024. The threat actor executed an MSHTA command connecting to github[.]githubassets[.]net to launch PeckBirdy on a compromised Internet Information Services (IIS) server. At the same time, the threat actor downloaded files from 47[.]238[.]184[.]9, an IP address that has previously been linked to Earth Baxia. Note that the attribution linking SHADOW-EARTH-045 to Earth Baxia remains low confidence for now. However, it’s worth noting that the same PeckBirdy domain and IP address were also mentioned in another report on attacks against an African government IT organization.
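The execution chain above (mshta.exe pulling a remote script, launched from a web server process) is a pattern that process-creation telemetry exposes well. The following is an added example, not code from the report: it runs a simple rule over constructed Sysmon-style process events and flags `mshta.exe` launched with an `http://` or `https://` argument, raising severity when the parent is the IIS worker process `w3wp.exe`. The field names, the `WEB_SERVER_PARENTS` set and the `example.invalid` hostnames are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Any http/https URL in the command line; mshta will fetch and execute a remote HTA.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Parents that should never be starting mshta.exe with a remote URL.
# w3wp.exe is the IIS worker process; the set is an assumption of this example.
WEB_SERVER_PARENTS = {"w3wp.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess_process_event(evt: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for mshta.exe launched with a remote URL, else None."""
    if image_name(evt["Image"]) != "mshta.exe":
        return None
    urls = URL_RE.findall(evt["CommandLine"])
    if not urls:
        return None  # mshta opening a local .hta is outside this rule's scope
    parent = image_name(evt["ParentImage"])
    severity = "high" if parent in WEB_SERVER_PARENTS else "medium"
    return {"record": evt["RecordId"], "severity": severity,
            "parent": parent, "url": urls[0]}


def hunt_mshta(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of process-creation events."""
    return [f for f in map(assess_process_event, events) if f is not None]


# Constructed Sysmon-style events (Event ID 1 fields); not records from a real host.
SAMPLE_EVENTS = [
    {"RecordId": "1", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/loader.hta"},
    {"RecordId": "2", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\Desktop\form.hta"'},
    {"RecordId": "3", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://updates.example.invalid/a"},
    {"RecordId": "4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "powershell.exe -File x.ps1"},
]

if __name__ == "__main__":
    for finding in hunt_mshta(SAMPLE_EVENTS):
        print(finding)
```

Record 4 (PowerShell spawned by `w3wp.exe`) is deliberately left alone by this rule so that the mshta logic stays readable, but a web shell launching any interpreter from the worker process deserves its own rule of the same shape.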
This report outlines two campaigns that highlight the growing sophistication and adaptability of current China-aligned threat actors. These campaigns make use of a dynamic JavaScript framework, PeckBirdy, to abuse living-off-the-land binaries and deliver modular backdoors such as MKDOOR and HOLODONUT. Detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts, which lets them evade traditional endpoint security controls. In this environment, adaptability and continuous refinement of defensive strategies are no longer optional, but fundamental to maintaining operational integrity in an increasingly hostile digital landscape.
Proactive security with TrendAI Vision One™
TrendAI Vision One™ is the industry-leading AI cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection.
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats:
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups
Hunting Queries
malName: (*MKDOOR* OR *HOLODONUT* OR *GRAYRABBIT* OR *PECKBIRDY*) AND eventName: MALWARE_DETECTION
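For teams that export detection telemetry and want to run the same hunt offline, the following added example (not Trend Micro code, and not the platform's query engine) parses the query above into its wildcard patterns and event name and applies it to constructed detection records. It assumes the `malName` comparison is case-insensitive and that records are dicts with `malName` and `eventName` keys; the query parser handles only the one-clause shape shown on this page.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

HUNT_QUERY = ("malName: (*MKDOOR* OR *HOLODONUT* OR *GRAYRABBIT* OR *PECKBIRDY*) "
              "AND eventName: MALWARE_DETECTION")

# Only the shape "malName: (<p1> OR <p2> ...) AND eventName: <name>" is supported here.
QUERY_RE = re.compile(r"malName:\s*\((.*?)\)\s+AND\s+eventName:\s*(\S+)")


def parse_query(query: str) -> Tuple[List[str], str]:
    """Return (malName wildcard patterns, required eventName) from the hunting query."""
    m = QUERY_RE.fullmatch(query.strip())
    if m is None:
        raise ValueError("query is not in the supported 'malName: (...) AND eventName: X' form")
    patterns = [p.strip() for p in m.group(1).split(" OR ")]
    return patterns, m.group(2)


def matches_query(event: Dict[str, object], patterns: List[str], event_name: str) -> bool:
    """Case-insensitive wildcard match of malName, gated on the exact eventName."""
    if event.get("eventName") != event_name:
        return False
    mal_name = str(event.get("malName", "")).upper()
    return any(fnmatch.fnmatchcase(mal_name, p.upper()) for p in patterns)


def hunt(events: List[Dict[str, object]], query: str = HUNT_QUERY) -> List[int]:
    """IDs of the events the query selects, in input order."""
    patterns, event_name = parse_query(query)
    return [int(e["id"]) for e in events if matches_query(e, patterns, event_name)]


# Constructed detection records for illustration; not output from a real environment.
SAMPLE_EVENTS = [
    {"id": 1, "eventName": "MALWARE_DETECTION", "malName": "Backdoor.Win32.MKDOOR.A"},
    {"id": 2, "eventName": "FILE_CREATE", "malName": "Trojan.JS.PECKBIRDY.B"},
    {"id": 3, "eventName": "MALWARE_DETECTION", "malName": "backdoor.msil.holodonut.a"},
    {"id": 4, "eventName": "MALWARE_DETECTION", "malName": "Trojan.Win32.Generic"},
    {"id": 5, "eventName": "MALWARE_DETECTION", "malName": "HackTool.Win64.GRAYRABBIT.ZA"},
    {"id": 6, "eventName": "MALWARE_DETECTION"},
]

if __name__ == "__main__":
    print("matching event ids:", hunt(SAMPLE_EVENTS))
```

Record 2 carries a PeckBirdy family name but is not a `MALWARE_DETECTION` event, so the `AND` clause excludes it, which mirrors what the platform query would do; if you want every event type that mentions these families, drop the `eventName` gate rather than widening the patterns.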
TrendAI Vision One™ customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
The indicators of compromise for this entry can be found here.
