The Ghost in the Script: China-Linked PeckBirdy Framework Evades Detection via LOLBins
Experts from Trend Micro have identified the pervasive deployment of PeckBirdy, a malevolent JavaScript framework orchestrated by collectives associated with Chinese state apparatuses. This instrument has been operational since at least 2023, utilized in offensives against a diverse array of targets, encompassing gambling portals within China, governmental institutions, and private enterprises across Asia.
PeckBirdy is distinguished by its versatility and its aptitude for functioning across disparate execution environments, an advantage gained through the utilization of JScript, a legacy yet ubiquitous scripting language. This implementation facilitates the execution of the framework via native Windows utilities, thereby circumventing conventional security mechanisms. Initial scrutiny of PeckBirdy followed the discovery of deleterious scripts on Chinese gambling websites; these scripts served as the vanguard, delivering the primary malicious payload designed to facilitate the remote distribution of subsequent JavaScript components.
One primary objective of these incursions is the dissemination of fraudulent Google Chrome update notifications. Victims are enticed to download spurious update files, which precipitates the installation of malware—a campaign tracked under the codename SHADOW-VOID-044. Within this operation, additional scripts were unearthed, engineered to exploit browser vulnerabilities, establish reverse TCP connections, deploy social engineering overlays, and deliver backdoors via Electron JS.
A second offensive utilizing PeckBirdy, designated SHADOW-EARTH-045, commenced in the summer of 2024. During this campaign, adversaries embedded links to malicious scripts directly within the fabric of Asian governmental web portals. In one instance, a government authorization page was compromised; in another, MSHTA was leveraged to invoke the framework as a remote access conduit within a private corporation. Furthermore, the perpetrators employed a .NET executable to orchestrate script execution via ScriptControl.
The hallmark of PeckBirdy is its support for a multitude of execution modalities—ranging from web browsers and MSHTA to Node.js and legacy ASP environments. The attacker’s command-and-control server delivers the appropriate script tailored to the victim’s specific environment, utilizing a unique attack identifier and victim ID. Once the nexus is established, the framework is capable of deploying second-stage modules, such as a dedicated component for the exfiltration of browser cookies.
Forensic analysis of the associated infrastructure revealed two sophisticated modules: HOLODONUT and MKDOOR. The former is a .NET backdoor capable of managing plug-in modules, while the latter serves as a versatile instrument for similar administrative tasks. The investigation also established a nexus between these attacks and other notorious entities; a server linked to SHADOW-VOID-044 was found harboring GRAYRABBIT malware, previously associated with the UNC3569 collective. Further traces lead to the TheWizards and Earth Lusca (also known as Aquatic Panda) organizations.
The components of PeckBirdy are exceptionally adaptive and remain elusive to most defensive solutions due to their reliance on dynamically generated code and the absence of persistent file artifacts. Such an ephemeral architecture renders the detection of these JavaScript frameworks profoundly arduous.
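As an added defender-side example (not code from the Trend Micro report or from the PeckBirdy framework), the following Python routine triages endpoint telemetry for the two LOLBin patterns the article names: mshta.exe being handed a remote, inline or share-hosted script, and a process outside the usual script hosts loading msscript.ocx, the COM server behind ScriptControl. The event records are constructed, and the URLs and paths are placeholders.

```python
import re

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation) and
# Event ID 7 (image load); none come from a real incident, URLs and paths are placeholders.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe https://cdn.example.invalid/loader.hta"},
    {"image": r"C:\Windows\SysWOW64\mshta.exe",
     "command_line": r'mshta.exe "javascript:/* constructed inline script */close()"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe \\fileserver.example.invalid\share\update.hta"},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
SAMPLE_IMAGE_LOADS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\Updater.exe",
     "image_loaded": r"C:\Windows\SysWOW64\msscript.ocx"},
    {"image": r"C:\Windows\SysWOW64\wscript.exe",
     "image_loaded": r"C:\Windows\SysWOW64\msscript.ocx"},
]
REMOTE_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.I)
INLINE_RE = re.compile(r"\b(?:javascript|vbscript|about):", re.I)
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")  # expected hosts of msscript.ocx

def classify_process(event):
    """Reason string if mshta.exe is handed remote, inline or share-hosted script, else None."""
    if not event.get("image", "").lower().endswith("\\mshta.exe"):
        return None
    cmd = event.get("command_line", "")
    if REMOTE_RE.search(cmd):
        return "mshta fetching script from a remote URL"
    if INLINE_RE.search(cmd):
        return "mshta running an inline script via a protocol handler"
    if UNC_RE.search(cmd):
        return "mshta loading script from a network share"
    return None  # a local .hta file is left to file-based controls

def classify_image_load(event):
    """Flag a process outside the usual script hosts loading msscript.ocx (ScriptControl COM server).
    Legitimate VB6/Office automation also loads it, so treat this as a triage signal, not a verdict."""
    loaded = event.get("image_loaded", "").lower()
    host = event.get("image", "").lower().rsplit("\\", 1)[-1]
    if loaded.endswith("\\msscript.ocx") and host not in SCRIPT_HOSTS:
        return f"{host} loaded msscript.ocx (ScriptControl); check for embedded script execution"
    return None

def scan(process_events, image_loads):
    hits = [(e["command_line"], r) for e in process_events if (r := classify_process(e))]
    hits += [(e["image"], r) for e in image_loads if (r := classify_image_load(e))]
    return hits
```

Because the framework leaves no file on disk, the command line and image-load telemetry above is often the only artifact available, so these checks belong in process-creation and module-load monitoring rather than in file scanning.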