PeckBirdy: A Versatile Script Framework Used by China-Aligned APT Groups

This report details two threat campaigns using the PeckBirdy JavaScript framework, attributed to China-aligned advanced persistent threat (APT) actors. The campaigns, temporarily named SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate the increasing sophistication and adaptability of these groups.

Analysis of the SHADOW-VOID-044 Campaign

The SHADOW-VOID-044 campaign has been linked to the UNC3569 threat actor with moderate to high confidence, based on overlapping TTPs and victims.

Link to UNC3569: Observed use of the GRAYRABBIT backdoor, previously associated with UNC3569. The command and control (C&C) server center.myrnicrosoft.com is the same one used by UNC3569, and the campaign's target (the Chinese gaming industry) matches this actor's known targets. The GRAYRABBIT implementation in this campaign uses a DLL sideloading technique combined with the UuidFromStringA PowerShell function.

Link to TheWizard: The campaign also deployed the HOLODONUT backdoor. Some HOLODONUT samples connected to the same C&C server (mkdmcdn.com) used by the APT group TheWizard. TheWizard has also used the DarkNimbus backdoor, associated with the Earth Minotaur actor.

Stolen Certificate: SHADOW-VOID-044 used a Cobalt Strike sample signed with a certificate stolen from a South Korean game company. The same certificate was used in the BIOPASS RAT campaign, linked to the actor Earth Lusca.

Infection Detection Technique: The BIOPASS RAT and MKDOOR campaigns employ a technique to verify infection: the backdoor opens a local HTTP server on a high port so that a watering hole attack script can scan for it and confirm the presence of the backdoor on the host.

Analysis of the SHADOW-EARTH-045 Campaign

This campaign focused on a Filipino educational institution in July 2024. ...
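The infection-check technique above leaves a host-side artifact a defender can hunt for: a loopback HTTP listener on an unusual high port, owned by a process that has no business serving HTTP. The following Python script is an added example, not code from the report or from any of the actors' tooling. It parses constructed Windows netstat -ano style output together with a constructed PID-to-image map and flags loopback high-port listeners that are not on an allowlist, escalating the reason when the owner is a script host or lives under a user-writable path. The port threshold, the allowlist and the process names are assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not taken from the report).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2100
  TCP    127.0.0.1:49812        0.0.0.0:0              LISTENING       7344
  TCP    127.0.0.1:60123        0.0.0.0:0              LISTENING       5588
  TCP    192.168.1.20:49700     104.18.3.1:443         ESTABLISHED     6200
"""

# Constructed PID -> image path map (what tasklist or Get-Process would return).
SAMPLE_PROCS = {
    912: r"C:\Windows\System32\svchost.exe",
    4: "System",
    2100: r"C:\Program Files\Bonjour\mDNSResponder.exe",
    7344: r"C:\Users\Public\Libraries\update\launcher.exe",
    5588: r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    6200: r"C:\Program Files\Mozilla Firefox\firefox.exe",
}

LOOPBACK_PREFIXES = ("127.", "[::1]")
HIGH_PORT_MIN = 10000  # assumed threshold for a "high" port; tune per estate
EXPECTED_LISTENERS = {  # assumed allowlist of known-benign loopback listeners
    r"C:\Program Files\Bonjour\mDNSResponder.exe",
}
# Script hosts / LOLBins that should not be serving HTTP on loopback (assumed list).
SUSPICIOUS_HOST_PROCS = (
    "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
)

# Matches only TCP sockets in LISTENING state; captures local address and PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


@dataclass
class Finding:
    port: int
    pid: int
    image: str
    reason: str


def split_local(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def find_loopback_listeners(netstat_text, procs):
    """Return findings for loopback high-port listeners not on the allowlist."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = split_local(m.group("local"))
        if not host.startswith(LOOPBACK_PREFIXES) or port < HIGH_PORT_MIN:
            continue
        pid = int(m.group("pid"))
        image = procs.get(pid, "<unknown>")
        if image in EXPECTED_LISTENERS:
            continue
        name = image.rsplit("\\", 1)[-1].lower()
        lowered = image.lower()
        if name in SUSPICIOUS_HOST_PROCS:
            reason = "script/LOLBin host process listening on loopback high port"
        elif "\\users\\" in lowered or "\\programdata\\" in lowered:
            reason = "listener from user-writable path"
        else:
            reason = "unexpected loopback high-port listener"
        findings.append(Finding(port, pid, image, reason))
    return findings


if __name__ == "__main__":
    for f in find_loopback_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(f"port {f.port} pid {f.pid} {f.image}: {f.reason}")
```

On the constructed sample this reports the launcher under C:\Users\Public and the PowerShell listener, and ignores the allowlisted mDNS responder and the non-loopback sockets. In production, feed it live netstat and process data and review hits alongside the process's parent chain and signer, since a loopback listener by itself is only an indicator, not proof of compromise.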

January 26, 2026 · Comfidentia