
"The cybersecurity company said it identified the PeckBirdy script framework in 2023 after it observed multiple Chinese gambling websites being injected with malicious scripts, which are designed to download and execute the primary payload in order to facilitate the remote delivery and execution of JavaScript. The end goal of this routine is to serve fake software update web pages for Google Chrome so as to trick users into downloading and running bogus update files, thereby infecting the machines with malware in the process."
"The second campaign, observed first in July 2024 and referred to as SHADOW-EARTH-045, involves targeting Asian government entities and private organizations -- including a Philippine educational institution -- injecting PeckBirdy links into government websites to likely serve scripts for credential harvesting on the website. "In one case, the injection was on a login page of a government system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization,""
PeckBirdy is a JScript-based command-and-control framework designed for cross-environment execution via LOLBins. The framework has been used since 2023 against Chinese gambling sites and since July 2024 in campaigns targeting Asian government entities and private organizations, including a Philippine educational institution. Operators injected malicious scripts and PeckBirdy links into legitimate websites to download and execute payloads, serve fake Google Chrome update pages and harvest credentials. The framework can be executed via MSHTA to provide remote access and support lateral movement. Activity clusters using PeckBirdy are tracked as SHADOW-VOID-044 and SHADOW-EARTH-045.
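As a defender-side illustration of the MSHTA pattern the summary mentions, the following added example (not code from The Hacker News article or from the research it reports on) flags process-creation events in which mshta.exe is launched with a remote URL on its command line. The event records, their field names and the `.invalid` hostnames are constructed for the example.

```python
import re

# Constructed sample process-creation events; the field layout is an assumption,
# not a real EDR or Sysmon schema, and the hosts are reserved .invalid names.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://update-cdn.example.invalid/chrome/update.hta"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe http://docs.example.invalid/readme.txt"},
]

# Any http/https/ftp URL anywhere in the command line.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


def classify_event(event):
    """Return the remote URL mshta.exe was asked to load, or None if benign."""
    exe_name = event["image"].lower().rsplit("\\", 1)[-1]
    if exe_name != "mshta.exe":
        return None          # only the LOLBin named in the report is in scope here
    match = REMOTE_URL.search(event["cmdline"])
    return match.group(0) if match else None


def triage(events):
    """Collect (parent process, remote URL) pairs for suspicious mshta launches."""
    hits = []
    for event in events:
        url = classify_event(event)
        if url:
            hits.append((event["parent"], url))
    return hits


if __name__ == "__main__":
    for parent, url in triage(SAMPLE_EVENTS):
        print(f"mshta.exe launched by {parent} loading remote content: {url}")
```

A local .hta path and a non-mshta process carrying a URL are intentionally left unflagged so the rule stays narrow; widen it only with the parent-process and network context your telemetry provides.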
Read at The Hacker News