Chinese APTs Hacking Asian Orgs With High-End Malware

These articles are AI-generated summaries. Please check the original sources for full details.

China-linked advanced persistent threat (APT) groups are using new cyber weaponry to target Chinese gambling sites and government entities in Asia, with the Asia-Pacific region accounting for over half of all APT activity worldwide. The groups are utilizing sophisticated command-and-control tools, such as “PeckBirdy”, to deliver malware and steal credentials from private organizations and government-affiliated targets.

Why This Matters

The rising threat level in the Asia-Pacific region shows how blurred the boundary between cybercrime and cyberespionage has become, with APT groups using shared tools and infrastructure to carry out attacks. The use of advanced malware and tactics, techniques, and procedures (TTPs) carries significant costs: one study tracked 22 billion more browser-based cyberattacks in APAC in 2024 than in 2023.

Key Insights

  • Trend Micro has been tracking two threat actors using the PeckBirdy C2 tool since 2023: Shadow-Void-044 and Shadow-Earth-045.
  • The PeckBirdy tool can be used in different environments, including browser, NodeJS, and Windows Script Host, allowing attackers to change their attack vectors based on the target’s environment.
  • The malware is written in JScript, which lets it adapt to different environments by running through different living-off-the-land binaries (LOLBins).

Working Example

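// PeckBirdy C2 tool example in JScript (Windows Script Host)
// Placeholder value, assumed here so the snippet is complete.
var command = "whoami";
var objShell = new ActiveXObject("WScript.Shell");
// Run() passes the string to cmd.exe, so the script host becomes the parent of a cmd.exe process.
objShell.Run("cmd.exe /c " + command);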
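
Seen from the defender's side, the snippet above leaves a recognizable trace: a script host process starting cmd.exe with /c. The following is an added example, not code from the original article or from Trend Micro, that flags that parent-child pattern in process-creation events; the event field names, the sample events and the inclusion of mshta.exe are assumptions made for illustration.

```python
import ntpath
import re

# Script hosts that can execute JScript. wscript.exe and cscript.exe are the
# Windows Script Host binaries; mshta.exe is included as an assumption, since
# the page names LOLBins only in general terms.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Matches cmd.exe invoked with /c or /k, with or without a quoted full path.
CMD_RE = re.compile(r'^"?(?:[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\b', re.IGNORECASE)

def is_suspicious(event):
    """True when a script host is the parent of a cmd.exe /c (or /k) child."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    child = ntpath.basename(event.get("image", "")).lower()
    if parent not in SCRIPT_HOSTS or child != "cmd.exe":
        return False
    return bool(CMD_RE.match(event.get("command_line", "").strip()))

def triage(events):
    """Return (host, parent, command_line) for each flagged event."""
    return [(e["host"], ntpath.basename(e["parent_image"]), e["command_line"])
            for e in events if is_suspicious(e)]

# Constructed sample events (hypothetical field names modelled loosely on
# process-creation telemetry; none of these come from a real incident).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c dir'},
    {"host": "ws-03", "parent_image": r"C:\Windows\SysWOW64\CSCRIPT.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C ipconfig /all'},
    {"host": "ws-04", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Legitimate logon scripts and administrative tooling also launch cmd.exe from script hosts, so a rule like this is normally tuned with an allowlist of known parent scripts before it is used for alerting.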

Practical Applications

  • Use Case: Chinese APT groups are using PeckBirdy to target government entities and private organizations in Asia, highlighting the need for robust cybersecurity measures.
  • Pitfall: The use of shared tools and infrastructure by APT groups can make it difficult to attribute attacks and track the source of the threat.
