TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Trend Micro Research

PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups

Joseph C Chen · 2026-01-26

ATT&CK techniques detected (12 predictions)
T1204.002 Malicious File (82%)
“…display fake software update webpages for Google Chrome to entice victims into downloading and executing malicious update files, which are backdoors prepared by the attackers. This constitutes the first campaign we identified, which we are tracking under the name Shadow-Void-…”

T1105 Ingress Tool Transfer (78%)
“…deployed a customized simple downloader used to retrieve the payload from the remote server downloader that we tracked as NexLoad. The noteworthy feature of NexLoad is that it will send a string in a specific format, “{string}#{string}”, during the first connection. Next, …”

T1204.002 Malicious File (73%)
“…only one we received was a short script for stealing the cookie values of injected websites on browsers. We also discovered additional script files hosted on one of PeckBirdy’s servers (belonging to Shadow-Void-044) which appear to be delivered and executed through PeckBir…”

T1071.001 Web Protocols (72%)
“…’s machines. It then combines this information with MD5 to generate a hash value which serves as the victim ID. If this step fails, or if it occurs in other environments that are unable to retrieve hardware information, it directly generates a 32-character random string as a vi…”

T1204.002 Malicious File (69%)
“…execution environments via LOLBins (living off the land binaries). This flexibility allowed us to observe PeckBirdy in various kill chain stages, including being used as a watering-hole control server during the initial attack phase, as a reverse shell server during the later…”

T1071.001 Web Protocols (64%)
“…used by Shadow-Void-044 connected to the same C&C server (mkdmcdn[.]com), which is the same used by TheWizard. While we didn’t see any additional connections between Campaign Alpha and TheWizard, it’s worth noting that TheWizard also used the DarkNimbus backdoor wh…”

T1059.001 PowerShell (58%)
“…previously reported to be utilized by UNC3569) was hosted on a server (47[.]238[.]219[.]111) operated by this campaign. The GrayRabbit sample we observed was slightly different, using a DLL sideloading technique combined with the UuidFromStringA function of PowerShell…”

T1195.002 Compromise Software Supply Chain (47%)
“…display fake software update webpages for Google Chrome to entice victims into downloading and executing malicious update files, which are backdoors prepared by the attackers. This constitutes the first campaign we identified, which we are tracking under the name Shadow-Void-…”

T1588.003 Code Signing Certificates (41%)
“…used by Shadow-Void-044 connected to the same C&C server (mkdmcdn[.]com), which is the same used by TheWizard. While we didn’t see any additional connections between Campaign Alpha and TheWizard, it’s worth noting that TheWizard also used the DarkNimbus backdoor wh…”

T1204 User Execution (34%)
“…display fake software update webpages for Google Chrome to entice victims into downloading and executing malicious update files, which are backdoors prepared by the attackers. This constitutes the first campaign we identified, which we are tracking under the name Shadow-Void-…”

T1059 Command and Scripting Interpreter (34%)
“…which includes the following items. Table 2. The configuration embedded in the PeckBirdy script. To extend PeckBirdy’s capability, its developer implemented it using an old script language known as JScript (followed by ECMAScript 3), and designed it to support multiple communi…”

T1189 Drive-by Compromise (32%)
“…only one we received was a short script for stealing the cookie values of injected websites on browsers. We also discovered additional script files hosted on one of PeckBirdy’s servers (belonging to Shadow-Void-044) which appear to be delivered and executed through PeckBir…”

Summary

PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to abuse LOLBins across multiple execution environments, delivering advanced backdoors against targets in the gambling industry and Asian government entities.