Blue Mockingbird Monero-mining campaign exploits public-facing web apps

Researchers at Red Canary Intel have warned about a new threat which they dubbed Blue Mockingbird that is deploying Monero cryptocurrency-mining payloads on Windows machines at multiple organizations.

“Blue Mockingbird” refers to a cluster of similar activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. Initial access is achieved by exploiting public-facing web applications that implement Telerik UI for ASP.NET AJAX, a suite of user interface components intended to accelerate web development.

Some versions of the suite, the researchers say, contain a .NET deserialization vulnerability (CVE-2019-18935) that can allow remote code execution. The flaw sits in the RadAsyncUpload handler of Progress Telerik UI for ASP.NET AJAX.

The bug is only exploitable when the attacker knows the encryption keys that protect the upload handler's configuration. Those keys can be obtained through two earlier RadAsyncUpload flaws, CVE-2017-11317 or CVE-2017-11357, or by other means. With the keys in hand, an attacker can craft an upload request whose encrypted configuration names a .NET type of their choosing, which the server then deserializes.
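The two conditions above (an unpatched Telerik.Web.UI assembly, and encryption keys never changed from the defaults that the 2017 flaws exposed) can both be audited on an IIS host. The following PowerShell script is an added example written for this page; it is not code from the article, from Red Canary, or from Telerik. It assumes that the three appSettings names are the keys Telerik documents for custom RadAsyncUpload and dialog encryption keys, that the caller sets $FixedVersion after checking the vendor advisory (the default here is an assumption, not a value from the article), and that $SiteRoot is a placeholder path.

```powershell
# Added example, not code from the article or from Telerik/Red Canary.
# Audits one IIS application for the two conditions the report describes:
#   1. Telerik.Web.UI.dll older than the release that fixed CVE-2019-18935
#   2. RadAsyncUpload/dialog encryption keys left unset in web.config (CVE-2017-11317)
# Assumptions (not from the article): the appSettings names below are the keys Telerik
# documents for custom encryption keys; $FixedVersion is an assumed value the caller should
# confirm against the vendor advisory; $SiteRoot is a placeholder path.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\app',
    [version]$FixedVersion = [version]'2020.1.114'
)

$keysToCheck = @(
    'Telerik.AsyncUpload.ConfigurationEncryptionKey',
    'Telerik.Upload.ConfigurationHashKey',
    'Telerik.Web.UI.DialogParametersEncryptionKey'
)

function Test-TelerikKeys {
    # Reports whether each custom key is set. An unset key means the component falls back
    # to a hardcoded default, which is exactly what the 2017 advisories made public.
    param([string]$WebConfigPath)
    if (-not (Test-Path $WebConfigPath)) { throw "web.config not found: $WebConfigPath" }
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $settings = @{}
    foreach ($add in $cfg.configuration.appSettings.add) { $settings[$add.key] = $add.value }
    foreach ($k in $keysToCheck) {
        [pscustomobject]@{
            Setting    = $k
            Configured = $settings.ContainsKey($k) -and -not [string]::IsNullOrWhiteSpace($settings[$k])
        }
    }
}

function Get-TelerikAssemblies {
    # Finds every Telerik.Web.UI.dll under the site and compares its file version to the
    # first fixed build. A version below the threshold is necessary but not sufficient for
    # exploitation: the attacker still needs the keys checked above.
    param([string]$Root, [version]$Fixed)
    Get-ChildItem -Path $Root -Recurse -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = [version]$_.VersionInfo.FileVersion
            [pscustomobject]@{ Path = $_.FullName; Version = $v; Patched = ($v -ge $Fixed) }
        }
}

Test-TelerikKeys -WebConfigPath (Join-Path $SiteRoot 'web.config')
Get-TelerikAssemblies -Root $SiteRoot -Fixed $FixedVersion
```

Run it once per application root on the web tier. A row with Configured = False on any of the three keys, or an assembly row with Patched = False, is the state the campaign targets; fixing either condition is the mitigation the researchers recommend, and applying the vendor update addresses both.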

In the observed attacks, the threat actor exploited unpatched versions of Telerik UI for ASP.NET AJAX to deploy the XMRig Monero-mining payload in DLL form on Windows systems, and then established persistence on the compromised hosts using multiple techniques.

The most novel technique was a COR_PROFILER COM hijack used to execute the malicious DLL. The .NET Framework reads the environment variables COR_ENABLE_PROFILING and COR_PROFILER at CLR startup and, when they are set, loads the DLL registered for the named CLSID into the process, so any managed code that started afterwards ran the miner. The attackers set these variables with wmic.exe and used Windows Registry modifications to point the CLSID's registration at their DLL payload.
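A host can be checked for this persistence mechanism by reading the same locations the attackers wrote to. The PowerShell script below is an added example written for this page, not code from the article or from Red Canary. Its assumptions: the registry paths it reads are where machine-wide and per-user environment variables persist, the Win32_Environment WMI class reflects variables created with wmic.exe for other accounts, and the CLSID pattern it matches is the standard {8-4-4-4-12} GUID form.

```powershell
# Added example, not code from the article or from Red Canary. Hunts a Windows host for
# CLR profiler persistence of the kind described above. Mechanism: when a process sees
# COR_ENABLE_PROFILING=1 and COR_PROFILER={CLSID}, the .NET Framework loads the DLL
# registered for that CLSID at CLR startup. The registry locations, the WMI class and the
# CLSID regex below are this example's assumptions about where such settings persist.

$profilerVars = @('COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH')

function Get-PersistedProfilerVars {
    # Machine-wide and current-user environment blocks stored in the registry, plus the
    # WMI view (what "wmic ENVIRONMENT ..." writes), which also covers other accounts.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
        'HKCU:\Environment'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $profilerVars) {
            if ($props.PSObject.Properties[$name]) {
                [pscustomobject]@{ Source = $key; Name = $name; Value = $props.$name }
            }
        }
    }
    Get-CimInstance -ClassName Win32_Environment |
        Where-Object { $profilerVars -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Source = "Win32_Environment ($($_.UserName))"
                Name   = $_.Name
                Value  = $_.VariableValue
            }
        }
}

function Resolve-ProfilerDll {
    # COM resolution consults HKCU\Software\Classes before HKLM\Software\Classes, so a
    # per-user CLSID registration is checked first; the InprocServer32 default value is
    # the DLL the CLR will load.
    param([string]$Clsid)
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            [pscustomobject]@{ Key = $key; Dll = (Get-ItemProperty -Path $key).'(default)' }
        }
    }
}

$hits = @(Get-PersistedProfilerVars)
if ($hits.Count -eq 0) { Write-Output 'No persisted CLR profiler variables found.' }
foreach ($h in $hits) {
    $h
    if ($h.Name -eq 'COR_PROFILER' -and $h.Value -match '^\{[0-9A-Fa-f-]{36}\}$') {
        Resolve-ProfilerDll -Clsid $h.Value
    }
    elseif ($h.Name -eq 'COR_PROFILER_PATH') {
        # A direct path skips the registry lookup entirely, so report it as the DLL.
        [pscustomobject]@{ Key = '(COR_PROFILER_PATH, no registry lookup)'; Dll = $h.Value }
    }
}
```

Legitimate .NET APM agents register profilers through the same variables, usually scoped to one service account or process rather than set machine-wide, so treat a hit as a lead rather than a verdict: the questions to ask are who set the variable, whether the resolved DLL is a signed product component, and whether it lives outside the usual program directories.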

In one of the observed cases the attackers used a JuicyPotato exploit to escalate privileges to SYSTEM, and in another they used Mimikatz (the official signed build) to harvest logon credentials.

The researchers said the Blue Mockingbird campaign has been active since December 2019 and continued at least through April 2020.

“For mitigations, focus on patching web servers, web applications, and dependencies of the applications. Most of the techniques used by Blue Mockingbird will bypass whitelisting technologies, so the best route will be to inhibit initial access,” the researchers advised.
