Blue Mockingbird

Threat Actor Profile Updated 24 days ago
Blue Mockingbird is a threat actor group first observed in December 2019 whose intrusions are aimed primarily at mining Monero cryptocurrency. The group gains initial access by exploiting public-facing web applications, specifically ones built with Telerik UI for ASP.NET AJAX. This suite of user-interface components speeds up web development, but some versions are affected by a deserialization vulnerability, CVE-2019-18935, which Blue Mockingbird uses as its common point of entry; in at least two incidents the group exploited it to get in.

Once inside, Blue Mockingbird deploys its primary payload, a build of XMRIG packaged as a dynamic-link library (DLL) on Windows systems. For persistence the group uses more than one technique, including the COR_PROFILER mechanism (environment variables that make every .NET process load a profiler DLL of the attacker's choosing) and, in some cases, new Windows services that perform a similar function. The initial access obtained through the web application does not carry the privileges needed to set up these persistence mechanisms, so the group must escalate privileges after gaining access.

Blue Mockingbird moves laterally and distributes mining payloads opportunistically across an enterprise. The group has been observed using Remote Desktop Protocol to reach privileged systems and Windows Explorer to copy payloads to remote hosts, and it has also been seen experimenting with different tools for creating SOCKS proxies to pivot through the network.
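A defender's first check for the COR_PROFILER persistence described above, added here as an example that is not part of the original profile or of the underlying report. The CLR reads the profiler settings from the machine environment, from each user's environment, and from a service's own Environment value, so the script walks all three in the registry and, where COR_PROFILER holds a CLSID rather than a path, resolves it to the registered DLL. It assumes it is run locally with administrative rights; the variable and function names are the example's own.

```powershell
# Added example (not from the original profile): enumerate every place the CLR
# reads COR_PROFILER settings so an analyst can spot an unexpected profiler DLL.
# Assumption: run locally with administrative rights.

$profilerNames = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                 'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64',
                 'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'

function Get-ProfilerSettingsFromKey {
    param([string]$KeyPath, [string]$Scope)
    if (-not (Test-Path $KeyPath)) { return }
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $profilerNames) {
        $prop = $item.PSObject.Properties[$name]
        if ($prop -and $prop.Value) {
            [pscustomobject]@{ Scope = $Scope; Name = $name; Value = $prop.Value; Key = $KeyPath }
        }
    }
}

$findings = @()

# 1. Machine-wide environment: applies to every CLR process, including IIS worker processes.
$findings += Get-ProfilerSettingsFromKey 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' 'Machine'

# 2. Per-user environment for every loaded user hive.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $findings += Get-ProfilerSettingsFromKey "Registry::$($hive.Name)\Environment" "User $($hive.PSChildName)"
}

# 3. Per-service environment: a REG_MULTI_SZ "Environment" value of NAME=value entries under each service key.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $svcEnv = (Get-ItemProperty -Path $svc.PSPath -Name Environment -ErrorAction SilentlyContinue).Environment
    foreach ($entry in @($svcEnv)) {
        $pair = "$entry" -split '=', 2
        if ($pair.Count -eq 2 -and $profilerNames -contains $pair[0]) {
            $findings += [pscustomobject]@{ Scope = "Service $($svc.PSChildName)"; Name = $pair[0]; Value = $pair[1]; Key = $svc.PSPath }
        }
    }
}
$findings = @($findings | Where-Object { $_ })

# 4. When COR_PROFILER is a CLSID, show which DLL that CLSID is registered to load.
foreach ($f in $findings | Where-Object { $_.Name -in @('COR_PROFILER', 'CORECLR_PROFILER') }) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $inproc = Join-Path $root "$($f.Value)\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            $f | Add-Member -NotePropertyName RegisteredDll -NotePropertyValue $dll -Force
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No CLR profiler settings found in machine, user or service environments.'
}
```

Any hit is worth a look: legitimate APM agents do register profilers, but a profiler DLL living under a world-writable directory, a web root, or a Telerik upload path, or one that is set only in a service's own environment, is the pattern to escalate. Pair the registry check with a process listing, since the variables may also have been injected into a running process without being written to the registry.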
Source Document References
Information about the Blue Mockingbird threat actor was read from the documents below.

Source: MITRE, a year ago, "Blue Mockingbird activity mines Monero cryptocurrency"