Blue Mockingbird is a threat actor group that emerged in December 2019, known for sophisticated intrusions aimed primarily at mining Monero cryptocurrency. The group gains initial access by exploiting public-facing web applications, specifically those built with Telerik UI for ASP.NET AJAX. Some versions of this suite of user-interface components, while useful for accelerating web development, are susceptible to a deserialization vulnerability (CVE-2019-18935), which Blue Mockingbird uses as a common point of entry. In at least two incidents, the group has successfully exploited this vulnerability to gain access.
Once inside, Blue Mockingbird deploys its primary payload, a build of XMRIG packaged as a dynamic-link library (DLL) on Windows systems. To maintain persistence, the group uses several techniques, including the COR_PROFILER mechanism, and in some instances creates new services to achieve the same effect. Notably, the initial access does not by itself confer the privileges these persistence mechanisms require, which indicates that the group escalates privileges after gaining access.
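Because COR_PROFILER persistence is configured entirely through environment variables, a practical check is to enumerate the registry locations where the .NET profiler variables can be set and resolve any CLSID-form value to the DLL it would load. The script below is an added example written for this page, not code from the original description or from any vendor's tooling; it assumes Windows PowerShell 5.1 or later in an elevated session so that all hives are readable.

```powershell
# Added example (not from the original page): audit the registry locations where
# .NET profiler variables are set. Assumes an elevated PowerShell 5.1+ session.
$ProfilerVars = @(
    'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
    'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64',
    'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'
)
function Get-ProfilerPersistence {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Machine-wide and current-user environment blocks.
    $envKeys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
                 'HKCU:\Environment')
    foreach ($key in $envKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $ProfilerVars) {
            if ($props -and $props.PSObject.Properties[$name]) {
                $findings.Add([pscustomobject]@{
                    Scope = $key; Name = $name; Value = $props.$name; Dll = $null })
            }
        }
    }
    # 2. Per-service Environment values (REG_MULTI_SZ of NAME=VALUE lines), which
    #    scope the profiler to one service without touching the global variables.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $svc = $_.PSChildName
        $svcEnv = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Environment
        foreach ($line in @($svcEnv)) {
            $parts = [string]$line -split '=', 2
            if ($parts.Count -eq 2 -and $ProfilerVars -contains $parts[0]) {
                $findings.Add([pscustomobject]@{
                    Scope = "Service\$svc"; Name = $parts[0]; Value = $parts[1]; Dll = $null })
            }
        }
      }
    # 3. A CLSID-form COR_PROFILER loads whatever InprocServer32 points at, so
    #    resolve it to the DLL path; a *_PATH variable already names the DLL.
    foreach ($f in $findings) {
        if ($f.Name -like '*PROFILER' -and $f.Value -match '^\{[0-9A-Fa-f-]{36}\}$') {
            $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$($f.Value)\InprocServer32"
            $f.Dll = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        } elseif ($f.Name -like '*PROFILER_PATH*') {
            $f.Dll = $f.Value
        }
    }
    return $findings
}

Get-ProfilerPersistence | Format-Table Scope, Name, Value, Dll -AutoSize
```

Legitimate APM and diagnostics agents register profilers the same way, so each finding identifies a DLL to vet (publisher, path, hash) rather than a confirmed compromise.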
Blue Mockingbird shows a preference for lateral movement across the network, distributing mining payloads opportunistically throughout an enterprise. We've observed the group using a combination of Remote Desktop Protocol and Windows Explorer to access privileged systems and distribute payloads to remote hosts. The group has also been seen experimenting with different tools to create SOCKS proxies for pivoting. These tactics underline the group's evolving capabilities and the persistent threat it poses.
Description last updated: 2024-05-05T04:01:00.925Z