Blue Mockingbird

Threat Actor Profile (updated 3 months ago)
Blue Mockingbird is a threat actor group that emerged in December 2019, known for sophisticated cyber attacks aimed primarily at mining Monero cryptocurrency. The group gains initial access by exploiting public-facing web applications, specifically those built with Telerik UI for ASP.NET AJAX. This suite of user interface components speeds up web development, but some versions are susceptible to a deserialization vulnerability (CVE-2019-18935), which Blue Mockingbird uses as its common point of entry. In at least two incidents, the group successfully exploited this vulnerability to gain access.

Once inside, Blue Mockingbird deploys its primary payload, a version of XMRig packaged as a dynamic-link library (DLL) on Windows systems. To persist, the group uses multiple techniques, including the COR_PROFILER mechanism, and in some instances creates new services to perform similar actions. The initial access does not, however, provide the privileges needed to establish these persistence mechanisms, which indicates that the group escalates privileges after gaining access.

Blue Mockingbird shows a preference for lateral movement across the network, distributing mining payloads opportunistically across an enterprise. We've observed the group using a combination of Remote Desktop Protocol and Windows Explorer for accessing privileged systems and distributing payloads to remote systems. The group has also been seen experimenting with different tools to create SOCKS proxies for pivoting. Such tactics underscore the group's evolving capabilities and its persistent threat.
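A defender's first check for the COR_PROFILER persistence described above, added here as an example and not taken from the profile or its sources: it enumerates the registry locations from which the .NET runtime picks up CLR profiler settings (the machine and user environment blocks and per-service Environment values) and resolves any COR_PROFILER CLSID to the DLL registered for it. It assumes an elevated PowerShell session so the HKLM keys are readable; the `$profilerNames` list and the output shape are my choices.

```powershell
# Added example, not code from the profile or its sources. Run elevated so HKLM is readable.
# The .NET runtime loads a profiler DLL when COR_ENABLE_PROFILING=1 and COR_PROFILER names a
# CLSID (or COR_PROFILER_PATH names a DLL) in a process's environment; the three registry
# areas below are where such variables survive a reboot. Legitimate APM agents use the same
# mechanism, so every hit needs review rather than automatic removal.
$profilerNames = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                 'COR_PROFILER_PATH_32', 'COR_PROFILER_PATH_64'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Scope, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Name = $Name; Value = $Value })
}

# 1. Machine-wide and current-user environment blocks (inherited by every new process)
$envKeys = @{
    'Machine' = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    'User'    = 'HKCU:\Environment'
}
foreach ($scope in $envKeys.Keys) {
    $props = Get-ItemProperty -Path $envKeys[$scope] -ErrorAction SilentlyContinue
    foreach ($name in $profilerNames) {
        if ($props -and $null -ne $props.$name) { Add-Finding $scope $name ($props.$name) }
    }
}

# 2. Per-service Environment values: a REG_MULTI_SZ of NAME=VALUE lines that apply only
#    to that service's process, a quieter place to hide than the global environment.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
foreach ($svc in $services) {
    $entries = (Get-ItemProperty -Path $svc.PSPath -Name Environment -ErrorAction SilentlyContinue).Environment
    if (-not $entries) { continue }
    foreach ($entry in @($entries)) {
        $name, $value = $entry -split '=', 2
        if ($profilerNames -contains $name) { Add-Finding "Service:$($svc.PSChildName)" $name $value }
    }
}

# 3. Resolve each COR_PROFILER CLSID to the DLL registered as its in-process server,
#    which is the file the CLR would actually load.
foreach ($hit in @($findings | Where-Object Name -eq 'COR_PROFILER')) {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($hit.Value)\InprocServer32"
    $server = Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue
    $dll = if ($server) { $server.'(default)' } else { '<CLSID not registered>' }
    Add-Finding "CLSID:$($hit.Value)" 'InprocServer32' $dll
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No CLR profiler settings found.' }
```

A COR_PROFILER hit whose CLSID resolves to a DLL outside a known monitoring product's install directory, or whose CLSID is not registered at all, is the case worth escalating.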
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Vulnerability, Windows, T1090, Proxy, Payload, exploited, T1021.001, T1190, T1021.002, exploitation, Telerik
Associated Malware
ID: Xmrig | Type: Unspecified | Votes: 1
Profile Description: XMRig is a type of malware that is particularly harmful to computer systems and devices. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID: CVE-2019-18935 | Type: Unspecified | Votes: 1
Profile Description: CVE-2019-18935 is a .NET deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX, a component used on Microsoft's Internet Information Services (IIS) web server. The flaw was exploited by multiple cyber threat actors, including an Advan
Source Document References
Information about the Blue Mockingbird threat actor was read from the document corpus below.
Source | Created At | Title
MITRE | a year ago | Blue Mockingbird activity mines Monero cryptocurrency