A grouping of similar threat activity dubbed “Blue Mockingbird” attempted to distribute Monero-mining malware payloads across its enterprise targets.

Red Canary Intel discovered that the earliest examples of Blue Mockingbird traced back to December 2019. In two of the incidents investigated by the security firm, the threat gained entry into a targeted organization’s network by exploiting a deserialization vulnerability (CVE-2019-18935) affecting public-facing web applications that implemented Telerik UI for ASP.NET AJAX. This process enabled the threat to upload two dynamic-link libraries (DLLs) to a Windows IIS web server’s web app.
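Since the entry point described above is a web-facing upload handler, one defensive check is to review IIS access logs for requests to that handler. The script below is an added example written for this article, not code from the original post or from Red Canary; it assumes the Telerik UI for ASP.NET AJAX asynchronous-upload handler lives at `Telerik.Web.UI.WebResource.axd` and is selected with the query parameter `type=rau` (as documented for CVE-2019-18935), and it runs over constructed sample IIS W3C log lines rather than real traffic.

```python
"""
Added example (not from the original article): scan IIS W3C access-log lines
for POST requests to the Telerik asynchronous-upload handler associated with
CVE-2019-18935 and summarise them per client address.

Assumptions (not taken from the article):
  - handler path: /Telerik.Web.UI.WebResource.axd
  - query parameter selecting the upload handler: type=rau
  - the log lines in SAMPLE_LOG are constructed for this example.
"""
from collections import Counter

# Constructed sample IIS log excerpt in W3C format (the #Fields line defines
# the column order, exactly as a real IIS log would).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2019-12-10 03:14:07 10.0.0.5 GET /Default.aspx - 198.51.100.23 Mozilla/5.0 200
2019-12-10 03:14:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 python-requests/2.22.0 200
2019-12-10 03:14:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.23 python-requests/2.22.0 200
2019-12-10 03:20:41 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 Mozilla/5.0 404
2019-12-10 03:22:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 Mozilla/5.0 500
"""

TELERIK_HANDLER = "telerik.web.ui.webresource.axd"  # compared case-insensitively
RAU_MARKER = "type=rau"                            # assumed upload-handler selector


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields names.

    Lines starting with '#' are directives; the '#Fields:' directive sets the
    column layout for the data lines that follow it. Malformed data lines
    (wrong column count) are skipped rather than raising.
    """
    fields = []
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def find_rau_uploads(records):
    """Return the records that are POSTs to the Telerik upload handler."""
    hits = []
    for rec in records:
        if rec.get("cs-method", "").upper() != "POST":
            continue
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        if stem.endswith(TELERIK_HANDLER) and RAU_MARKER in query:
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count handler POSTs per client IP so bursts from one source stand out."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    found = find_rau_uploads(parse_iis_log(SAMPLE_LOG))
    for rec in found:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} "
              f"status={rec['sc-status']} ua={rec['cs(User-Agent)']}")
    print("per-client totals:", dict(summarize_by_client(found)))
```

Legitimate applications that use the upload control also POST to this handler, so the output is a triage list, not a verdict: look at the client address, the user agent, response codes, and whether new DLLs appeared on the server around the same timestamps.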

The main payload dropped by Blue Mockingbird was XMRig, a well-known Monero-mining tool that adversaries have commonly incorporated into their attack campaigns. Not content with one victim, digital attackers commonly abused the remote desktop protocol (RDP) to move laterally throughout the network so they could distribute payloads throughout the enterprise. This increased the overall efficacy and profitability of a single attack instance.

Other Recent Monero-Mining Campaigns

Blue Mockingbird isn’t the sole Monero-mining attack campaign that’s targeted enterprises in recent years. Back in early 2018, for instance, Kaseya issued a series of patches in response to a vulnerability that some malicious actors had abused to target vulnerable organizations with Monero-mining software.

In May 2018, Imperva observed digital attackers exploiting a remote code execution (RCE) vulnerability to spread the ‘Kitty’ Monero miner. More than a year later in October 2019, Palo Alto Networks’ Unit 42 spotted a cryptojacking worm spreading through containers in the Docker Engine to activate a Monero miner.

Defend Against Blue Mockingbird

Security professionals can help defend their organizations against threat activity such as Blue Mockingbird by using risk assessments to determine the impact that a Monero-mining attack could have on their business assets. Infosec teams should also disable JavaScript in browsers wherever feasible and use updated threat intelligence to stay on top of the latest crypto-mining attacks.
