Blue Mockingbird Malware Gang
I. Targeted Industries
- Higher Education
- General Businesses
- Financial Institutions
Malware researchers from cloud security firm Red Canary discovered a cryptocurrency mining malware called Blue Mockingbird Malware. This malware installs the popular mining application XMRig on a victim's computer after modifying the server settings to gain persistence across reboots. According to researchers, the public-facing servers attacked run ASP.NET apps that use the Telerik framework for their user interface (UI) component.
The malware was spotted this month, but malware analysts say the Blue Mockingbird group has been active since December of 2019. It is believed that the Blue Mockingbird Malware has infected thousands of enterprise systems with many users unaware of being infected. Many firms and developers may be unaware of whether the Telerik framework component is a part of their applications.
III. Background Information
The Blue Mockingbird Malware recently exploited public-facing web applications that use the Telerik UI for ASP.NET AJAX component. The Telerik vulnerability CVE-2019-18935 is listed as one of the most exploited vulnerabilities used to plant web shells on servers, and the gang exploited it to place a web shell on the targeted server. From the web shell, the gang escalates privileges with a local privilege escalation tool called “JuicyPotato”. JuicyPotato allows an attacker to misuse the SeImpersonate token privilege and Windows DCOM to escalate privileges within a system. Once the hackers obtain admin access, they modify server settings to get reboot persistence and download and install a version of XMRig (a popular cryptocurrency mining app used to mine Monero (XMR) cryptocurrency).
Additionally, Red Canary malware analysts have found that if the public-facing servers are connected to an organization’s internal network, the malware gang will try to spread through the Remote Desktop Protocol (RDP) and SMB (Server Message Block) connections.
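Because the report notes that many organizations do not know whether the Telerik component is present in their applications, the following PowerShell script is included here as an added example (it is not from the advisory or from Red Canary) to inventory Telerik UI for ASP.NET AJAX assemblies across every IIS site and application on a server and flag builds older than the patched release. It assumes the IIS `WebAdministration` module is available, that the component ships as `Telerik.Web.UI.dll` in the site's `bin\` folder, and it uses `$PatchedVersion` as a placeholder that must be set to the fixed build number from the vendor advisory for CVE-2019-18935.

```powershell
# Added example, not the advisory's own code: inventory Telerik UI for ASP.NET AJAX
# assemblies under each IIS site/application and flag versions older than the
# patched build. Run as an administrator on the IIS server.
param(
    # PLACEHOLDER: set to the fixed build number published in the vendor advisory.
    [version]$PatchedVersion = [version]'0.0.0.0'
)

Import-Module WebAdministration -ErrorAction Stop

function Get-TelerikAssemblyReport {
    param([version]$Patched)

    # Collect every IIS site and nested application with its physical path on disk.
    $roots = foreach ($site in Get-Website) {
        [pscustomobject]@{
            Site = $site.Name
            Path = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        }
        foreach ($app in Get-WebApplication -Site $site.Name) {
            [pscustomobject]@{
                Site = "$($site.Name)$($app.Path)"
                Path = [Environment]::ExpandEnvironmentVariables($app.PhysicalPath)
            }
        }
    }

    foreach ($root in ($roots | Sort-Object Path -Unique)) {
        if (-not (Test-Path -LiteralPath $root.Path)) { continue }
        # The component is deployed as Telerik.Web.UI.dll (normally under bin\).
        Get-ChildItem -LiteralPath $root.Path -Filter 'Telerik.Web.UI.dll' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Build a comparable [version] from the numeric file-version parts.
                $v = New-Object version ($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                [pscustomobject]@{
                    Site       = $root.Site
                    Assembly   = $_.FullName
                    Version    = $v
                    Vulnerable = ($v -lt $Patched)
                }
            }
    }
}

# Usage: list every Telerik assembly found, vulnerable ones first.
Get-TelerikAssemblyReport -Patched $PatchedVersion |
    Sort-Object Vulnerable -Descending |
    Format-Table -AutoSize
```

Any row marked `Vulnerable = True` identifies an application that the "Patch Updates" recommendation below applies to; an empty result means no Telerik UI for ASP.NET AJAX assembly was found under the IIS content roots, though applications hosted outside IIS would need a separate search.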
- Patch Updates
Check whether the Telerik UI for ASP.NET AJAX component is part of your applications and, if so, update the affected applications.
- Deactivate Remote Desktop and Server Message Block Protocols
RDP and SMB should be deactivated if they are not being used. If they are used, closely monitor remote access by checking for unusual activity in the event logs.
- Block at the firewall level
Block exploitation attempts for CVE-2019-18935 at the firewall level (if there is no web firewall, check for the compromise at the workstation and server level).
- Malware Monitoring
Continue to monitor and stay informed as new information and advancements occur with the malware.
- Set Windows Scheduled Tasks
Establish a baseline of Windows scheduled tasks on your systems to identify what is normal across the enterprise.
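The two monitoring items above (checking event logs for unusual remote access, and baselining scheduled tasks) are demonstrated by the following PowerShell script, which is an added example and not part of this advisory or of Red Canary's work. It assumes it runs as an administrator on the Windows server, that the Security log retains successful-logon events (Event ID 4624, whose LogonType 10 denotes a Remote Desktop session), and that `C:\Baselines\scheduled-tasks.json` is an acceptable location for the baseline file; the look-back window and file path are assumptions, not values from the report.

```powershell
# Added example, not the advisory's own code. Two defender checks:
#  1. Summarise RDP logons (Security event 4624 with LogonType 10) per account
#     and source address over a look-back window.
#  2. Snapshot every scheduled task to a JSON baseline and later diff the live
#     task list against it to surface new or modified tasks.

function Get-RdpLogonSummary {
    param([int]$Hours = 24)   # assumed look-back window
    $since = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon. Parse the event XML to read LogonType and peer address.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -eq '10') {    # 10 = RemoteInteractive (RDP)
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Source  = $d['IpAddress']
                }
            }
        } |
        Group-Object Account, Source |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                Account = $ordered[0].Account
                Source  = $ordered[0].Source
                Logons  = $_.Count
                First   = $ordered[0].Time
                Last    = $ordered[-1].Time
            }
        } | Sort-Object Logons -Descending
}

function Get-ScheduledTaskSnapshot {
    # One flat record per task: what it runs, as whom, and at what privilege.
    Get-ScheduledTask | ForEach-Object {
        $actions = $_.Actions | ForEach-Object {
            # Exec actions expose Execute/Arguments; COM-handler actions expose ClassId.
            if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() } else { "COM:$($_.ClassId)" }
        }
        [pscustomobject]@{
            Task      = "$($_.TaskPath)$($_.TaskName)"
            State     = [string]$_.State
            Principal = $_.Principal.UserId
            RunLevel  = [string]$_.Principal.RunLevel
            Actions   = ($actions -join ' | ')
        }
    }
}

function Save-ScheduledTaskBaseline {
    param([string]$Path = 'C:\Baselines\scheduled-tasks.json')   # assumed location
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Get-ScheduledTaskSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ScheduledTaskBaseline {
    param([string]$Path = 'C:\Baselines\scheduled-tasks.json')
    $baseline = @{}
    foreach ($t in (Get-Content -Raw -Path $Path | ConvertFrom-Json)) { $baseline[$t.Task] = $t }
    foreach ($t in Get-ScheduledTaskSnapshot) {
        if (-not $baseline.ContainsKey($t.Task)) {
            [pscustomobject]@{ Change = 'NEW'; Task = $t.Task; Principal = $t.Principal; Actions = $t.Actions }
        } elseif ($baseline[$t.Task].Actions -ne $t.Actions -or
                  $baseline[$t.Task].Principal -ne $t.Principal -or
                  $baseline[$t.Task].RunLevel -ne $t.RunLevel) {
            [pscustomobject]@{ Change = 'MODIFIED'; Task = $t.Task; Principal = $t.Principal; Actions = $t.Actions }
        }
    }
}

# Usage: take the baseline once on a known-good host, then review RDP activity
# and task changes on a schedule.
# Save-ScheduledTaskBaseline
Get-RdpLogonSummary -Hours 24 | Format-Table -AutoSize
Compare-ScheduledTaskBaseline | Format-Table -AutoSize
```

The RDP summary is meant to be read against what is expected for the host: accounts or source addresses that have never appeared before, or a high logon count from one source, are the "unusual activity" the recommendation refers to. The task diff only reports additions and changes to the command, principal or run level, which is where a persistence mechanism would show up; removed tasks are ignored because they are not a persistence signal.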
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) Cimpanu, Catalin. “Thousands of Enterprise Systems Infected by New Blue Mockingbird Malware Gang.” ZDNet. ZDNet, May 25, 2020. https://www.zdnet.com/article/thousands-of-enterprise-systems-infected-by-new-blue-mockingbird-malware-gang/.
(2) Divya. “Blue Mockingbird Malware Gang Infected Thousands of Enterprise Systems.” Cybers Guards, May 26, 2020. https://cybersguards.com/blue-mockingbird-malware-gang-infected-thousands-of-enterprise-systems/.
(3) Lambert, Tony. “Blue Mockingbird Activity Mines Monero Cryptocurrency.” Red Canary, May 7, 2020. https://redcanary.com/blog/blue-mockingbird-cryptominer/.
(4) R, Priyanka. “Blue Mockingbird Malware Gang Infects Enterprise Systems.” Latest Cyber Security News, Leading Cyber Security News, May 26, 2020. https://www.cybersafe.news/blue-mockingbird-malware-gang-infects-enterprise-systems/.