Blue Mockingbird Malware Gang Infects Thousands of Enterprise Systems

Thousands of enterprise systems are believed to have been infected with a new strain of cryptocurrency-mining malware. The malware is operated by a single group, tracked under the codename “Blue Mockingbird.”

New Group Active Since December 2019

The activity was uncovered only earlier this month by malware analysts at the security firm Red Canary, who suspect the group has been active since December 2019.

According to the researchers, Blue Mockingbird’s favored targets are public-facing servers running ASP.NET applications that use the Telerik UI for ASP.NET AJAX component library.

The Way They Work

The attackers exploit one specific vulnerability, CVE-2019-18935, a .NET deserialization flaw in Telerik UI for ASP.NET AJAX, to gain remote code execution and plant a web shell on the attacked server. From there, they use a variant of the Juicy Potato technique, which abuses Windows impersonation privileges to escalate from the IIS application pool account to SYSTEM. With that level of access they modify server settings so that their payload survives a reboot; according to Red Canary’s report this includes setting the COR_PROFILER environment variable to load a malicious DLL into .NET processes, as well as registering Windows services and scheduled tasks.

Once full control of the system is established, they download and install a copy of XMRig, a popular open-source miner for the Monero (XMR) cryptocurrency.
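One way a defender could hunt for the initial access step described above, as an added example that is not code from the article or from Red Canary: public exploits for CVE-2019-18935 reach the vulnerable code through the Telerik RadAsyncUpload handler, which IIS logs as a request to Telerik.Web.UI.WebResource.axd with the query type=rau (a detail the article does not mention). The script below parses IIS W3C logs, flags every request to that handler, and lists client IPs that POSTed to it repeatedly, since the exploit chain uploads a payload and then sends a second request to trigger deserialization. The log lines, IP addresses and the two-POST threshold are constructed for illustration.

```python
"""Hunt IIS W3C logs for requests to the Telerik RadAsyncUpload handler.

Added example, not part of the original article or of Red Canary's report.
The sample log below is constructed; the handler path and type=rau query are
the real ones that CVE-2019-18935 exploits target.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample in IIS W3C extended format (not a real capture).
# IIS replaces spaces inside field values with '+', so splitting on ' ' is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-05-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.23 Mozilla/5.0 200 0 0 120
2020-05-01 10:00:07 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.23.0 200 0 0 850
2020-05-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.23.0 500 0 0 2300
2020-05-01 10:01:15 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00&compress=1 443 - 203.0.113.9 Mozilla/5.0 200 0 0 30
2020-05-01 10:02:40 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 Mozilla/5.0 200 0 0 400
"""

# Handler that serves Telerik RadAsyncUpload; compared case-insensitively.
RAU_STEM = "/telerik.web.ui.webresource.axd"


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    status: str
    user_agent: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry appears before the #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_rau_hits(text: str) -> List[Hit]:
    """Return every request that reached the RadAsyncUpload handler (type=rau).

    An application that legitimately uses RadAsyncUpload also produces these,
    so a hit is a lead to triage (unknown client, scripted User-Agent, HTTP 500
    from a failed deserialization), not proof of compromise.
    """
    hits: List[Hit] = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        query = entry.get("cs-uri-query", "").lower()
        if stem == RAU_STEM and "type=rau" in query.split("&"):
            hits.append(Hit(
                time=f"{entry['date']} {entry['time']}",
                client_ip=entry["c-ip"],
                method=entry["cs-method"],
                status=entry["sc-status"],
                user_agent=entry["cs(User-Agent)"],
            ))
    return hits


def suspicious_sources(hits: List[Hit], min_posts: int = 2) -> List[str]:
    """Client IPs that POSTed to the handler at least min_posts times.

    The public exploit chain uploads a DLL and then sends a second request to
    trigger its deserialization, so repeated POSTs from one source are the
    pattern worth reviewing first. The threshold is an assumption.
    """
    counts: Dict[str, int] = {}
    for hit in hits:
        if hit.method.upper() == "POST":
            counts[hit.client_ip] = counts.get(hit.client_ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_posts)


if __name__ == "__main__":
    rau_hits = find_rau_hits(SAMPLE_LOG)
    for hit in rau_hits:
        print(hit)
    print("review first:", suspicious_sources(rau_hits))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the fields dict is built from the log’s own #Fields header, so the script tolerates sites that log a different column set, as long as the columns it reads are present.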


Red Canary’s analysts explained that if these public-facing IIS servers are also connected to the company’s internal network, the group will try to spread laterally. It does this over weakly secured Remote Desktop Protocol (RDP) or Server Message Block (SMB) connections.

Speculated To Be Larger Than Recorded

In an email interview earlier this month, Red Canary said it does not have a full view of the botnet’s operations. A spokesperson explained that, like any security company, it sees only part of the threat landscape and therefore cannot know the exact scope of the threat.

What Red Canary does know is that the malware has affected only a small percentage of the organizations whose endpoints it monitors. Even so, it observed about 1,000 infections within those organizations, all within a short period of time.

As such, Red Canary said the total number of affected companies could be far higher, and warned that companies who believe themselves safe from this threat could be at risk as well.


Ali is a journalist with experience in web journalism and marketing, holds a master’s degree in finance, and enjoys writing about cryptocurrencies and fintech. Ali’s work has been published in a number of cryptocurrency publications.