Blue Mockingbird Malware Gang Infect Thousands of Enterprise Systems

Author: Ali Raza
Last Updated: 27 May 2020

It's believed that thousands of enterprise systems have been infected with a new kind of cryptocurrency-mining malware. The malware is operated by a single group, tracked under the codename "Blue Mockingbird."

New Group Emerging Since December Of 2019

The activity was discovered only earlier this month by malware analysts at Red Canary, a cloud security firm, who suspect the group has been active since December 2019. The researchers explained that Blue Mockingbird's favored targets are public-facing servers, particularly those running ASP.NET applications that use the Telerik UI component framework.

The Way They Work

The hackers exploit a specific vulnerability, CVE-2019-18935, to plant a web shell on the attacked server. From there, they use a version of the Juicy Potato technique to escalate to admin-level access on the server, and then modify server settings so that they maintain persistence even after a reboot. Once full access to the system is established, they download and install a version of XMRig, a popular application for mining the Monero (XMR) cryptocurrency.

Red Canary's experts explained that, where these public-facing IIS servers are in turn connected to the company's internal network, the group will try to spread. They do this through weakly secured Remote Desktop Protocol (RDP) or Server Message Block (SMB) connections.

Speculated To Be Larger Than Recorded

In an email interview conducted earlier this month, Red Canary explained that they don't have a full view of the botnet's operations. However, the security firm estimates that there have been at least 1,000 infections so far, extrapolating from the limited visibility it already has. A spokesperson from Red Canary explained that, as a security company, they see only a slice of the threat landscape and so cannot know the exact scope of the threat. Red Canary did, however, note that the malware has affected only a small percentage of the organizations whose endpoints the firm monitors. Even so, Red Canary cautioned that it had observed about 1,000 infections within those organizations, and that these infections occurred within a short period of time. As such, Red Canary stated that the total number of companies impacted could be far higher. Furthermore, they warned that companies who believe themselves safe from this threat could be at risk of attack as well.
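As an added illustration (not from the article, and not Red Canary's code), the following Python sketch shows how a defender might flag the intrusion stages described above in endpoint process-creation telemetry. The event records, field names and account names are constructed for the example. The rules look for the IIS worker process (w3wp.exe) spawning a command interpreter, which is how a web shell typically executes; a child process that suddenly runs as SYSTEM beneath an app-pool identity, the privilege jump that Juicy Potato-style abuse produces; and an XMRig image or command line. Lateral movement over RDP/SMB is not covered here because it lives in logon and network telemetry rather than process events.

```python
"""Detection sketch for the Blue Mockingbird chain over constructed process events.

Each ProcEvent mimics the fields a Sysmon/EDR process-creation event carries.
The sample data below is made up for the example; it is not real telemetry.
"""
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"                     # IIS worker process image name
SHELLS = {"cmd.exe", "powershell.exe"}      # command interpreters a web shell would launch
MINER_MARKERS = ("xmrig",)                  # the article names XMRig as the miner used


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, e.g. "w3wp.exe"
    cmdline: str    # full command line
    user: str       # account the process runs as


def is_system(user: str) -> bool:
    """True for the local SYSTEM account (e.g. 'NT AUTHORITY\\SYSTEM')."""
    return user.upper().endswith("SYSTEM")


def has_iis_ancestor(event: ProcEvent, by_pid: dict, max_depth: int = 16) -> bool:
    """Walk up the parent chain looking for w3wp.exe; bounded to avoid cycles."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        if cur.image.lower() == IIS_WORKER:
            return True
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return False


def detect(events):
    """Return (rule_name, pid) alerts, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = e.image.lower()

        # Rule 1: IIS worker spawning a command interpreter -> web shell execution
        if parent is not None and parent.image.lower() == IIS_WORKER and img in SHELLS:
            alerts.append(("webshell_exec", e.pid))

        # Rule 2: a SYSTEM process whose parent was NOT SYSTEM, somewhere under IIS.
        # A legitimate app-pool identity has no business producing SYSTEM children.
        if (parent is not None and is_system(e.user) and not is_system(parent.user)
                and has_iis_ancestor(e, by_pid)):
            alerts.append(("privesc_to_system", e.pid))

        # Rule 3: miner image or command line
        if any(m in img or m in e.cmdline.lower() for m in MINER_MARKERS):
            alerts.append(("xmrig_miner", e.pid))
    return alerts


def sample_events():
    """Constructed events: one compromised chain plus a benign SYSTEM shell."""
    pool = "IIS APPPOOL\\DefaultAppPool"     # constructed app-pool identity
    system = "NT AUTHORITY\\SYSTEM"
    return [
        ProcEvent(100, 1, "w3wp.exe", "w3wp.exe -ap DefaultAppPool", pool),
        ProcEvent(200, 100, "cmd.exe", "cmd.exe /c whoami", pool),          # web shell
        ProcEvent(300, 200, "cmd.exe", "cmd.exe /c <placeholder>", system),  # token abuse
        ProcEvent(400, 300, "xmrig.exe", "xmrig.exe <placeholder-args>", system),
        ProcEvent(500, 1, "svchost.exe", "svchost.exe -k netsvcs", system),  # benign
        ProcEvent(600, 500, "cmd.exe", "cmd.exe /c dir", system),            # benign
    ]


if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the one worth tuning in practice: it keys on the identity change rather than on any particular tool name, so it survives renamed binaries, but it will also fire on legitimate service-control actions launched from an IIS-hosted admin application, which should be allow-listed by image path.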