← All Threat Actors
Threat Actor Profile

Blue Mockingbird

G0108
Ongoing Monero Mining Operations
Origin
Motivation Financial Gain (Cryptomining)

Target Sectors

Organizations utilizing Telerik UI for ASP.NET AJAX Public-facing Windows servers Enterprise environments with exposed web applications

Known TTPs

Exploitation of CVE-2019-18935 (Telerik UI for ASP.NET AJAX)
Deployment of custom-compiled XMRIG Monero miner DLLs
Execution via the 'wercplsupport' service
Lateral movement via SMB using Windows Explorer to copy malicious files
Use of SOCKS proxies (FRP, ssf, and Venom) for C2 communications
Utilization of wmic.exe to configure environment variables
Proxying traffic to mask the source of malicious activity

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD