Blue MockingBird Monero Cryptocurrency-mining campaign exploits a vulnerability in public-facing web applications built on ASP.NET
Cybercriminals are exploiting a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution before moving laterally through the enterprise. The activity was discovered by an analyst at Red Canary, who named the campaign Blue Mockingbird.
The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX. According to the writeup in the National Vulnerability Database, the vulnerability lies specifically in the RadAsyncUpload function. It is exploitable only when the encryption keys are known (obtained via another exploit or other attack), meaning that any campaign relies on chaining exploits.
XMRig is open source and can be compiled into custom tooling, according to the analysis. Red Canary has observed three distinct execution paths for the payload: execution with rundll32.exe explicitly calling the DLL export “fackaaxv”; execution with regsvr32.exe using the /s command-line option; and execution with the payload configured as a Windows Service DLL.
“Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” said the analyst at Red Canary on Thursday.
“So far, we’ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success,” added the analyst.
Armed with the proper privileges, Blue Mockingbird leveraged multiple persistence techniques, including the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders, according to Red Canary.
“To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload,” the analyst added.
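The three execution paths and the COR_PROFILER persistence technique described above all leave traces in process-creation telemetry. The following triage logic is an added example written for this article, not code from Red Canary; the sample records, the DLL path, the CLSID and the trusted-directory heuristic are constructed assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style). The DLL path
# and CLSID are placeholders, not indicators taken from the Red Canary report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\example_payload.dll,fackaaxv"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\ProgramData\example_payload.dll"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic ENVIRONMENT create name="COR_PROFILER",'
                    'username="<system>",VariableValue="{PLACEHOLDER-CLSID}"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager'
                    r'\Environment" /v COR_ENABLE_PROFILING /t REG_SZ /d 1'},
    # Control record: silent registration of a DLL that lives in System32.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

# Directories from which regsvr32 /s is routinely run; treating DLLs elsewhere as
# suspicious is a tuning assumption of this example, not a rule from the report.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# COR_PROFILER is named in the report; COR_ENABLE_PROFILING and COR_PROFILER_PATH
# are the other variables the CLR reads when deciding which profiler DLL to load.
COR_PROFILER_RE = re.compile(r"\bCOR_(ENABLE_PROFILING|PROFILER(_PATH)?)\b", re.I)

def _unusual_dll(cmdline):
    """True when the command line references a DLL outside TRUSTED_DIRS."""
    m = re.search(r'([a-z]:\\[^\s,"]+\.dll)', cmdline, re.I)
    return bool(m) and not m.group(1).lower().startswith(TRUSTED_DIRS)

def triage(event):
    """Return (severity, reason) pairs for the reported behaviours seen in one event."""
    image, cmd = event["Image"].lower(), event["CommandLine"]
    hits = []
    if image.endswith("\\rundll32.exe") and re.search(r",\s*fackaaxv\b", cmd, re.I):
        hits.append(("high", "rundll32 invoking DLL export fackaaxv"))
    if image.endswith("\\regsvr32.exe") and re.search(r"(^|\s)/s(\s|$)", cmd, re.I):
        hits.append(("medium" if _unusual_dll(cmd) else "info", "regsvr32 /s DLL registration"))
    if image.endswith(("\\wmic.exe", "\\reg.exe")) and COR_PROFILER_RE.search(cmd):
        hits.append(("high", "COR_PROFILER environment variable being set"))
    return hits

def scan(events):
    """Flatten alerts over a batch of events, dropping 'info' findings."""
    return [(e["CommandLine"], sev, why)
            for e in events for sev, why in triage(e) if sev != "info"]
```

Running `scan(SAMPLE_EVENTS)` yields four alerts; the System32 regsvr32 record is downgraded to an informational finding and dropped. The Windows Service DLL path needs service-installation telemetry rather than process creation and is not covered here.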
Blue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, the researchers added. The attackers use their elevated privileges and Remote Desktop Protocol (RDP) to access privileged systems, and then Windows Explorer to distribute payloads to remote systems.
“In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies for pivoting,” said the researchers. “These tools included a fast reverse proxy (FRP), Secure Socket Funneling (SSF), and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form.”
In terms of prevention, patching web servers, web applications and those applications' dependencies to inhibit initial access is the best bet, according to Red Canary.