Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Blue Mockingbird has used wmic.exe to set environment variables.[1] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.[1] |
| Enterprise | T1090 | Proxy | Blue Mockingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.[1] |
| Enterprise | T1112 | Modify Registry | Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.[1] |
| Enterprise | T1574.012 | Hijack Execution Flow: COR_PROFILER | Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Blue Mockingbird has used batch script files to automate execution and deployment of payloads.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Blue Mockingbird has obfuscated the wallet address in the payload binary.[1] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.[1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.[1] |
| Enterprise | T1082 | System Information Discovery | Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | Blue Mockingbird has obtained and used tools such as Mimikatz.[1] |
| Enterprise | T1134 | Access Token Manipulation | Blue Mockingbird has used JuicyPotato to abuse the |
| Enterprise | T1496.001 | Resource Hijacking: Compute Hijacking | Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.[1] |
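The persistence rows above (COR_PROFILER environment variables, WMI event subscriptions registered with mofcomp.exe, and the XMRIG DLL run through the wercplsupport service) all leave artefacts in the registry or the WMI repository that an administrator can enumerate. The following PowerShell is an added example written for this page, not tooling from the ATT&CK entry or the cited report; it assumes the legitimate service DLL lives at `%SystemRoot%\System32\wercplsupport.dll` (the standard location on current Windows versions) and that the permanent WMI subscription classes live in `root\subscription`. Function names are my own.

```powershell
# Added example: enumerate the host artefacts associated with the persistence
# techniques listed in the Blue Mockingbird table. Run as an administrator.

function Get-CorProfilerSettings {
    # COR_PROFILER hijacking (T1574.012) needs COR_ENABLE_PROFILING / COR_PROFILER
    # (and optionally COR_PROFILER_PATH) set system-wide, per-user, or in a service's
    # Environment value. All three live in the registry.
    $envKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
        'HKCU:\Environment'
    )
    foreach ($key in $envKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
            if ($props -and $props.PSObject.Properties[$name]) {
                [pscustomobject]@{ Source = $key; Name = $name; Value = $props.$name }
            }
        }
    }
    # Per-service environment blocks: REG_MULTI_SZ "Environment" under each service key
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svcEnv = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Environment
            foreach ($entry in @($svcEnv)) {
                if ($entry -match '^COR_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)=') {
                    [pscustomobject]@{ Source = $_.PSPath; Name = 'Environment'; Value = $entry }
                }
            }
        }
}

function Get-PermanentWmiSubscriptions {
    # A mofcomp-registered subscription (T1546.003) is an __EventFilter bound to a
    # consumer via __FilterToConsumerBinding in root\subscription. Any binding at all on
    # a server that has no management agent using WMI is worth reviewing.
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
                        Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
                        Select-Object Name, CommandLineTemplate, ExecutablePath
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
                        Select-Object Filter, Consumer
    }
}

function Get-WercplsupportServiceDll {
    # The wercplsupport service (T1569.002) loads the DLL named in its Parameters\ServiceDll
    # value. Get-ItemProperty expands the REG_EXPAND_SZ value, so compare against the
    # expanded expected path. A look-alike name such as wercplsupporte.dll, or any path
    # outside System32, is the masquerade described in T1036.005.
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport\Parameters'
    $dll      = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ServiceDll
    $expected = Join-Path $env:SystemRoot 'System32\wercplsupport.dll'   # assumption: default location
    [pscustomobject]@{
        ServiceDll   = $dll
        ExpectedPath = $expected
        LooksNormal  = ($null -ne $dll) -and ($dll -ieq $expected)
    }
}

# Usage: print each set of findings; an empty COR_PROFILER list, no bindings, and
# LooksNormal = True is the expected state on an uncompromised host.
'--- COR_PROFILER settings ---'
Get-CorProfilerSettings | Format-Table -AutoSize
'--- Permanent WMI subscriptions ---'
Get-PermanentWmiSubscriptions | Format-List
'--- wercplsupport ServiceDll ---'
Get-WercplsupportServiceDll | Format-List
```

The three checks are deliberately read-only: they only query the registry and the WMI repository, so they can be run from a scheduled job or an EDR live-response session without side effects. Scheduled tasks (T1053.005) are not covered here because `Get-ScheduledTask` already exposes them directly; reviewing tasks whose actions invoke regsvr32.exe or rundll32.exe with a DLL argument complements the checks above.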