XMRig Continues to Evolve as Blue Mockingbird Gang Targets Enterprise Systems

What happened

• In May 2020, the Blue Mockingbird group had infected thousands of enterprise systems with a version of XMRig, and moving laterally across the network using a combination of the Remote Desktop Protocol (RDP) and Server Message Block (SMB) protocol to access privileged systems and Windows Explorer.
• The group has been deploying XMRig related payloads in Dynamic-Link Library (DLL) form on Windows systems. Roughly 1,000 infections have been observed over a short amount of time.

Recent attacks by Blue Mockingbird

• In early-May, Blue Mockingbird attackers were observed leveraging unpatched versions of Telerik UI for ASP.NET, deploying the XMRig Monero-mining payload in a dynamic-link library (DLL) form, then executing it and establishing persistence using multiple techniques.
• In both attacks, the attackers exploited the CVE-2019-18935 vulnerability to plant a web shell on the attacked server and used a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence.

Other attacks using XMRig miner

• In April 2020, VictoryGate botnet was observed spreading XMRig malware as its secondary payload to mine crypto-currency.
• In February 2020, threat actors abused Bitbucket to spread XMRig and other malware to get as much sensitive data as possible. In the same month, cybercriminals leveraged the “self-spreading” variant of the Lemon Duck malware to target IoT devices embedded with Windows 7 via the XMRig mining tool.
• In January 2020, a new threat actor ‘Vivin’ was found using XMRig malware for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts. The hacker used several methods of persistence to keep the XMRig mining software on the victimized hosts.

Stay safe