XMRig Continues to Evolve as Blue Mockingbird Gang Targets Enterprise Systems

Since the past some time, adversaries have been using XMRig, the open-source Monero-mining malicious software, to churn out victim’s resources for crypto-currencies. Recently, another hacker group has been observed targeting enterprise systems with cryptocurrency-mining malware XMRig.

What happened

  • In May 2020, the Blue Mockingbird group had infected thousands of enterprise systems with a version of XMRig, and moving laterally across the network using a combination of the Remote Desktop Protocol (RDP) and Server Message Block (SMB) protocol to access privileged systems and Windows Explorer.
  • The group has been deploying XMRig related payloads in Dynamic-Link Library (DLL) form on Windows systems. Roughly 1,000 infections have been observed over a short amount of time.

Recent attacks by Blue Mockingbird

  • In early-May, Blue Mockingbird attackers were observed leveraging unpatched versions of Telerik UI for ASP.NET, deploying the XMRig Monero-mining payload in a dynamic-link library (DLL) form, then executing it and establishing persistence using multiple techniques.
  • In both attacks, the attackers exploited the CVE-2019-18935 vulnerability to plant a web shell on the attacked server and used a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence.

Other attacks using XMRig miner

According to Check Point Research’s Global Threat Index for April 2020, XMRig impacted a total of 3% of organizations worldwide. It was the most prevalent malware of March 2020.
  • In April 2020, VictoryGate botnet was observed spreading XMRig malware as its secondary payload to mine crypto-currency.
  • In February 2020, threat actors abused Bitbucket to spread XMRig and other malware to get as much sensitive data as possible. In the same month, cybercriminals leveraged the “self-spreading” variant of the Lemon Duck malware to target IoT devices embedded with Windows 7 via the XMRig mining tool.
  • In January 2020, a new threat actor ‘Vivin’ was found using XMRig malware for mining thousands of U.S. dollars in Monero cryptocurrency off of their infected hosts. The hacker used several methods of persistence to keep the XMRig mining software on the victimized hosts.

Stay safe

Users should install an ad-blocking or anti-crypto mining extension on web browsers. Use up-to-date endpoint protection/antivirus software and web filtering tools. Businesses should focus on patching web servers, web applications, and dependencies of the applications.