Blue Mockingbird Malware

The Blue Mockingbird Malware is the name given to a hacking group whose apparent end goal is to build and run a botnet that mines cryptocurrency. The group first appeared in December 2019. The servers it targets are very specific: the only trait the victims share is that they almost always run the Telerik UI framework alongside various ASP.NET utilities. Running this combination exposes them to a vulnerability known as CVE-2019-18935, which the attackers exploit to plant a shell on the targeted system and thereby take control of it.

Attacks of this kind usually aim to collect sensitive files, confidential data, personal details and the like. However, instead of carrying out a reconnaissance operation, the Blue Mockingbird Malware opts to install a cryptocurrency miner on the servers it compromises. The miner in question is a trojanized variant of the well-known XMRig miner, which mines the Monero cryptocurrency. In recent years more and more cybercriminals have turned to botnets for mining cryptocurrency, as this has proven to be a very profitable venture.

The Blue Mockingbird Malware's botnet is still rather small in size, because the group goes after very specific targets. Approximately 1,000 servers have been hijacked by the Blue Mockingbird Malware. To spread laterally within a compromised network, the cyber crooks use poorly secured SMB (Server Message Block) and RDP (Remote Desktop Protocol) connections.

If you are using the Telerik framework, make sure to apply the latest updates, which patch the vulnerability that the Blue Mockingbird Malware exploits to compromise servers.
