
Blue Mockingbird Monero-Mining Campaign Exploits Web Apps
2020-05-07 21:01

A Monero cryptocurrency-mining campaign has emerged that exploits a known vulnerability in public-facing web applications built on the ASP.NET open-source web framework.

The campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity.

In the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the XMRig Monero-mining payload in dynamic-link library form on Windows systems, then executing it and establishing persistence using multiple techniques.

To establish persistence, Blue Mockingbird actors must first elevate their privileges, which they do using various techniques; for instance, researchers observed them using a JuicyPotato exploit to escalate privileges from an IIS Application Pool Identity virtual account to the NT AUTHORITY\SYSTEM account.

Blue Mockingbird likes to move laterally to distribute mining payloads across an enterprise, added researchers.
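As an added illustration, not part of the Threatpost article or Red Canary's report, the following Python sketch flags the process lineage described above in constructed process-creation events: an IIS worker process (w3wp.exe) running under an application pool identity that launches a DLL or script host, and then a descendant of that lineage running as SYSTEM. The event fields, the sample values and the list of host binaries are assumptions for the demo.

```python
# Added example: detection logic for the app-pool-to-SYSTEM lineage this
# campaign implies. Event shape and sample values are constructed, not taken
# from the article or from Red Canary's telemetry.
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"                 # IIS worker process image name
APPPOOL_PREFIX = "iis apppool\\"        # app-pool virtual account prefix
SYSTEM_USER = "nt authority\\system"
# Binaries that can load a DLL or run a script on behalf of a compromised
# web app; tune this set for the environment being monitored.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "cmd.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full image path
    user: str    # account the process runs as


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) pairs for events matching either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        parent_is_apppool = parent.user.lower().startswith(APPPOOL_PREFIX)
        # Rule 1: IIS worker under an app-pool identity spawning a DLL/script host.
        if (_name(parent.image) == IIS_WORKER and parent_is_apppool
                and _name(e.image) in DLL_HOSTS):
            findings.append((e.pid, "apppool_spawned_dll_host"))
        # Rule 2: child runs as SYSTEM although its parent ran as an app-pool
        # identity, the signature of a token-impersonation escalation.
        if parent_is_apppool and e.user.lower() == SYSTEM_USER:
            findings.append((e.pid, "apppool_to_system_escalation"))
    return findings


# Constructed sample: a benign child, then a campaign-like chain.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\System32\inetsrv\w3wp.exe", r"IIS APPPOOL\DefaultAppPool"),
    ProcEvent(101, 100, r"C:\Windows\System32\conhost.exe", r"IIS APPPOOL\DefaultAppPool"),
    ProcEvent(102, 100, r"C:\Windows\System32\rundll32.exe", r"IIS APPPOOL\DefaultAppPool"),
    ProcEvent(103, 102, r"C:\Windows\Temp\svc.exe", r"NT AUTHORITY\SYSTEM"),
]
```

Because the lookup table is built before scanning, the rules work regardless of the order in which events were logged.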


News URL

https://threatpost.com/blue-mockingbird-monero-mining/155581/