
Blue Mockingbird Malware

Posted: May 26, 2020

The Blue Mockingbird Malware is a Remote Access Trojan with a Web shell that gives an attacker control over a compromised server. The threat may propagate throughout internal networks, and attackers also deploy it by exploiting ASP.NET Telerik UI vulnerabilities. Most anti-malware tools should detect and delete the Blue Mockingbird Malware, and a well-configured firewall provides additional protection.

The Mocking Call of an Easily Overlookable Vulnerability

New confirmation of a threat actor that has been active for at least a year is showing that server admins can't afford to sleep on their security precautions. The Blue Mockingbird group is turning software vulnerabilities into cryptocurrency-mining opportunities, but does so in ways that work around some patching solutions. One saving grace of the rapidly-spreading Blue Mockingbird Malware campaign is its dependency on ASP.NET, which leaves it less likely to compromise the recreational, everyday PC owner at home.

The Blue Mockingbird Malware is a backdoor Trojan that uses a Web shell as its means of remote control. This browser-based shell implementation lets attackers exert control over servers through a command line-like interface. It's unsuitable for non-server Windows environments, and its threat actors are deploying it against enterprise-grade businesses that are exposed to their preferred vulnerability-exploiting sequence.

Blue Mockingbird leverages CVE-2019-18935, one of the most-exploited vulnerabilities for Web shell implantation as of 2020, to attack servers through a Telerik UI flaw that allows remote code execution. This weakness is independent of the version of the ASP.NET application itself, which means that users could experience a breach even if their applications are fully up-to-date. The installation of the Blue Mockingbird Malware also requires additional exploits; Blue Mockingbird currently compensates with a privilege escalation tool (Juicy Potato, a fork of RottenPotatoNG).

Silencing the Call of Bird-Themed Bandits

The Blue Mockingbird Malware's higher goal is, as is usually the case, monetizing the systems that it takes over. The Trojan is structured like a botnet, a distributed network of 'zombie' clients, each of which receives a non-consensual installation of XMRig. XMRig is a Monero-mining application that's notable for its generally low resource overhead and its regular abuse by different criminal operations, such as the attacks of Beapy, the Golang worm or Norman.

Administrators should be attentive to the versions of all software and, in this case, to the update state of Telerik UI components in particular. Versions from 2020.1.114 onwards should require no additional protection, due to default settings that block the remote code execution. When updating the user interface components is not possible, other measures, such as rigorous firewall settings, may be required.
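The version check described above as a PowerShell inventory script, added here as an example and not taken from the original article: it walks the local IIS sites, locates every Telerik.Web.UI.dll and flags builds older than 2020.1.114. It assumes the IIS WebAdministration module is present on the server and that the assembly's file version follows Telerik's year.release.build numbering.

```powershell
# Added example: inventory Telerik UI for ASP.NET AJAX assemblies on this IIS host
# and flag builds older than 2020.1.114, the first release the article names as
# blocking the remote code execution by default. Assumes the WebAdministration
# module (IIS management tools) is installed; run in an elevated PowerShell session.
Import-Module WebAdministration

$MinimumSafe = [version]'2020.1.114'

foreach ($site in Get-Website) {
    # PhysicalPath is often stored as %SystemDrive%\inetpub\..., so expand it first.
    $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
    $dlls = Get-ChildItem -Path $root -Filter 'Telerik.Web.UI.dll' -Recurse `
                          -ErrorAction SilentlyContinue
    if (-not $dlls) { continue }   # this site does not ship Telerik UI

    foreach ($dll in $dlls) {
        # Telerik file versions look like 2019.3.1023.45; the trailing part is the
        # target .NET build, so [version] comparison against year.release.build works.
        $raw = $dll.VersionInfo.FileVersion
        $ver = [version]::new()
        if (-not [version]::TryParse($raw, [ref]$ver)) {
            $status = 'UNKNOWN-VERSION'        # manual review needed
        } elseif ($ver -ge $MinimumSafe) {
            $status = 'OK'
        } else {
            $status = 'UPDATE-OR-FIREWALL'     # older than 2020.1.114
        }

        [pscustomobject]@{
            Site    = $site.Name
            Path    = $dll.FullName
            Version = $raw
            Status  = $status
        }
    }
}
```

Pipe the output to Export-Csv to keep a record across servers; any row marked UPDATE-OR-FIREWALL is a host where the component should be updated or, failing that, shielded with the firewall measures the article recommends.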

Anti-malware products with databases inclusive of Web shell-based threats may detect and delete the Blue Mockingbird Malware. Users should also check for aftereffects of infections, such as cryptocurrency miners.

As an opportunistic attacker, much like a scavenger in nature, the Blue Mockingbird Malware gets its mining done off of the backs of the unprotected. It's a sad but inescapable truth that as server software grows in complexity, threat actors will continue finding gaps that they widen into backdoors.
