Blue Mockingbird Malware

Posted: May 26, 2020

Blue Mockingbird Malware Description

The Blue Mockingbird Malware is a Remote Access Trojan with a Web shell that gives an attacker control over a compromised server. The threat may propagate across internal networks, and attackers plant it by exploiting a Telerik UI for ASP.NET vulnerability. Most anti-malware tools should detect and delete the Blue Mockingbird Malware, and well-configured firewalls provide additional protection.

The Mocking Call of an Easily Overlookable Vulnerability

New confirmation of a threat actor that has been active for at least a year shows that server admins can't afford to sleep on their security precautions. The Blue Mockingbird group turns software vulnerabilities into cryptocurrency-mining opportunities, but does so in ways that work around some patching solutions. One saving grace of the rapidly-spreading Blue Mockingbird Malware campaign is its dependency on ASP.NET, which makes it less likely to compromise the recreational, everyday PC owner at home.

The Blue Mockingbird Malware is a backdoor Trojan that uses a malicious Web shell as its means of remote control. This browser-based shell lets attackers exert control over servers through a command line-like interface. It's unsuitable for non-server Windows environments, and its threat actors deploy it against enterprise-grade businesses that are susceptible to their preferred exploitation sequence.

Blue Mockingbird leverages CVE-2019-18935, one of the most-exploited vulnerabilities for Web shell implantation as of 2020, to attack servers through a Telerik UI flaw that facilitates remote code execution. This weakness lies in the Telerik UI component itself, independently of the ASP.NET application's own version, which means that users could experience a breach even if their applications are fully up to date. Installing the Blue Mockingbird Malware also requires additional exploits; Blue Mockingbird currently compensates with a privilege escalation tool, Juicy Potato (a fork of RottenPotatoNG).

Silencing the Call of Bird-Themed Bandits

The Blue Mockingbird Malware's higher goal is, as is usually the case, monetizing the systems that it takes over. The Trojan operates in the style of a botnet, a distributed network of 'zombie' clients, each of which receives an unauthorized installation of XMRig. XMRig is a Monero-mining application that's notable for its generally low resource overhead and its regular abuse by different criminal operations, such as the Beapy attacks, the Golang worm and Norman.

Administrators should keep track of the versions of all their software and, in this case, pay particular attention to the update state of Telerik UI components. Versions from 2020.1.114 onwards should require no additional protection, because their default settings block the remote code execution. Where updating the component is not possible, other measures are required, such as rigorous firewall settings.
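As an added example (not code from the original post or from any vendor tool), the following Python applies the two checks the text describes: it compares an installed Telerik UI version string against the 2020.1.114 threshold cited above, and it scans constructed IIS log lines for POST requests to the RadAsyncUpload handler that CVE-2019-18935 abuses. The handler path and the W3C log field order are assumptions, and a hit only means "review", since legitimate uploads use the same handler.

```python
from typing import Iterable, List, Tuple

# Telerik UI for ASP.NET AJAX versions look like "YYYY.R.BUILD"; the text gives
# 2020.1.114 as the first release whose defaults block the RCE path.
FIXED_VERSION = (2020, 1, 114)

# Handler behind RadAsyncUpload (the component CVE-2019-18935 targets).
# Assumed from public Telerik documentation, not taken from the post.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2019.3.1023' into (2019, 3, 1023); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Telerik version string: {text!r}")
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def needs_update(installed: str) -> bool:
    """True when the installed build predates the 2020.1.114 defaults."""
    return parse_version(installed) < FIXED_VERSION


def suspicious_rau_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri, status) for POSTs to the handler with type=rau.

    Assumed IIS W3C field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        fields = line.split()
        if len(fields) < 7:
            continue
        _, _, ip, method, stem, query, status = fields[:7]
        if (method == "POST" and stem.lower().endswith(RAU_HANDLER)
                and "type=rau" in query.lower()):
            hits.append((ip, f"{stem}?{query}", status))
    return hits


# Constructed sample log for the demonstration, not real traffic.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-05-20 10:01:02 203.0.113.7 GET /default.aspx - 200
2020-05-20 10:01:05 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2020-05-20 10:02:11 198.51.100.4 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00 200
""".splitlines()

if __name__ == "__main__":
    print("update needed:", needs_update("2019.3.1023"))
    for hit in suspicious_rau_requests(SAMPLE_LOG):
        print("review:", hit)
```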

Anti-malware products whose databases include Web shell-based threats may detect and delete the Blue Mockingbird Malware. Users should also check for the aftereffects of an infection, such as cryptocurrency miners.

As an opportunistic attacker, much like a scavenger in nature, the Blue Mockingbird Malware gets its mining done on the backs of the unprotected. It's a sad but inescapable truth that as server software grows in complexity, threat actors will keep finding gaps that they widen into backdoors.
