Over the years, cryptocurrency has become a permanent fixture. The exponential rise in its market value attracts many technologists, but those growing numbers also attract intruders. Recently, a vulnerability discovered by Red Canary Intel has been alleged to enable remote code execution. The vulnerability (CVE-2019-18935) was used to distribute Monero-mining malware payloads across many enterprises and private firms. The earliest examples of Blue Mockingbird trace back to December 2019.
Cybersecurity personnel at Red Canary Intel recorded two such incidents. In both cases, hackers gained entry to the targeted organization’s network by exploiting a deserialization vulnerability (CVE-2019-18935). It affected public-facing web applications that implemented Telerik UI for ASP.NET AJAX. The attack enabled the malware to upload two dynamic-link libraries (DLLs) to a web application on a Windows IIS web server. Separately, it is assumed that Blue Mockingbird may be testing various tools to create SOCKS proxies for pivoting.
“Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address,” explained researchers at Red Canary. “So far, we’ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success.”
Initially, the Blue Mockingbird threat actors were unable to elevate system privileges; later, they found various techniques for privilege escalation. For example, researchers observed them using a JuicyPotato exploit to escalate privileges from a virtual IIS application-pool identity to the NT AUTHORITY\SYSTEM account. Furthermore, an officially signed version of the Mimikatz tool was used to log in with user credentials.
Blue Mockingbird acts like self-distributing malware that spreads itself from one enterprise to another and so on, said researchers. The attackers do this by combining elevated privileges with Remote Desktop Protocol (RDP) to access privileged systems, and then use Windows Explorer to copy the payloads to the remote system.
What goes on in the backend?
Insight into the vulnerability shows that two dynamic-link libraries (DLLs) are uploaded to a web application running on a Windows IIS web server. Furthermore, investigators found that the executable w3wp.exe writes the DLLs to disk and then immediately loads them into memory. In some cases, this causes w3wp.exe to temporarily freeze and fail to serve HTTP responses.
How do you diagnose a Blue Mockingbird payload?
To check whether you have been affected by the Telerik CVE, search your IIS logs for entries referencing Telerik.Web.UI.WebResource.axd. Suspicious entries look like the following:
2020-04-29 02:01:24 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 - 200 0 0 625
2020-04-29 02:01:27 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:54.0)+Gecko/20100101+Firefox/54.0 - 500 0 0 46
We recommend the following analytics:
- Execution of cmd.exe with a command line containing sc AND config AND wercplsupporte.dll
- Any process with a command line containing -t AND -c AND -l that makes network connections from 127.0.0.1 to 127.0.0.1 on TCP port 135 (JuicyPotato)
- Execution of schtasks.exe with a command line containing /create AND sc start wercplsupport
- Execution of rundll32.exe with a command line containing fackaaxv
- Execution of regsvr32.exe with a command line containing /s and an external network connection
- Execution of wmic.exe with a command line containing create AND COR_PROFILER
- Execution of cmd.exe whose parent process is services.exe
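The IIS log check and the process analytics above, implemented as a small detector. This is an added example and not Red Canary's or the article's own code; the log lines and process events it runs on are constructed to mirror the entries quoted above, and the ProcEvent shape, rule names and the simplified "external address" test are assumptions.

```python
from dataclasses import dataclass

# Constructed IIS W3C log lines shaped like the two entries quoted above (a 200 then a 500).
IIS_LOG = """\
2020-04-29 02:01:24 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 625
2020-04-29 02:01:27 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - Mozilla/5.0+(Windows+NT+10.0) - 500 0 0 46
2020-04-29 02:05:00 10.0.0.1 GET /Default.aspx - 80 - Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
"""

def telerik_rau_requests(log_text):
    """Return (time, status) for every POST to the Telerik handler with query type=rau.
    Field order follows the sample: date time ip method uri-stem uri-query port user ua referer status ...
    """
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[3] != "POST":
            continue
        if f[4].lower().endswith("/telerik.web.ui.webresource.axd") and "type=rau" in f[5].lower():
            hits.append((f[1], int(f[10])))
    return hits

@dataclass
class ProcEvent:                 # one process-creation event from EDR/Sysmon-style telemetry (assumed shape)
    image: str                   # process name, e.g. "cmd.exe"
    parent: str                  # parent process name
    cmdline: str                 # full command line
    remote_ip: str = ""          # remote address of a network connection made by the process
    remote_port: int = 0
def _has_all(cmdline, *tokens):  # case-insensitive "command line contains all of these"
    low = cmdline.lower()
    return all(t.lower() in low for t in tokens)
def _is_external(ip):            # simplified: not empty, not loopback, not RFC 1918
    if not ip or ip.startswith(("127.", "10.", "192.168.")):
        return False
    return not (ip.startswith("172.") and 16 <= int(ip.split(".")[1]) <= 31)

# The process analytics listed above, as (name, predicate) pairs.
RULES = [
    ("sc-config-wercplsupporte", lambda e: e.image == "cmd.exe" and _has_all(e.cmdline, "sc", "config", "wercplsupporte.dll")),
    ("juicypotato-loopback-135", lambda e: _has_all(e.cmdline, "-t", "-c", "-l") and e.remote_ip == "127.0.0.1" and e.remote_port == 135),
    ("schtasks-wercplsupport", lambda e: e.image == "schtasks.exe" and _has_all(e.cmdline, "/create", "sc start wercplsupport")),
    ("rundll32-fackaaxv", lambda e: e.image == "rundll32.exe" and _has_all(e.cmdline, "fackaaxv")),
    ("regsvr32-silent-external", lambda e: e.image == "regsvr32.exe" and _has_all(e.cmdline, "/s") and _is_external(e.remote_ip)),
    ("wmic-cor-profiler", lambda e: e.image == "wmic.exe" and _has_all(e.cmdline, "create", "COR_PROFILER")),
    ("cmd-child-of-services", lambda e: e.image == "cmd.exe" and e.parent == "services.exe"),
]
def matching_rules(event):       # names of every analytic the event triggers; [] means nothing fired
    return [name for name, pred in RULES if pred(event)]
```

Substring matching is deliberately loose, as in the analytics themselves; tune the predicates against your own baseline before alerting on them.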
Additional information on Blue Mockingbird:
- Currently, the campaign is targeting unpatched versions of Telerik UI for ASP.NET.
- The exploit of the vulnerability mainly targets the RadAsyncUpload function.
- Although the campaign is leaving its mark, the toolkit is still under development.
- The attackers deploy the XMRig Monero-mining payload packaged as a dynamic-link library (DLL) to establish persistence on Windows systems.
How can you mitigate the attack?
- Patch web servers, web applications and the dependencies of those applications.
- Patching application dependencies removes the initial-access vector before it can be used.
- Almost every technique used by Blue Mockingbird can bypass whitelisting methodologies, so denying initial access is the best route.
- Establish a baseline of Windows Scheduled Tasks in your environment so that activity created behind the scenes stands out.