Blue Mockingbird malware processes Monero from enterprise systems

A new group of hackers has been targeting vulnerable enterprise systems and using them to process privacy coin Monero. The group is believed to have been active since December 2019 and infected thousands of systems.

Security researchers from U.S. cybersecurity firm Red Canary have been monitoring the group, which they referred to as Blue Mockingbird. According to the researchers, the hackers exploit public-facing web applications that depend on Telerik UI for ASP.NET, a framework used in web development. While it accelerates the web development process, it’s prone to CVE-2019-18935 vulnerability.

Once the hackers infiltrate the system, they deploy XMRIG, an open-source Monero processing tool that has proven a favorite for hackers.

The malware executes a number of strategies to increase its reach and avoid removal. One of them is exploiting weakly-secured remote desktop protocol connections to spread internally. It also executes a malicious DLL that restores all items removed by a system’s defenders.

Red Canary claims that the malware is not fully defined, with the hackers still experimenting with a few tools to find the best ones. The company further revealed to ZDNet that it doesn’t have a full overview of the malware’s activities.

“Like any security company, we have limited visibility into the threat landscape and no way of accurately knowing the full scope of this threat. This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organizations, and over a short amount of time,” the company stated.

The researchers predict that the malware could end up infecting many other systems, especially since it targets vulnerable Telerik UI components. Many companies don’t put measures in place to protect themselves from such an attack. In some cases, companies aren’t even aware that their systems rely on Telerik UI components.

Studies conducted by several global agencies, including the NSA show that Telerik UI vulnerabilities are among the most exploited by cybercriminals globally.

Red Canary was able to identify two Monero addresses that the hackers use. However, due to the private nature of Monero, they couldn’t establish how successful their campaign has been.

New to blockchain? Check out CoinGeek’s Blockchain for Beginners section, the ultimate resource guide to learn more about blockchain technology.