Skip to content

G0108 Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.1

Item Value
ID G0108
Associated Names
Version 1.1
Created 26 May 2020
Last Modified 12 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation Blue Mockingbird has used JuicyPotato to abuse the SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\SYSTEM.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.1
enterprise T1059.003 Windows Command Shell Blue Mockingbird has used batch script files to automate execution and deployment of payloads.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.1
enterprise T1190 Exploit Public-Facing Application Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.012 COR_PROFILER Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.1
enterprise T1112 Modify Registry Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.1
enterprise T1027 Obfuscated Files or Information Blue Mockingbird has obfuscated the wallet address in the payload binary.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Blue Mockingbird has obtained and used tools such as Mimikatz.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.1
enterprise T1090 Proxy Blue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.1
enterprise T1021.002 SMB/Windows Admin Shares Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.1
enterprise T1496 Resource Hijacking Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.1
enterprise T1218.011 Rundll32 Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.1
enterprise T1082 System Information Discovery Blue Mockingbird has collected hardware details for the victim’s system, including CPU and memory information.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the “wercplsupport” service.1
enterprise T1047 Windows Management Instrumentation Blue Mockingbird has used wmic.exe to set environment variables.1

Software

ID Name References Techniques
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material

References