BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:5a06472f-adab-438c-943e-6be0bb0194c9
DTSTAMP:20260524T041532Z
SUMMARY:Hunting for Blue Mockingbird Coinminers
DESCRIPTION:Title: Hunting for Blue Mockingbird Coinminers\n\nDescription:\
 nDuring March-May 2020 the Blue Mockingbird group infected thousands of co
 mputer systems\, mainly in enterprise environments. There are known incide
 nts in which they exploited the CVE-2019-18935 vulnerability in Telerik We
 b UI for ASP.NET\, then used various backdoors and finally deployed XMRig-b
 ased CoinMiners for mining Monero cryptocurrency. What is interesting abou
 t these cases is the persistence they used for the CoinMiners: a lot of te
 chniques including scheduled tasks and services\, but also WMI Event Subsc
 ription and COR Profilers.\n\nDuring the forensic analysis and incident res
 ponse process it was possible to find these persistence mechanisms and man
 y coinminer artifacts\, but the malware samples responsible for their inst
 allation and persistence creation were missing. However\, when we enriche
 d the results of the standard malware analysis with Threat Intelligence da
 ta and OSInt\, we were able to find the missing pieces of the puzzle and re
 construct the original attack chain\, including the initial exploitation\, l
 ocal privilege exploit\, two backdoors\, main payload and multiple persisten
 ce techniques. Moreover\, this research reveals much about the tools\, techn
 iques and procedures (TTP) of the Blue Mockingbird Threat Actor.\n\nFinall
 y\, with more knowledge about the attackers it is possible to collect more s
 amples of the coinminers used by them. After a further step of reconnaissa
 nce we can get insight into the profit of their attacks and compare it wit
 h the damage caused by these attacks.\n\nSpeaker(s): Ladislav B\n\nLocation: R
 econ Vlg\n\nDiscord: https://discord.com/channels/708208267699945503/73273
 3566051418193\n\nEvent starts: 2020-08-08 12:00 (12:00 PM) PDT (UTC -07:00)
 \n\nEvent ends: 2020-08-08 12:30 (12:30 PM) PDT (UTC -07:00)\n\nFor the mos
 t up-to-date information\, please either visit https://info.defcon.org\, or u
 se HackerTracker\, which is available for iOS and Android. This is an automa
 ted message\, and this data was last modified 2020-08-05T23:33 (UTC).
URL:https://forum.defcon.org/node/234606
DTSTART:20200808T200000Z
DTEND:20200808T203001Z
LOCATION:Recon Vlg
END:VEVENT
END:VCALENDAR
