Title: Hunting for Blue Mockingbird Coinminers

Description:
During March-May 2020 the Blue Mockingbird group infected thousands of computer systems, mainly in the enterprise environments. There are known incidents in which they exploited the CVE-2019-18935 vulnerability in Telerik Web UI for ASP.NET, then they used various backdoors and finally, they deployed XMRig-based CoinMiners for mining Monero cryptocurrency. Interesting about these cases is the persistence which they used for CoinMiners - lot of techniques including scheduled tasks, services, but also WMI Event Subscription and COR Profilers.

During forensic analysis and incident response process it was possible to find these persistences and many coinminers artifacts, but malware samples responsible for their installation and persistence creation have been missing. However, when we enriched results of the standard malware analysis with the Threat Intelligence data and OSInt, we were able to find the missed pieces of puzzle and reconstruct the original attack chain including the initial exploitation, local privilege exploit, two backdoors, main payload and multiple persistence techniques. Moreover, this research reveal many about the tools, techniques and procedures (TTP) of Blue Mockingbird Threat Actor.

Finally, with more knowledge about the attackers it is possible to collect more samples of coinminers used by them. After next step of reconnaissance we can get insight into profit of their attacks and compare them with the damages caused by these attacks.

Speaker(s): Ladislav B

Location: Recon Vlg

Discord: https://discord.com/channels/7082082...33566051418193

Event starts: 2020-08-08 12:00 (12:00 PM) PDT (UTC -07:00)

Event ends: 2020-08-08 12:30 (12:30 PM) PDT (UTC -07:00)

For the most up-to-date information, please either visit https://info.defcon.org, or use HackerTracker, which is available for iOS and Android. This is an automated message, and this data was last modified 2020-08-05T23:33 (UTC).