Quote:The campaign has been dubbed Blue Mockingbird by the analysts at Red Canary that discovered the activity. Research uncovered that the cybercriminal gang is exploiting a deserialization vulnerability, CVE-2019-18935, which can allow remote code execution. The bug is found in the Progress Telerik UI front-end offering for ASP.NET AJAX.
 
AJAX stands for Asynchronous JavaScript and XML; It’s used to add script to a webpage which is executed and processed by the browser. Progress Telerik UI is an overlay for controlling it on ASP.NET implementations.
 
The vulnerability lies specifically in the RadAsyncUpload function, according to the writeup on the bug in the National Vulnerability Database. This is exploitable when the encryption keys are known (via another exploit or other attack), meaning that any campaign relies on a chaining of exploits.
 
In the current attacks, Blue Mockingbird attackers are uncovering unpatched versions of Telerik UI for ASP.NET, deploying the XMRig Monero-mining payload in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. From there, the infection propagates laterally through the network.

The activity appears to stretch back to December, according to the analysis, and continued through April at least.