In the entries, the string 200 refers to HTTP response code 200, where the POST request was successful, and the string 500 refers to HTTP code 500, where the POST request was not processed successfully by the web server. These code 500 entries happened when the w3wp.exe process loaded the uploaded DLLs into memory and temporarily froze.
Searching the IIS access logs for entries like these is a good idea even if you don’t explicitly know whether you use Telerik UI, as some web applications require the suite as a dependency behind the scenes.
If you have endpoint detection and response (EDR) or similar tools, you’ll notice cmd.exe or other suspicious processes spawning from
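The log pattern described above (a client's POST that returns 200, followed shortly by a POST to the same URI that returns 500 while the worker process is busy loading the uploaded DLL) can be hunted for programmatically. The following is an added example, not code from the original post: it parses IIS W3C extended log lines using the #Fields directive and reports every client/URI pair that shows the 200-then-500 sequence within a short window. The log lines, client addresses, URI and timestamps are constructed for the example; the window length is an assumed tuning parameter.

```python
"""Hunt IIS W3C logs for POST requests that returned 200 and then 500 from the
same client to the same URI within a short window (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log in IIS W3C extended format. Addresses, URI and times
# are made up for this example; IIS writes spaces inside fields as '+', so a
# plain whitespace split is safe for real logs as well.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-05-01 10:15:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 120
2020-05-01 10:15:09 10.0.0.5 POST /upload-handler.axd - 443 - 198.51.100.7 python-requests/2.23 200 0 0 843
2020-05-01 10:15:31 10.0.0.5 POST /upload-handler.axd - 443 - 198.51.100.7 python-requests/2.23 500 0 0 31022
2020-05-01 10:16:02 10.0.0.5 POST /upload-handler.axd - 443 - 198.51.100.7 python-requests/2.23 500 0 0 29870
2020-05-01 10:20:44 10.0.0.5 POST /login.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 0 0 95
2020-05-01 11:40:00 10.0.0.5 GET /missing.aspx - 443 - 203.0.113.9 Mozilla/5.0 500 0 0 12
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    Directive lines (#Software, #Version, #Date, ...) are skipped; a data line
    whose column count does not match the directive is ignored as malformed.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def find_post_200_500_pairs(rows, window_seconds=300):
    """Return (client_ip, uri, time_of_200, time_of_500) for each client/URI pair
    whose POST got a 200 and then a 500 within window_seconds (assumed default)."""
    events = defaultdict(list)
    for row in rows:
        if row.get("cs-method") != "POST":
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        events[(row["c-ip"], row["cs-uri-stem"])].append((ts, row["sc-status"]))

    hits = []
    for (client, uri), seq in events.items():
        seq.sort()
        for i, (t_ok, status) in enumerate(seq):
            if status != "200":
                continue
            # look forward for the first 500 inside the window
            for t_err, later_status in seq[i + 1:]:
                if (t_err - t_ok).total_seconds() > window_seconds:
                    break
                if later_status == "500":
                    hits.append((client, uri, t_ok, t_err))
                    break
    return hits


if __name__ == "__main__":
    for client, uri, t_ok, t_err in find_post_200_500_pairs(parse_iis_log(SAMPLE_LOG)):
        print(f"{client} POST {uri}: 200 at {t_ok.time()} then 500 at {t_err.time()}")
```

Run it against a real log by reading the file into the text argument; a hit is a lead, not a verdict, so pair it with the time-taken column (the 500s above are slow, as the text describes for a frozen worker) and with process telemetry from the same host.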
Execution and evasion
The primary payload distributed by Blue Mockingbird is a version of XMRIG packaged as a DLL. XMRIG is a popular, open-source Monero-mining tool that adversaries can easily compile into custom tooling. During the incidents, we noted three distinct uses.
The first use was execution with rundll32.exe explicitly calling the DLL export fackaaxv (T1218.011: Rundll32). This export seems unique to this actor’s payloads and doesn’t seem to occur elsewhere in the wild:
The next use was execution with regsvr32.exe and the /s command-line option (T1218.010: Regsvr32). Supplying the /s switch executes the DllRegisterServer export exposed by the DLL payload. This export ultimately passed control of execution into the function that
regsvr32.exe /s dialogex.dll
The final execution path was with the payload configured as a Windows Service DLL (T1569.002: Service Execution). Once configured, execution of the service invoked the export ServiceMain, which again passed control to
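The three execution paths above, plus the EDR observation earlier that suspicious child processes appear under the web server, translate into a small set of process-creation rules. The block below is an added example written for this page, not code from the original post: it evaluates Sysmon-style process-creation records (constructed here) and flags a shell spawned by the IIS worker, rundll32.exe invoking an explicit export (with the fackaaxv export treated as a high-confidence match), and regsvr32.exe /s loading a DLL from outside the Windows system directories. That w3wp.exe is the parent process the text refers to, the C:\Windows\Temp path, and the field names Image, ParentImage and CommandLine are assumptions of the example. The service-DLL path is not visible in process creation alone and is not covered here.

```python
"""Flag the rundll32 / regsvr32 / IIS-worker execution patterns in
process-creation telemetry (added example, constructed records)."""
import ntpath
import re

IIS_WORKER = "w3wp.exe"                     # assumption: parent process referred to in the text
SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32[.exe] <dll>,<export>; unquoted DLL paths only (paths with spaces in
# quotes are a known limitation of this simple pattern)
RUNDLL32_EXPORT = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",\s]+\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

# Constructed Sysmon-style records (field names are an assumption of the example).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c dir'},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\Temp\dialogex.dll,fackaaxv"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\Temp\dialogex.dll"},
    {"ParentImage": r"C:\Windows\explorer.exe",            # benign control-panel launch
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",    # benign silent registration
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def analyze_event(event):
    """Return a list of (rule_name, detail) findings for one process-creation record."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    findings = []

    # EDR observation from the text: shells spawned by the web server worker
    if parent == IIS_WORKER and image in SHELLS:
        findings.append(("iis_worker_spawned_shell", f"{parent} -> {image}"))

    # T1218.011: rundll32 calling an explicit export
    if image == "rundll32.exe":
        m = RUNDLL32_EXPORT.search(cmd)
        if m:
            dll, export = m.group("dll"), m.group("export")
            if export.lower() == "fackaaxv":
                findings.append(("rundll32_fackaaxv_export", dll))
            elif not in_system_dir(dll):
                findings.append(("rundll32_export_from_unusual_path", f"{dll},{export}"))

    # T1218.010: regsvr32 /s on a DLL outside the system directories
    if image == "regsvr32.exe":
        toks = [t.lower() for t in tokens(cmd)]
        dlls = [t for t in toks if t.endswith(".dll")]
        if "/s" in toks and dlls and not in_system_dir(dlls[0]):
            findings.append(("regsvr32_silent_unusual_dll", dlls[0]))

    return findings


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for rule, detail in analyze_event(ev):
            print(f"event {i}: {rule}: {detail}")
```

The two benign records show why the path check matters: rundll32 and regsvr32 are used constantly by legitimate software, so the rules key on the export name the text calls unique and on DLLs loaded from user-writable locations rather than on the binaries themselves.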
Come for the exploit, stay for the mining
Blue Mockingbird leveraged multiple techniques for persistence during incidents. The most novel technique was the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders (T1559.001: Component Object Model). To use COR_PROFILER, they used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload.
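Because the persistence described above lives entirely in the registry (the environment-variable keys plus a COM class registration that resolves the profiler CLSID to a DLL), a defender can audit it from a registry export without running anything on the host. The following is an added example, not code from the original post: it parses a .reg export and reports every environment key in which CLR profiling is enabled, resolving the loaded DLL either from COR_PROFILER_PATH or from the InprocServer32 default value of the CLSID named in COR_PROFILER. COR_ENABLE_PROFILING and COR_PROFILER_PATH are the standard CLR profiler variables and are not named on the page; the export text, CLSID and DLL path are constructed placeholders.

```python
"""Audit a .reg export for a COR_PROFILER-based persistence configuration
(added example; the registry content below is constructed)."""
import re

# Constructed registry export. The CLSID and DLL path are placeholders, not
# indicators from the original post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Environment]
"Path"="C:\\Users\\alice\\bin"
"COR_ENABLE_PROFILING"="1"
"COR_PROFILER"="{00000000-0000-0000-0000-00000000c0de}"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-00000000c0de}\InprocServer32]
@="C:\\Windows\\Temp\\profiler.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TEMP"="C:\\Windows\\TEMP"
"""

# Machine-wide and per-user environment keys that feed every new process.
ENV_KEYS = (
    r"HKEY_CURRENT_USER\Environment",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
)

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the key's default value is stored as '@'.

    Quoted string data is unescaped (\\\\ -> \\, \\" -> "), dword:XXXXXXXX becomes
    an int, and any other data type is kept as the raw token.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name = m.group("name") or "@"
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            tree[current][name] = data
    return tree


def audit_cor_profiler(tree):
    """Return (env_key, clsid, dll_path) for each environment key with profiling on.

    dll_path comes from COR_PROFILER_PATH if set, otherwise from the CLSID's
    InprocServer32 default under HKCU or HKLM (the COM hijack); None if unresolved.
    """
    by_path = {k.lower(): v for k, v in tree.items()}
    findings = []
    for key in ENV_KEYS:
        env = {n.upper(): v for n, v in by_path.get(key.lower(), {}).items()}
        if str(env.get("COR_ENABLE_PROFILING", "0")) != "1":
            continue
        clsid = env.get("COR_PROFILER")
        dll = env.get("COR_PROFILER_PATH")
        if dll is None and clsid:
            for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
                inproc = by_path.get(f"{hive}\\software\\classes\\clsid\\{clsid}\\inprocserver32".lower(), {})
                if "@" in inproc:
                    dll = inproc["@"]
                    break
        findings.append((key, clsid, dll))
    return findings


if __name__ == "__main__":
    for key, clsid, dll in audit_cor_profiler(parse_reg(SAMPLE_REG)):
        print(f"{key}: COR_ENABLE_PROFILING=1 COR_PROFILER={clsid} -> {dll}")
```

On a live system the same export is produced by reg.exe export of the two environment keys and of HKCU\Software\Classes\CLSID; a hit under the per-user hive is the interesting case, since a user-writable CLSID registration is what lets a non-privileged account redirect every .NET process's profiler load.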