
Keeping tabs on Blue Mockingbird

Watch Red Canary Intelligence Analyst Tony Lambert share some new developments on the Blue Mockingbird Monero miner and walk through how to detect this rising threat.

Tony Lambert

Since disclosing the Blue Mockingbird Monero miner back in May, we’ve heard from readers all over the world who recognized the activity on their own systems. These new incidents underscore the opportunistic nature of this threat, as many organizations may not realize that they’re running an application that uses the Telerik UI toolset.

In this video, Red Canary Intelligence Analyst Tony Lambert walks through a detailed detection review of what Blue Mockingbird looks like on enterprise systems, touching on the following:

  • Why service accounts are particularly vulnerable to this threat
  • Novel persistence methods leveraging COR_PROFILER and Windows Event subscriptions
  • A breakdown of the multi-purpose payload
  • An outlier incident: we’re still figuring out how this thing works!

EDITOR’S NOTE: The narration at 6:23 incorrectly states that, “Prior to compromise, this [wercplsupport] service start-type should be ‘auto’ instead of ‘manual’.” The slide, however, correctly states that the default start-type configuration is in fact “manual.” The adversary modified the start-type and set it to “auto.”
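A host-side audit that covers the three indicators this post and its editor's note point at, written here as an added example and not code from Red Canary or from the video: it checks the `wercplsupport` start mode against the default of Manual stated in the note, looks for the CLR profiler environment variables that the COR_PROFILER persistence mechanism relies on, and lists permanent WMI event subscriptions for review. Assumptions not stated on this page: that the COR_PROFILER persistence uses the standard `COR_ENABLE_PROFILING`, `COR_PROFILER` and `COR_PROFILER_PATH` variables in the machine or user environment hive, and that the "Windows Event subscriptions" in the bullet list are permanent WMI subscriptions in the `root/subscription` namespace. Run it in an elevated PowerShell session; it only reads configuration and changes nothing.

```powershell
# Added audit example (not Red Canary's code). Assumes: wercplsupport defaults to
# StartMode 'Manual' (per the editor's note); COR_PROFILER persistence sets the
# standard CLR profiler environment variables; event-subscription persistence
# lives in the WMI root/subscription namespace.

$findings = @()

# 1. wercplsupport start mode. The note says the adversary changed Manual -> Auto.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wercplsupport'"
if ($null -ne $svc -and $svc.StartMode -ne 'Manual') {
    $findings += "wercplsupport StartMode is '$($svc.StartMode)' (expected 'Manual')"
}

# 2. CLR profiler variables in the machine-wide and current-user environment.
#    A profiler path set here is loaded by every .NET process that starts.
$envKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
    'HKCU:\Environment'
)
$profilerVars = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH'
foreach ($key in $envKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $profilerVars) {
        if ($null -ne $props.$name) {
            $findings += "$key has $name = '$($props.$name)'"
        }
    }
}

# 3. Permanent WMI event subscriptions: filters, consumers and the bindings that
#    join them. Most hosts have none beyond what management software installs,
#    so each entry is worth a human look rather than an automatic verdict.
$ns = 'root/subscription'
foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
    $findings += "WMI filter '$($f.Name)': $($f.Query)"
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue) {
    $findings += "WMI consumer '$($c.Name)' of class $($c.CimClass.CimClassName)"
}
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    $findings += "WMI binding: $($b.Filter) -> $($b.Consumer)"
}

if ($findings.Count -eq 0) {
    'No findings: wercplsupport is Manual, no CLR profiler variables, no WMI subscriptions.'
} else {
    $findings
}
```

The service check is deliberately a comparison against the documented default rather than a search for "Auto", so a host where the service has been disabled also surfaces; the environment and WMI checks report whatever is present and leave the judgement to the analyst, since legitimate profilers and management agents use the same mechanisms.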

Our research continues

If you think you’ve seen Blue Mockingbird activity on your own system, or if you have any questions about this threat, get in touch!
