Cryptocurrency-Mining Campaign Hits ‘Thousands’ Of Enterprises

Security researchers find attackers breaking into public-facing Windows IIS web servers to install Monero-mining malware across networks

Security researchers have warned of a threat group that has potentially already infected thousands of Windows web servers with cryptocurrency-mining malware.

The malware campaign, which computer security firm Red Canary Intel refers to as Blue Mockingbird, exploits a vulnerability in Telerik, a user interface commonly found in web applications.

Many organisations may not even be aware they are running applications that contain the vulnerable code, and as such may have already been infected, Red Canary said.

The group said companies can see if they are potentially vulnerable by checking web access logs of their Windows IIS servers for mentions of Telerik.

World Password Day: Is the Password Still Fit For Purpose?

Web apps vulnerable

“Searching the IIS access logs for entries like these is a good idea even if you don’t explicitly know whether you use Telerik UI, as some web applications require the suite as a dependency behind the scenes,” Red Canary said in an advisory.

The Blue Mockingbird attacks all have in common that they use the Telerik CVE-2019-18935 vulnerability as a point of entry, the firm said.

The attackers then primarily install the XMRIG tool for mining Monero cryptocurrency. In this case, XMRIG is packaged as two DLL files.

The attackers also use several techniques for ensuring their code remains on the system even in the event of a reboot, Red Canary said.

One common method is to hijack the COM_PROFILER Windows component to execute a malicious DLL and restore items removed by security systems.

In some cases the attackers seem to be using an exploit called JuicyPotato to obtain the privileges required to set up the persistence methods they are using.


In addition, the attackers are moving across local networks to infect further systems, Red Canary said.

“As with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and distribute mining payloads across an enterprise,” researchers said.

In some cases, Scheduled Tasks are created remotely to ensure the execution of the attackers’ malicious code.

Red Canary said it had observed about 1,000 infections across the organisations it monitors, meaning that there are potentially thousands more infections at other companies.

The firm said companies should focus on keeping their web servers, web applications and application dependencies up to date to block the Telerik UI vulnerability and other flaws that might be used by attackers.

Red Canary said organisations may also consider establishing a baseline of Windows Scheduled Tasks to make it easier to detect malicious Tasks.

Supercomputers across Europe were recently shut down after a campaign targeted them to install Monero-mining software via hacked logins.