Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Blue Mockingbird
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Blue Mockingbird
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)
ID: G0108
Associated Groups: 
Version: 1.3
Created: 26 May 2020
Last Modified: 10 Jul 2024

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.(Citation: RedCanary Mockingbird May 2020)
.003 Command and Scripting Interpreter: Windows Command Shell

Blue Mockingbird has used batch script files to automate execution and deployment of payloads.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1574 .012 Hijack Execution Flow: COR_PROFILER

Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Blue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1588 .002 Obtain Capabilities: Tool

Blue Mockingbird has obtained and used tools such as Mimikatz.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.(Citation: RedCanary Mockingbird May 2020)
.002 Remote Services: SMB/Windows Admin Shares

Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.(Citation: RedCanary Mockingbird May 2020)

.011 System Binary Proxy Execution: Rundll32

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)

Enterprise T1569 .002 System Services: Service Execution

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.(Citation: RedCanary Mockingbird May 2020)

Software
ID Name References Techniques
S1144 FRP (Citation: DFIR Phosphorus November 2021) (Citation: FRP GitHub) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023) (Citation: RedCanary Mockingbird May 2020) JavaScript, Symmetric Cryptography, Protocol Tunneling, Proxy, System Network Connections Discovery, Multi-hop Proxy, Asymmetric Cryptography, Non-Application Layer Protocol, Web Protocols, Network Service Discovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: RedCanary Mockingbird May 2020) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync

References

  1. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.