Introduction
Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019 [2].
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1059.001 PowerShell
- T1574.012 COR_PROFILER
- T1546.003 Windows Management Instrumentation Event Subscription
- T1082 System Information Discovery
- T1543.003 Windows Service
- T1053.005 Scheduled Task
- T1090 Proxy
- T1047 Windows Management Instrumentation
- T1059.003 Windows Command Shell
- T1003.001 LSASS Memory
- T1218.011 Rundll32
- T1134 Access Token Manipulation
- T1496.001 Compute Hijacking
- T1027.013 Encrypted/Encoded File
- T1112 Modify Registry
- T1569.002 Service Execution
- T1190 Exploit Public-Facing Application
- T1021.001 Remote Desktop Protocol
- T1218.010 Regsvr32
- T1021.002 SMB/Windows Admin Shares
- T1036.005 Match Legitimate Resource Name or Location
- T1588.002 Tool
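Two of the persistence techniques listed above, T1574.012 (COR_PROFILER) and T1546.003 (WMI event subscription), leave inspectable state on the host. The script below is an added hunting example written for this page; it is not code from the original page, from Red Canary, or from any Blue Mockingbird sample. It assumes Windows PowerShell 5.1 or later running elevated on the host being examined, reads state only, and changes nothing. The environment-variable names and registry locations are the documented .NET runtime profiling settings; the `root\subscription` classes are the standard WMI event-subscription classes.

```powershell
# Added hunting script for two Blue Mockingbird persistence techniques.
# Not from the original page or from Red Canary. Read-only; run elevated.

# --- T1574.012: COR_PROFILER -------------------------------------------------
# The .NET runtime loads a profiler DLL into every managed process it starts
# when COR_ENABLE_PROFILING=1 and COR_PROFILER (a CLSID) are set; COR_PROFILER_PATH
# names the DLL directly and skips the CLSID lookup. .NET Core uses the CORECLR_*
# names. Set machine-wide or per-user in the registry, these survive reboots.
$envKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
    'HKCU:\Environment'
)
$profilerVars = @(
    'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
    'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'
)

$profilerHits = foreach ($key in $envKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($name in $profilerVars) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        $hit = [pscustomobject]@{
            Technique   = 'T1574.012'
            Location    = $key
            Name        = $name
            Value       = $prop.Value
            ResolvedDll = $null
        }
        # A CLSID in COR_PROFILER only matters if it resolves to a DLL; the
        # InprocServer32 default value under HKCR\CLSID\{GUID} is that DLL path.
        if ($name -like '*_PROFILER' -and $prop.Value -match '^\{[0-9A-Fa-f-]+\}$') {
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($prop.Value)\InprocServer32"
            if (Test-Path $clsidKey) {
                $hit.ResolvedDll = (Get-ItemProperty -Path $clsidKey).'(default)'
            }
        }
        $hit
    }
}

# --- T1546.003: WMI event subscription ---------------------------------------
# WMI persistence needs three objects in root\subscription: an __EventFilter
# (the WQL trigger), an __EventConsumer (the payload: CommandLineEventConsumer
# runs a command, ActiveScriptEventConsumer runs script text), and a
# __FilterToConsumerBinding tying them together. A clean workstation normally
# has none of these beyond vendor-installed entries you can account for.
$ns = 'root\subscription'
$wmiHits = @(
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object {
        [pscustomobject]@{ Technique = 'T1546.003'; Kind = 'Filter';
                           Name = $_.Name; Detail = $_.Query }
    }
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
        # Only one of these properties exists per consumer class; the other is $null.
        $payload = @($_.CommandLineTemplate, $_.ScriptText) | Where-Object { $_ }
        [pscustomobject]@{ Technique = 'T1546.003'; Kind = 'Consumer';
                           Name = $_.Name; Detail = ($payload -join ' ') }
    }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        [pscustomobject]@{ Technique = 'T1546.003'; Kind = 'Binding';
                           Name = "$($_.Filter)"; Detail = "$($_.Consumer)" }
    }
)

# --- Report ------------------------------------------------------------------
if (-not $profilerHits -and -not $wmiHits) {
    Write-Output 'No COR_PROFILER environment variables or WMI subscriptions found.'
} else {
    $profilerHits | Format-List
    $wmiHits      | Format-Table -AutoSize -Wrap
}
```

Treat any COR_PROFILER hit as suspect until the DLL it points to is identified; legitimate APM and debugging agents set these variables too, so the triage step is the file path and signer of the resolved DLL, not the mere presence of the variable. For the WMI output, a filter whose query fires on a timer or on process start, bound to a consumer that launches rundll32.exe or regsvr32.exe against a DLL, is the pattern to escalate.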
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Blue Banana:
- CyberGate:
- Cyber Eye RAT:
- Windows Remote Desktop:
MITRE ATT&CK Software
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[2] Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Red Canary. Retrieved May 26, 2020.