← threatfilter.dev / all groups / Blue Mockingbird

Blue Mockingbird

Overview

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.

Capabilities

Exploitation of public-facing / client applications — ATT&CK T1190

TTPs — 22 techniques across 12 tactics

Resource Development

T1588.002 Tool

Command and Control

T1090 Proxy

Impact

T1496.001 Compute Hijacking

Tools & malware (2)

FRP · Mimikatz

Reporting (1)

Introducing Blue Mockingbird — Lambert, T

Overview

Capabilities

TTPs — 22 techniques across 12 tactics

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

Defense Impairment

Credential Access

Discovery

Lateral Movement

Command and Control

Impact

Tools & malware (2)

Reporting (1)