Blue Mockingbird
Overview
Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 22 techniques across 12 tactics
Resource Development
- T1588.002 Tool
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1569.002 Service Execution
Persistence
- T1543.003 Windows Service
Privilege Escalation
Stealth
- T1027.013 Encrypted/Encoded File
- T1036.005 Match Legitimate Resource Name or Location
- T1134 Access Token Manipulation
- T1218.010 Regsvr32
- T1218.011 Rundll32
- T1574.012 COR_PROFILER
Defense Impairment
- T1112 Modify Registry
Credential Access
- T1003.001 LSASS Memory
Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
Command and Control
- T1090 Proxy
Impact
- T1496.001 Compute Hijacking
Tools & malware (2)
FRP · Mimikatz
Reporting (1)
- Introducing Blue Mockingbird — Lambert, T