Blue Mockingbird
Aliases: None listed
Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.
ATT&CK techniques
T1059.001 PowerShell
T1574.012 COR_PROFILER
T1546.003 Windows Management Instrumentation Event Subscription
T1082 System Information Discovery
T1543.003 Windows Service
T1053.005 Scheduled Task
T1090 Proxy
T1047 Windows Management Instrumentation
T1059.003 Windows Command Shell
T1003.001 LSASS Memory
T1218.011 Rundll32
T1134 Access Token Manipulation
T1496.001 Compute Hijacking
T1027.013 Encrypted/Encoded File
T1112 Modify Registry
T1569.002 Service Execution
T1190 Exploit Public-Facing Application
T1021.001 Remote Desktop Protocol
T1218.010 Regsvr32
T1021.002 SMB/Windows Admin Shares
T1036.005 Match Legitimate Name or Location
T1588.002 Tool