Telerik UI exploitation leads to cryptominer, Cobalt Strike infections

An unknown threat actor exploits CVE-2019-18935, a .NET deserialization flaw in the RadAsyncUpload handler of Telerik UI for ASP.NET AJAX, to take control of Windows IIS servers, drop a Cobalt Strike beacon, and stage further malware through encoded PowerShell commands. Sophos MTR notes overlaps with earlier Blue Mockingbird and Netwalker activity, a reminder that a years-old flaw still pays off for attackers and that established chains get refined rather than replaced. #CVE-2019-18935 #TelerikUI #CobaltStrike #XMRigMiner #BlueMockingbird #Netwalker #PowerShell

Keypoints

  • CVE-2019-18935 in Telerik UI for ASP.NET AJAX is exploited to write a Cobalt Strike beacon DLL to disk on vulnerable Windows IIS servers; the DLL then runs inside the IIS worker process (w3wp.exe).
  • Attackers run Base64-encoded PowerShell commands to download and execute additional malware from the C2 server.
  • The initial DLL usually lands in C:\Windows\Temp with a timestamped filename, so the filename itself records when exploitation took place.
  • XMRig Miner (crby26td.exe) and its JSON config (a.json) are downloaded and used to mine cryptocurrency on compromised hosts.
  • Persistence and lateral movement use a Group Policy Object (GPO) that pushes one-shot scheduled tasks to workstations; the tasks write encoded data to the registry.
  • A permanent WMI event subscription with an ActiveScriptEventConsumer named WindowsUpdate downloads and executes malware from the C2 server.
  • There are historical links to Blue Mockingbird, but the infections observed here differ in payload order and techniques; CVE-2019-18935 remains actively exploited in the wild.
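The three host artefacts above (the timestamped drop in C:\Windows\Temp, the WindowsUpdate WMI consumer, and the GPO-created tasks in the TaskCache) can be hunted for directly on a suspect IIS server. The script below is an added example written for this page, not code from the Sophos report; only the drop directory, the consumer name and the TaskCache key come from the page. The all-digit filename pattern (interpreted as Unix epoch seconds), the 30-day window and the keyword list are assumptions. Run it elevated.

```powershell
# Added hunting script (not from the Sophos report). Assumptions are marked inline.

# 1. Exploitation of the Telerik RAU handler writes the payload DLL to C:\Windows\Temp
#    under a timestamped name. Assumption: the name is Unix epoch seconds, so it can be
#    turned back into the moment the exploit request landed.
function Find-TelerikDropArtifacts {
    param([string]$Path = 'C:\Windows\Temp')
    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d{9,10}$' } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                NameAsUtc  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$_.BaseName).UtcDateTime
                CreatedUtc = $_.CreationTimeUtc
                SizeBytes  = $_.Length
            }
        }
}

# 2. Permanent WMI subscriptions. The actor used an ActiveScriptEventConsumer named
#    "WindowsUpdate" that pulls the next stage from the C2; any consumer whose script
#    body reaches out to the network or unpacks Base64 is worth a look (keyword list is an assumption).
function Get-WmiPersistence {
    $ns = 'root\subscription'
    foreach ($class in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer') {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue | ForEach-Object {
            $body = if ($class -eq 'ActiveScriptEventConsumer') { $_.ScriptText } else { $_.CommandLineTemplate }
            [pscustomobject]@{
                Class      = $class
                Name       = $_.Name
                Suspicious = ($_.Name -eq 'WindowsUpdate') -or
                             ($body -match '(?i)http|DownloadString|DownloadFile|FromBase64String')
                Body       = $body
            }
        }
    }
}

# 3. Tasks pushed by the GPO are registered in the TaskCache; the actor's tasks also parked
#    encoded data under their registry key, so unexpected value names are a signal.
function Get-RecentTaskCacheEntries {
    param([datetime]$Since = (Get-Date).AddDays(-30))   # assumption: 30-day window
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p    = Get-ItemProperty -Path $_.PSPath
        $date = [datetime]::MinValue
        if ($p.Date) { [void][datetime]::TryParse([string]$p.Date, [ref]$date) }
        [pscustomobject]@{
            TaskId     = $_.PSChildName
            Path       = $p.Path
            Author     = $p.Author
            Date       = $date
            ValueNames = ($_.GetValueNames() -join ', ')
        }
    } | Where-Object { $_.Date -ge $Since }
}

# Usage on the suspect host
Find-TelerikDropArtifacts | Format-Table -AutoSize
Get-WmiPersistence | Where-Object Suspicious | Format-List
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Format-List Filter, Consumer
Get-RecentTaskCacheEntries | Sort-Object Date | Format-Table -AutoSize
```

The NameAsUtc column should agree with the DLL's CreatedUtc to within seconds; a large gap means either the name is not an epoch value or the file was copied rather than dropped by the exploit. The __FilterToConsumerBinding listing shows which __EventFilter fires the consumer, which tells you how often the second stage is re-fetched.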

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The threat actor exploited CVE-2019-18935 to write a Cobalt Strike beacon DLL to disk. “The attackers exploited the vulnerability (designated CVE-2019-18935) to deliver a Cobalt Strike beacon (in the form of a DLL payload) to disk.”
  • [T1059.001] PowerShell – After the Cobalt Strike payload ran, the attackers executed a Base64-encoded PowerShell command to fetch and run further malware from the C2 server. “Following execution of the Cobalt Strike payload, the attackers then ran a Base64-encoded PowerShell command…”
  • [T1105] Ingress Tool Transfer – That PowerShell command downloads the additional malware (miner, config and downloaders) from the C2 server. “to download and run additional malware from the C2 server.”
  • [T1053.005] Scheduled Task – A GPO pushed scheduled tasks with unique names that ran once on each workstation and wrote encoded data to the registry. “scheduled tasks with unique names, which ran only once, across workstations…”
  • [T1047] Windows Management Instrumentation – An ActiveScriptEventConsumer named WindowsUpdate, bound in a permanent WMI event subscription, downloads and executes malware from the C2 server. “Windows Management Instrumentation (WMI) ActiveScriptEvent consumer named WindowsUpdate, to download and execute malware from the C2 server.”
  • [T1574.012] Hijack Execution Flow: COR_PROFILER – Blue Mockingbird historically persisted by registering a malicious .NET profiler DLL through COR_PROFILER, a technique often described as a COM hijack. “COR_PROFILER COM hijack for persistence…”
  • [T1027] Obfuscated Files and Information – The second stage is gzip-compressed and XOR-encoded; the PowerShell loader reverses both steps in memory before execution. “encoded with gunzip and XOR”
  • [T1055] Process Injection – The deserialization bug loads the uploaded DLL inside the IIS worker process, so the beacon runs in the context of w3wp.exe. “executed in the context of the w3wp.exe process”
  • [T1496] Resource Hijacking – XMRig Miner, a legitimate open-source miner, is used to mine Monero on the compromised host. “XMRig Miner, a legitimate open-source cryptocurrency miner designed to mine for Monero”
  • [T1059.003] Windows Command Shell – The setup downloader spawns cmd.exe and injects itself into that process. “spawns cmd.exe for self-injection”
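The T1059.001 and T1027 entries describe a layered launch: a Base64 (UTF-16LE) command line, a gzip-compressed script inside it, and an XOR-encoded blob inside that. The decoder below is an added example written for this page, not the Sophos report's code. The command line it decodes is constructed by New-SampleCommandLine in the same block; the stage layout and the XOR key of 35 are assumptions modelled on common Cobalt Strike PowerShell stagers, not values taken from the report, and a real case must take the key from the captured loader (the script pulls it from the -bxor literal it finds).

```powershell
# Added decoder (not from the Sophos report). The sample and the XOR key are constructed/assumed.

function ConvertFrom-EncodedCommandLine {
    # powershell.exe accepts -e, -ec, -en, -enc ... -encodedcommand; the argument is
    # Base64 over the UTF-16LE bytes of the script, which is why plain Base64 tools mangle it.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
    return $null
}

function Get-EmbeddedBase64 {
    # First FromBase64String('...') literal in a script body, or $null.
    param([Parameter(Mandatory)][string]$Script)
    if ($Script -match 'FromBase64String\([''"]([A-Za-z0-9+/=]+)[''"]\)') { return $Matches[1] }
    return $null
}

function Expand-GzipBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $in  = New-Object IO.MemoryStream(,$Bytes)
    $gz  = New-Object IO.Compression.GzipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $out = New-Object IO.MemoryStream
    $gz.CopyTo($out); $gz.Dispose()
    return ,$out.ToArray()
}

function Compress-GzipBytes {   # only needed to build the constructed sample
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $out = New-Object IO.MemoryStream
    $gz  = New-Object IO.Compression.GzipStream($out, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($Bytes, 0, $Bytes.Length); $gz.Dispose()
    return ,$out.ToArray()
}

function Invoke-XorBytes {
    # Single-byte XOR is its own inverse, so the same function encodes and decodes.
    param([Parameter(Mandatory)][byte[]]$Bytes, [Parameter(Mandatory)][byte]$Key)
    return ,[byte[]]($Bytes | ForEach-Object { $_ -bxor $Key })
}

function New-SampleCommandLine {
    # Constructed sample: stage 3 is XOR'd (assumed key 35) and Base64'd into stage 2;
    # stage 2 is gzip'd and Base64'd into the stage-1 loader; stage 1 is passed via -enc.
    $stage3 = [Text.Encoding]::UTF8.GetBytes('Write-Output "stage three: beacon would start here"')
    $xorB64 = [Convert]::ToBase64String((Invoke-XorBytes -Bytes $stage3 -Key 35))
    $stage2 = "`$p = [Convert]::FromBase64String('$xorB64') | ForEach-Object { `$_ -bxor 35 }"
    $gzB64  = [Convert]::ToBase64String((Compress-GzipBytes ([Text.Encoding]::UTF8.GetBytes($stage2))))
    $stage1 = "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('$gzB64'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    return 'powershell.exe -nop -w hidden -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage1))
}

# Walk the layers the way an analyst would, starting from the captured command line.
$cmdline = New-SampleCommandLine
$stage1  = ConvertFrom-EncodedCommandLine -CommandLine $cmdline
$stage2  = [Text.Encoding]::UTF8.GetString((Expand-GzipBytes ([Convert]::FromBase64String((Get-EmbeddedBase64 $stage1)))))
$key     = if ($stage2 -match '-bxor\s+(\d+)') { [byte]$Matches[1] } else { throw 'no single-byte XOR key found in stage 2' }
$stage3  = [Text.Encoding]::UTF8.GetString((Invoke-XorBytes -Bytes ([Convert]::FromBase64String((Get-EmbeddedBase64 $stage2))) -Key $key))
"stage 1: $stage1"; "stage 2: $stage2"; "stage 3: $stage3"
```

On a real sample the stage-3 bytes are usually shellcode rather than text, so stop at Invoke-XorBytes and hand the byte array to a disassembler or a Cobalt Strike config parser instead of decoding it as UTF-8. If stage 2 has no -bxor literal, the loader is using a different encoding and the key must be recovered from whatever arithmetic it performs on each byte.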

Indicators of Compromise

  • [File] crby26td.exe – XMRig Miner payload dropped in C:\Windows\Temp as part of the download chain (two further file hashes are not reproduced on this page)
  • [File] a.json – JSON mining configuration consumed by XMRig Miner
  • [File] setup192.exe – downloader component, detected by Sophos as Troj/Miner-AED
  • [File] tuh25o6n.exe – downloader component, detected by Sophos as Troj/DwnLd-ADF
  • [Process] w3wp.exe – IIS worker process in which the Cobalt Strike DLL executes in memory
  • [Registry] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{unique_task_name} – task-cache key under which the GPO-created scheduled task wrote encoded data
  • [Directory] C:\Windows\Temp – drop location for the DLL payloads
  • [URL] hxxp://212.192.241[.]155:8000/a – PowerShell script download URL
  • [URL] hxxp://212.192.241[.]155/up/setup.exe – additional binary download URL
  • [IP] 212.192.241[.]155 – attacker-controlled host serving payloads (C2-related)
  • [IP] 212.192.241[.]155:8000 – listener on port 8000 serving the PowerShell script at /a

Read more: https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/