Attackers Exploit Telerik UI to Deliver Cryptominer and Cobalt Strike

Industry: N/A | Level: Tactical | Source: Sophos

Sophos researchers noticed the reuse of tactics, techniques, and procedures (TTPs) by attackers when exploiting Telerik UI vulnerability CVE-2019-18935 to initially deliver Cobalt Strike and download additional payloads. The attack pattern has been since the vulnerability was disclosed, as shared by Sophos "In the incidents we investigated, the threat actor exploited the vulnerability (designated CVE-2019-18935) to deliver a Cobalt Strike beacon (in the form of a DLL payload) to disk, then used the beacon to execute encoded PowerShell commands, which downloaded more malware, and established persistence on the servers through some novel methods." The observed attack chain commenced with the exploit of the Telerik UI vulnerability and delivering a Cobalt Strike DLL payload that often lands in the C:\Windows\Temp directory. The attacker would run encoded PowerShell commands to download and execute additional malware from the command and control server. Malware would be downloaded on the victim's host includes an executable injecting itself into cmd.exe, the XMRig Miner cryptominer, and a configuration JSON file for cryptomining. Observed in a different environment that was exploited with Telerik UI vulnerability, a similar attack pattern was discovered however, the attacker also established persistence through group policy objects and a scheduled task. The threat actor responsible for the attacker is currently unknown, while there is a correlation with the Blue Mockingbird threat actor having exploited CVE-2019-18935 in May 2020, many of the group's typical TTPs were absent in the observed incidents.

Anvilogic Scenario:

• Cobalt Strike or GPO leads to PowerShell & Cryptomining

Anvilogic Use Cases:

• Cobalt Strike Beacon
• Suspicious File written to Disk
• Modify Registry Key
• Modify Group Policy
• Suspicious Executable by CMD.exe