Cybercriminals are using a deserialization vulnerability, CVE-2019-18935, to achieve remote code execution. The vulnerability lies specifically in the RadAsyncUpload function in the Progress Telerik UI front-end offering for ASP.NET AJAX. According to the analysis, the activity appears to stretch back to December and to have continued through at least April. The attackers are deploying the XMRig Monero-mining payload in dynamic-link library (DLL) form on Windows systems, then executing it and establishing persistence using multiple techniques. The infection propagates laterally through the network.
Source: https://threatpost.com/blue-mockingbird-monero-mining/155581/

