New crypto mining worm linked to global campaign


Tangerine Turkey is a Visual Basic Script (VBS) worm that spreads via USB drives and deploys crypto mining malware to generate cryptocurrency for attackers.

The worm uses a technique called DLL hijacking, manipulating the legitimate printui.exe file to deliver its payload, according to experts at Red Canary, a cybersecurity firm.

Red Canary observed Tangerine Turkey in November last year – hence, the name – and noted it was an ongoing threat that may be connected to the worldwide Universal Mining operation.


The widespread crypto mining campaign was first detailed by Azerbaijan’s CERT in October. It uses VBS worms and has reportedly infected over 270,000 systems across 135 countries.

Despite its widespread nature, the campaign was “relatively under-reported,” Red Canary’s Stef Rand said in a blog post, adding that it was “still going strong, possibly with new malware variants.”


Tangerine Turkey was found to use XMRig and Zephyr Miner as its mining software, both designed to extract cryptocurrency covertly. Zephyr Miner targets Zephyr, a stablecoin created in 2023.

The malware is delivered via USB drives, executing malicious files to install and manipulate system binaries. Key indicators of compromise include relocated printui.exe files and the presence of unusual folders or scripts on infected systems.

Security experts advise monitoring unusual file locations, particularly a printui.exe found outside its default directory, which is a telltale sign of this activity.
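The check described above, written as an added example that is not part of the article or of Red Canary's own tooling: it runs over a few constructed process-creation records and flags any printui.exe executing from outside its default directories. The expected directories (System32 and SysWOW64 under C:\Windows) and all sample paths are assumptions, not indicators from the article.

```python
import ntpath
from dataclasses import dataclass

# Assumption: default locations of printui.exe on a 64-bit Windows install
# with %SystemRoot% = C:\Windows. Adjust for non-standard installs.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record, modelled on EDR/Sysmon telemetry."""
    image: str          # full path of the binary that was executed
    parent_image: str   # full path of the parent process
    command_line: str


def is_relocated_printui(event: ProcessEvent) -> bool:
    """True when printui.exe runs from anywhere but its default directories.

    Path comparison is case-insensitive and tolerates forward slashes and
    redundant separators, so a copy in a USB or user-writable folder is caught.
    """
    directory, name = ntpath.split(event.image)
    if name.lower() != "printui.exe":
        return False
    return ntpath.normpath(directory).lower() not in EXPECTED_DIRS


def flag_events(events):
    """Return the events that match the relocated-printui.exe indicator."""
    return [e for e in events if is_relocated_printui(e)]


# Constructed sample events (placeholder paths, not real indicators).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\printui.exe",
                 r"C:\Windows\explorer.exe", "printui.exe /s /t2"),
    ProcessEvent("C:/Windows/SysWOW64/printui.exe",
                 r"C:\Windows\explorer.exe", "printui.exe"),
    ProcessEvent(r"E:\CONSTRUCTED_USB_DIR\printui.exe",
                 r"C:\Windows\System32\wscript.exe", "printui.exe"),
    ProcessEvent(r"C:\Users\Public\CONSTRUCTED_DIR\printui.exe",
                 r"C:\Windows\System32\cmd.exe", "printui.exe"),
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT relocated printui.exe: {hit.image} (parent {hit.parent_image})")
```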
