Plug In, Get Hacked: A USB Cryptomining Attack Exposed


by Sandeep Babu, from Techreport

Key takeaways:

  • A multi-stage USB cryptomining attack uses DLL hijacking and PowerShell to install hidden miners on your computer.
  • The most targeted industries include financial, healthcare, education, and telecom sectors.
  • EDR tools, strict USB usage policies, and regular employee awareness training are effective in mitigating such USB-based attacks.

A multi-stage USB cryptomining attack is currently underway. If successful, it can allow cybercriminals to use your system to mine cryptocurrency without your knowledge.

According to CyberProof's findings, an infected USB device could lead to a backdoor infection and allow cryptomining through a multi-stage attack.

The attack leveraged dynamic-link library (DLL) search order hijacking and PowerShell to bypass security controls.

The cybersecurity firm confirmed that organizations managed to block the attack in its final stages using endpoint detection and response (EDR) tools. We will break down the full story below for a clear understanding.

Threat Advisory: CyberProof Managed Detection & Response (MDR) analysts detected an infected USB device that triggered a multi-stage attack chain, leveraging DLL search hijacking and PowerShell to bypass defenses. If left unchecked, it could lead to a backdoor infection and... pic.twitter.com/hK882nSD5z

- CyberProof (@cyberproofinc) August 18, 2025

Ongoing, but Not a New Threat

The CyberProof research team found that the USB malware attack is not new. It is linked to an earlier-reported crypto miner, theorized to be either Zephyr or XMRig.

In fact, they found that the tactics, techniques, and procedures (TTPs) used in the attack are similar to those of other cryptominer campaigns dating back to October 2024.

Tangerine Turkey - The Preceding Cryptominer

One of these cryptominers, Tangerine Turkey, was a notorious worm running on Visual Basic Script that made #8 on Red Canary's top 10 worldwide threats in 2024. Just like the one discovered now, Tangerine Turkey used a DLL hijack to deliver the cryptomining payload to infected devices.

The attack is triggered by an infected USB carrying a malicious VBScript. When the script is executed, it triggers a chain of processes, eventually downloading a malicious cryptominer on the user's system.

A malicious cryptominer, also known as a cryptojacker, is malware that secretly hijacks a victim's computer resources, such as CPU, GPU, and electricity, to mine cryptocurrency on behalf of an attacker.

The complete process involves multiple steps, from the initial USB infection to the script execution, batch file activation, and eventually the cryptominer download.


Here's a more detailed breakdown of how this USB cryptomining attack works, from its initial stage until successful infiltration and cryptominer installation.

Step 1: USB Infection Begins

A user plugs in an infected USB drive and unknowingly runs a VBScript file (named like x123456.vbs) stored in the USB's rootdir folder. This script executes through Windows Script Host (wscript.exe).

Windows Script Host (wscript.exe) is a Windows tool that runs script files such as VBScript (.vbs) or JScript (.js) directly on the system.

Step 2: Command Chain Activation

The VBScript then launches a batch file with a similar name (e.g., x123456.bat) using Command Prompt (cmd.exe) as a child process. This begins the automated file manipulation stage.

A batch file (.bat) is a simple text file containing a list of commands that Windows runs one after another through Command Prompt.

Step 3: File Copying and Directory Creation

The batch file uses xcopy.exe (a Windows command-line tool for copying files and folders) to perform two key actions:

  • It copies the legitimate printui.exe from C:\Windows\System32 into a newly created fake directory C:\Windows \System32 (note the extra space).
  • It places a malicious .dat file inside this fake directory.

Step 4: DLL Hijacking Setup

The .dat file is renamed to printui.dll in the fake directory. When the copied printui.exe runs from this location, Windows loads the malicious printui.dll instead of the legitimate one from the real System32 folder. This happens because of DLL search order rules.

When a program runs and needs a DLL (Dynamic-Link Library), Windows follows a specific order to locate it. By default, after the DLLs already loaded in the process and the system's KnownDLLs list, the first folder it checks is the one where the program's EXE is located.

The malicious printui.dll contains code designed to download a cryptominer.
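As an added example, not CyberProof's or Techreport's own detection content, the Python below turns the four steps above into detection logic run over constructed Sysmon-style process-creation and image-load events. The drive letter E:, the event field names and the rule names are assumptions; the rules key on the behaviours the article describes: wscript.exe spawning cmd.exe for a .bat file, xcopy.exe writing into a "Windows \System32" lookalike directory, a binary running from that directory, and printui.dll being loaded from anywhere other than the real System32.

```python
import ntpath
import re

# Constructed Sysmon-style events (not CyberProof's data); drive E: and file names are illustrative.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": r'cmd.exe /c "E:\rootdir\x123456.bat"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\xcopy.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /y'},
    {"id": 3, "type": "process", "image": r"C:\Windows \System32\printui.exe", "cmdline": "printui.exe"},
    {"id": 4, "type": "imageload", "image": r"C:\Windows \System32\printui.exe",
     "loaded": r"C:\Windows \System32\printui.dll"},
    # Benign control: the real printui.exe loading the real DLL must not alert.
    {"id": 5, "type": "imageload", "image": r"C:\Windows\System32\printui.exe",
     "loaded": r"C:\Windows\System32\printui.dll"},
]
# The campaign's fake directory is "Windows" + whitespace + "\System32"; the real one has no whitespace.
LOOKALIKE_SYSTEM32 = re.compile(r"^[a-z]:\\windows\s+\\system32\\?$", re.IGNORECASE)
REAL_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\?$", re.IGNORECASE)


def split_args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_lookalike_system32(directory):
    return bool(LOOKALIKE_SYSTEM32.match(directory.strip()))


def analyze(events):
    """Return (rule, event_id) pairs, one per chain stage visible in the events."""
    findings = []
    for ev in events:
        img = ntpath.basename(ev["image"]).lower()
        if ev["type"] == "process":
            parent = ntpath.basename(ev.get("parent", "")).lower()
            args = split_args(ev.get("cmdline", ""))
            # Step 2: Windows Script Host spawning cmd.exe to run a .bat file.
            if parent == "wscript.exe" and img == "cmd.exe" and any(a.lower().endswith(".bat") for a in args):
                findings.append(("wscript_spawns_batch", ev["id"]))
            # Step 3: xcopy.exe writing into the lookalike System32 directory.
            if img == "xcopy.exe" and any(is_lookalike_system32(a) for a in args):
                findings.append(("xcopy_to_lookalike_system32", ev["id"]))
            # Step 4: a binary (the copied printui.exe) executing from the lookalike directory.
            if is_lookalike_system32(ntpath.dirname(ev["image"])):
                findings.append(("exe_from_lookalike_system32", ev["id"]))
        elif ev["type"] == "imageload":
            # Step 4: printui.dll resolved from anywhere but the real System32 (search-order hijack).
            loaded_dir = ntpath.dirname(ev["loaded"])
            if ntpath.basename(ev["loaded"]).lower() == "printui.dll" and not REAL_SYSTEM32.match(loaded_dir):
                findings.append(("printui_dll_sideload", ev["id"]))
    return findings
```

Running analyze(SAMPLE_EVENTS) flags events 1 through 4, one rule each, and stays silent on the benign control event 5.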

If you find the above explanation too technical, here's a simple analogy to help you understand the attack chain.

Imagine you keep your medicine in a cabinet. One day, someone sneaks in and places a fake bottle that looks just like your real medicine. When you reach for it, you grab the fake one first, because it's right there in your cabinet.

And just like the fake medicine bottle, Windows runs the hacker's fake file first because it's sitting right where Windows expects the real one to be.

CyberProof tracked and analyzed indicators of compromise (IOCs), which are red flags that help detect cyberattacks, to assess the prevalence of the USB cryptomining attack.

The team mapped the geographical distribution of the attack; affected countries include the US, Australia, and Italy.

[Figure: geographical distribution of the attack. Source: CyberProof]

According to CyberProof research, this USB cryptomining attack was most prevalent in the following sectors:

  • Financial institutions
  • Educational institutes
  • Healthcare industry
  • Manufacturing sector
  • Telecom industry
  • Oil and gas

Although attackers and cybercriminals rarely discriminate, employees working in the above industries should be particularly alert to potential threats.

How to Stay Safe from USB Cryptomining Attacks

While USB-based cryptomining attacks are particularly insidious, they're not impossible to protect against. For one, you should avoid plugging foreign USB drives into your computer; you never know if they're infected.

Here are some more tips to protect from USB malware attacks.

1. Disable Autorun/Autoplay

Disabling autorun/autoplay prevents the automatic execution of programs on a USB device when you plug it in. While it's easy to disable autorun/autoplay on a Windows PC, the latest macOS doesn't have an autorun mechanism by default.

For Windows, go to Settings - Bluetooth - AutoPlay, and set everything to "Ask me every time".


You can also use Group Policy settings to disable autorun/autoplay organization-wide.

2. Improve Endpoint Security

Endpoints are devices like computers, laptops, and smartphones connected to your network.

Implementing endpoint detection and response (EDR) solutions to harden endpoint security can help prevent USB cryptomining attacks. EDR tools can detect and block obfuscated malicious scripts and monitor endpoints for anomalies.

If you don't work in a professional setting, you can consider installing a reputable antivirus program on your system. It will not only scan your USB drive for malicious scripts but will also likely have features that block cryptomining attacks.

3. Enhance Physical Security

Implementing strong physical security for USB ports prevents unauthorized access and protects against cryptomining as well as dangerous USB-based threats like USB kill attacks.

Ensure that the USB ports in your organization are accessible only to those who genuinely need them.

You should also adopt a policy of using write-protected USB drives only. These USB drives are read-only, meaning no one can delete, edit, or add data to them.

4. Train Your Employees

Training your employees in safe USB practices goes a long way toward protecting against USB-based attacks.

Make USB policies that:

  • Forbid the use of personal USB drives in the workplace and control BYOD
  • Educate employees on recognizing USB threats, such as USB drop attacks
  • Define a straightforward process for incident reporting

If a USB drive of unknown origin must be used, it should only be connected to an air-gapped system (a computer not connected to your network or the internet).

USB Devices Remain a Security Risk

USBs are a popular attack vector because USB-based attacks are easy to carry out.

A threat actor only needs to drop infected USB devices in common areas like your parking lot, reception, or restrooms. A curious employee may plug in a found USB just to see what's on it.

If you don't have proper USB security in place, the attacker instantly gains an entry point.

When 51% of malware attacks are designed for USBs, it is imperative that you take USB device security seriously.

To defend against USB-based attacks, you need to adopt a multi-layered approach. This includes installing reputable EDR solutions, enforcing strict USB policies, training employees, and strengthening the physical security of USB ports.

The post Plug In, Get Hacked: A USB Cryptomining Attack Exposed appeared first on Techreport.
