Current Cyber Threats

USB Malware Campaign Spreads Cryptominer Worldwide

Summary:
CyberProof MDR analysts investigated a cryptomining incident that originated from an infected USB device, uncovering a multi-stage attack sequence designed to establish persistence and deliver a miner payload. The attack combined DLL sideloading with PowerShell to bypass endpoint defenses, and further analysis linked the malware to the well-known XMRig/Zephyr cryptomining kill chain. Fortunately, the organization’s endpoint detection solution blocked the miner during the final stages, preventing full execution. The initial compromise began when a malicious script stored on the USB was executed, setting off a chain of system process launches. These processes were used to copy and disguise files within protected system directories, sometimes creating misleading folder paths with subtle alterations (for example, an added space in a Windows directory) to evade detection. A decoy binary in these directories was later used to load a rogue DLL, which contained code to download and execute the cryptominer. This sideloading technique allowed the attackers to piggyback on trusted processes while hiding their malicious components in plain sight.


Security Officer Comments:
Intelligence gathering revealed the activity has been observed worldwide, with cases reported across North America, Europe, Asia, and Africa. Impacted countries included the United States, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia, and Australia. The campaign has primarily affected organizations in critical industries such as finance, education, healthcare, manufacturing, telecom, and oil & gas. These findings tie back to Azerbaijan’s CERT disclosure in October 2024 about the “Universal Mining” scheme, which described large-scale, international cryptomining activity using similar infection vectors.


Suggested Corrections:
Key Recommendations to Protect Your Network
  • Disable Autorun and Autoplay: The most critical first step is to prevent drives from automatically running executable code when they are connected. You can enforce this across your network using Group Policy or by adjusting registry settings.
  • Implement Device Control: Go beyond disabling autorun. Block the use of untrusted or unsigned processes that attempt to run from USB devices. This can prevent malicious scripts and executables from ever launching.
  • Harden Endpoint Security: Implement robust endpoint detection and response (EDR) solutions that can block potentially obfuscated scripts and monitor for anomalous behavior. Configure your security policies to block executable files from running unless they meet specific criteria, such as being on a trusted list.
  • Protect Critical System Processes: Use security controls to block malicious attempts to steal credentials from the Windows Local Security Authority Subsystem (lsass.exe), a common target for attackers looking to escalate privileges.
  • Enforce Physical Security: Don’t forget about the physical world. Use physical security measures to prevent unauthorized USB devices from being connected to critical systems. For example, using write-protected USB drives and locking ports can be highly effective.
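A way to audit and enforce the autorun/AutoPlay hardening above and to hunt for the look-alike system folders described in the summary, as an added PowerShell example that is not part of the original bulletin or of CyberProof's tooling; the registry values are the documented Explorer policy values behind the corresponding Group Policy settings, and the folder-name heuristic is an assumption built on the "added space in a Windows directory" behaviour the summary describes (run from an elevated shell):

```powershell
# Added example, not from the article. Audits the Explorer policy values that
# disable AutoRun/AutoPlay, optionally enforces them, and flags root folders
# that imitate "Windows" with extra whitespace (the trick named in the summary).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# NoDriveTypeAutoRun 0xFF: no AutoRun on any drive type
# NoAutorun 1: autorun.inf commands are never honoured
# NoAutoplayfornonVolume 1: no AutoPlay for non-volume devices (e.g. MTP/cameras)
$Expected = @{
    NoDriveTypeAutoRun     = 0xFF
    NoAutorun              = 1
    NoAutoplayfornonVolume = 1
}

function Test-AutorunHardening {
    # Returns one row per setting so a gap shows up as Hardened = False.
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Hardened = ($actual -eq $Expected[$name])
        }
    }
}

function Set-AutorunHardening {
    # Writes the expected values; equivalent to setting the matching GPOs.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $Expected[$name] -Type DWord
    }
}

function Find-LookalikeSystemFolders {
    # Assumption: a folder whose name trims to "Windows" but is not exactly
    # "Windows", or any name with leading/trailing whitespace, is a look-alike
    # path worth inspecting (normal Win32 file APIs refuse trailing spaces).
    param([string]$Root = 'C:\')
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -ne $_.Name.Trim()) -or
            ($_.Name.Trim() -ieq 'Windows' -and $_.Name -cne 'Windows')
        } |
        Select-Object FullName, CreationTime, LastWriteTime
}

Test-AutorunHardening | Format-Table -AutoSize
Find-LookalikeSystemFolders
```

Any folder returned by Find-LookalikeSystemFolders should be reviewed together with the executables and DLLs inside it, since the sideloading chain in the summary relies on a decoy binary placed in exactly such a path.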
Link(s):
https://www.infosecurity-magazine.com/news/usb-malware-spreads-cryptominer/