A multi-stage USB cryptomining attack uses DLL hijacking and PowerShell to install hidden miners on your computer.
The most targeted industries include financial, healthcare, education, and telecom sectors.
EDR tools, strict USB usage policies, and regular employee awareness training are effective in mitigating such USB-based attacks.
A multi-stage USB cryptomining attack is currently underway. If successful, it can allow cybercriminals to use your system to mine cryptocurrency without your knowledge.
According to CyberProof’s findings, an infected USB device could lead to a backdoor infection and allow cryptomining through a multi-stage attack.
The cybersecurity firm confirmed that organizations managed to block the attack in its final stages using endpoint detection and response (EDR) tools. We will break down the full story below for a clear understanding.
🚨 Threat Advisory: CyberProof Managed Detection & Response (MDR) analysts detected an infected USB device that triggered a multi-stage attack chain, leveraging DLL search hijacking and PowerShell to bypass defenses. If left unchecked, it could lead to a backdoor infection and… pic.twitter.com/hK882nSD5z
The CyberProof research team found that the USB malware attack is not new. It is linked to a previously reported crypto miner, theorized to be either Zephyr or XMRig.
In fact, they found that the tactics, techniques, and procedures (TTPs) used in the attack are similar to those of other cryptominer campaigns dating back to October 2024.
Tangerine Turkey – The Preceding Cryptominer
One of these cryptominers, Tangerine Turkey, was a notorious worm written in VBScript that made #8 on Red Canary’s top 10 worldwide threats in 2024. Just like the one discovered now, Tangerine Turkey used a DLL hijack to deliver the cryptomining payload to infected devices.
The attack is triggered by an infected USB carrying a malicious VBScript. When the script is executed, it triggers a chain of processes, eventually downloading a malicious cryptominer on the user’s system.
A malicious cryptominer—also known as a cryptojacker—is malware that secretly hijacks a victim’s computer resources, such as CPU, GPU, and electricity, to mine cryptocurrency on behalf of an attacker.
The complete process involves multiple steps, from the initial USB infection to the script execution, batch file activation, and eventually the cryptominer download.
Here’s a more detailed breakdown of how this USB cryptomining attack works, from its initial stage until successful infiltration and cryptominer installation.
Step 1: USB Infection Begins
A user plugs in an infected USB drive and unknowingly runs a VBScript file (named like x123456.vbs) stored in the USB’s rootdir folder. The script executes through Windows Script Host (wscript.exe).
Windows Script Host (wscript.exe) is a Windows tool that runs script files such as VBScript (.vbs) or JScript (.js) directly on the system.
Step 2: Command Chain Activation
The VBScript then launches a batch file with a similar name (e.g., x123456.bat) through Command Prompt (cmd.exe), which runs as a child process of wscript.exe. This begins the automated file manipulation stage.
A batch file (.bat) is a plain text file containing a list of commands that Windows runs one after another through Command Prompt.
Step 3: File Copying and Directory Creation
The batch file uses xcopy.exe (a Windows command-line tool for copying files and folders) to perform two key actions:
It copies the legitimate printui.exe from C:\Windows\System32 into a newly created look-alike directory, C:\Windows \System32 (note the extra space).
It places a malicious .dat file inside this fake directory.
Step 4: DLL Hijacking Setup
The .dat file is renamed to printui.dll in the fake directory. When the copied printui.exe runs from this location, Windows loads the malicious printui.dll instead of the legitimate one from the real System32 folder. This happens because of DLL search order rules.
When a program runs and needs a DLL (Dynamic-Link Library), Windows follows a specific order to locate it. By default, the first place it checks is the folder where the program’s EXE is located.
The malicious printui.dll contains code designed to download a cryptominer.
If you find the above explanation too technical, here’s a simple analogy to help you understand the attack chain.
Imagine you keep your medicine in a cabinet. One day, someone sneaks in and places a fake bottle that looks just like your real medicine. When you reach for it, you grab the fake one first, because it’s right there in your cabinet.
And just like the fake medicine bottle, Windows runs the hacker’s fake file first because it’s sitting right where Windows expects the real one to be.
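As an added example (not code from the CyberProof report or from this article), the Python below applies three tell-tales from the attack chain above to constructed, Sysmon-style process-creation events: wscript.exe spawning cmd.exe to run a batch file from a non-system drive, xcopy writing into a directory whose name carries padding whitespace, and a System32-named binary executing from a path that is not the real System32. The event field names, rule names, drive-letter heuristic and sample events are assumptions.

```python
import re
from pathlib import PureWindowsPath

REAL_SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# A directory name followed by whitespace and then a separator, e.g. "Windows \".
PADDED_DIR = re.compile(r"\S\s+\\")
# Hypothetical heuristic: a .bat referenced on a drive other than C: (removable media).
BAT_ON_OTHER_DRIVE = re.compile(r'\b[D-Z]:\\[^"\s]*\.bat\b', re.IGNORECASE)

# Constructed sample events (not real telemetry); 0-2 reflect the chain described above.
EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c E:\rootdir\x123456.bat"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy /Y C:\Windows\System32\printui.exe "C:\Windows \System32\"'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows \System32\printui.exe",
     "cmdline": r'"C:\Windows \System32\printui.exe"'},
    # Benign: the genuine printui.exe launched from the real System32.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\printui.exe",
     "cmdline": r"printui.exe /s"},
]


def is_fake_system32(image):
    """True if the binary's folder is named System32 (ignoring case and padding)
    but is not the real C:\\Windows\\System32, i.e. a DLL search-order decoy."""
    p = PureWindowsPath(image)
    return p.parent.name.strip().lower() == "system32" and p.parent != REAL_SYSTEM32


def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    hits = []
    if parent == "wscript.exe" and image == "cmd.exe" and BAT_ON_OTHER_DRIVE.search(cmd):
        hits.append("vbscript_launches_batch_from_removable_drive")
    if image == "xcopy.exe" and PADDED_DIR.search(cmd):
        hits.append("xcopy_into_lookalike_system_directory")
    if is_fake_system32(event["image"]):
        hits.append("system_binary_running_outside_real_system32")
    return hits


def detect(events):
    """Map event index -> rule hits, omitting events that trigger nothing."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}


if __name__ == "__main__":
    for idx, hits in detect(EVENTS).items():
        print(idx, EVENTS[idx]["image"], hits)
```

Each rule on its own is noisy; the chain becomes high-confidence when the same host fires all three in sequence, which is the correlation an EDR would alert on.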
CyberProof tracked and analyzed indicators of compromise (IOCs), which are red flags that help detect cyberattacks, to assess the prevalence of the USB cryptomining attack.
The team mapped the geographical distribution of the attack; affected countries include the US, Australia, and Italy.
Source: CyberProof
According to CyberProof research, this USB cryptomining attack was most prevalent in the following sectors:
Financial institutions
Educational institutes
Healthcare industry
Manufacturing sector
Telecom industry
Oil and gas
Although attackers and cybercriminals rarely discriminate, employees working in the above industries should be particularly alert to potential threats.
How to Stay Safe from USB Cryptomining Attacks
While USB-based cryptomining attacks are particularly insidious, they’re not impossible to protect against. For one, avoid plugging unknown USB drives into your computer—you never know if they’re infected.
Here are some more tips to protect from USB malware attacks.
1. Disable Autorun/Autoplay
Disabling autorun/autoplay prevents the automatic execution of programs on a USB device when you plug it in. While it’s easy to disable autorun/autoplay on a Windows PC, the latest macOS doesn’t have an autorun mechanism by default.
For Windows, go to Settings – Bluetooth – AutoPlay, and set everything to ‘Ask me every time.’
You can also use Group Policy settings to disable autorun/autoplay organization-wide.
2. Improve Endpoint Security
Endpoints are devices like computers, laptops, and smartphones connected to your network.
Implementing endpoint detection and response (EDR) solutions to harden endpoint security can help prevent USB cryptomining attacks. EDR tools can detect and block obfuscated malicious scripts and monitor endpoints for anomalies.
If you don’t work in a professional setting, you can consider installing a reputable antivirus program on your system. It will not only scan your USB drive for malicious scripts but will also likely have features that block cryptomining attacks.
3. Enhance Physical Security
Implementing strong physical security for USB ports prevents unauthorized access and protects against cryptomining as well as dangerous USB-based threats like USB kill attacks.
Ensure that the USB ports in your organization are accessible only to those who genuinely need them.
You should also make a policy to use write-protected USB drives only. These USB drives are read-only, meaning no one can delete, edit, or add data to them.
4. Train Your Employees
Training your employees in safe USB practices goes a long way toward protecting against USB-based attacks.
Make USB policies that:
Forbid the use of personal USB drives in the workplace and control BYOD
Educate employees on recognizing USB threats, such as USB drop attacks
Define a straightforward process for incident reporting
If a USB drive of unknown origin must be used, it should only be connected to an air-gapped system (a computer device not connected to your network or the internet).
USB Devices Remain a Security Risk
USBs are a popular attack vector because USB-based attacks are easy to carry out.
A threat actor only needs to drop infected USB devices in common areas like your parking lot, reception, or restrooms. A curious employee may plug in a found USB just to see what’s on it.
If you don’t have proper USB security in place, the attacker instantly gains an entry point.
When 51% of malware attacks are designed for USBs, it is imperative that you take USB device security seriously.
To defend against USB-based attacks, you need to adopt a multi-layered approach. This includes installing reputable EDR solutions, enforcing strict USB policies, training employees, and strengthening the physical security of USB ports.
Sandeep Babu is a cybersecurity writer with over four years of hands-on experience.