
Cybercriminals are actively spreading CoinMiner malware through USB drives, targeting workstations across South Korea to mine Monero cryptocurrency.
This ongoing campaign uses deceptive shortcut files and hidden folders to trick users into executing malicious scripts without their knowledge.
The attack leverages a combination of VBS, BAT, and DLL files that work together to install XMRig, a popular cryptocurrency mining tool, on infected systems.
On an infected drive the malware lives in a hidden folder named “sysvolume”; the only item the user sees at the drive root is a shortcut named “USB Drive.lnk”.
Double-clicking that shortcut starts the infection chain and, at the same time, opens a folder containing the user's original files.
Because the user still reaches their data as expected, the infection is hard to notice. ASEC security researchers identified this strain in their ongoing analysis of USB-based threats.
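A triage script for the lure described above, added here as an example (it is not part of the ASEC write-up). It walks every removable drive, lists hidden folders at the root, and resolves each root-level .lnk with the WScript.Shell COM object to see whether it launches a script interpreter or passes a .vbs/.bat argument. The interpreter list and the output layout are my assumptions; the page itself names only “sysvolume” and “USB Drive.lnk”.

```powershell
# Added example (not ASEC's code): find USB lure shortcuts of the kind described above.
# Assumptions: the lure is a .lnk at the drive root whose target, or whose arguments,
# invoke a script interpreter, and the drive's real content sits in a hidden folder
# beside it. The interpreter list is mine; the page names only "sysvolume" and "USB Drive.lnk".

$interpreters = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe', 'mshta.exe')
$shell = New-Object -ComObject WScript.Shell   # parses .lnk files without launching them

function Get-UsbLureShortcut {
    # DriveType 2 = removable disk
    foreach ($drive in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $root = $drive.DeviceID + '\'

        # Hidden folders at the root: the lure keeps the victim's files and its own
        # scripts in one so the drive looks empty apart from the shortcut.
        $hidden = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
            Select-Object -ExpandProperty Name

        foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)
            $targetName = [IO.Path]::GetFileName([string]$sc.TargetPath).ToLowerInvariant()
            $lnkArgs = [string]$sc.Arguments

            # Either the target is an interpreter, or the arguments hand a script to it.
            $suspicious = ($interpreters -contains $targetName) -or
                          ($lnkArgs -match '\.(vbs|vbe|bat|cmd|js|ps1)\b')

            [pscustomobject]@{
                Drive         = $drive.DeviceID
                Shortcut      = $lnk.Name
                Target        = $sc.TargetPath
                Arguments     = $lnkArgs
                HiddenFolders = ($hidden -join ', ')
                Suspicious    = $suspicious
            }
        }
    }
}

Get-UsbLureShortcut | Format-List
```

CreateShortcut only parses the .lnk, so the script is safe to run against a suspect drive, but treat Suspicious as a heuristic: a shortcut whose arguments merely mention a .bat file is a lead, not proof. If the drive is evidence, image it before touching it.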
The attackers have refined their techniques since earlier versions documented in February 2025, with Mandiant categorizing these threats as DIRTYBULK and CUTFAIL in their July 2025 report.
The infection begins when the user runs the shortcut, which executes a VBS script with a randomly generated name such as “u566387.vbs”.
That script in turn launches a BAT script that prepares the host: it adds Windows Defender exclusion paths for the malware's files and creates a directory named “C:\Windows \System32\” (note the space after “Windows”). The trailing space makes the path read like the real System32 folder in listings and to path-based checks while being a separate directory the attacker controls, which helps the dropped files evade detection.
The BAT script then copies the dropper into place under the name “printui.dll” and launches it through the legitimate, Microsoft-signed “printui.exe”, which picks up the attacker's DLL in place of the real one (DLL sideloading).
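The three host-side traces this stage leaves (new Defender exclusions, a directory whose name ends in a space, a printui.dll that is not the real one) can be checked with the script below, added here as an example rather than taken from the ASEC analysis. It assumes the look-alike directory is created directly under C:\, that the renamed dropper is staged there or under a user-writable root, and that the genuine DLL is %SystemRoot%\System32\printui.dll; those staging locations are my guesses, not details from the page.

```powershell
# Added example (not ASEC's code): host-side checks for the traces the BAT stage leaves.
# Assumptions: the look-alike directory is created directly under C:\ with a trailing
# space in its name; the renamed dropper is staged there or under a user-writable
# root; the genuine DLL is %SystemRoot%\System32\printui.dll.

function Get-DefenderExclusionPath {
    # Exclusions a dropper adds for itself are visible to any local administrator.
    (Get-MpPreference).ExclusionPath
}

function Get-TrailingSpaceDirectory([string]$Parent = 'C:\') {
    # Explorer and normal path handling hide the trailing space; the raw name
    # returned by enumeration still carries it.
    Get-ChildItem -LiteralPath $Parent -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
        Select-Object -ExpandProperty FullName
}

function Get-Sha256([string]$Path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') } finally { $fs.Dispose() }
}

function Find-PrintuiDll([string[]]$Roots) {
    # The \\?\ prefix bypasses Win32 path normalisation, which would otherwise strip
    # the space from "C:\Windows \" and send us into the real Windows directory.
    $reference = Get-Sha256 "$env:SystemRoot\System32\printui.dll"
    foreach ($root in $Roots) {
        try {
            foreach ($file in [IO.Directory]::EnumerateFiles('\\?\' + $root, 'printui.dll', [IO.SearchOption]::AllDirectories)) {
                $hash = Get-Sha256 $file
                [pscustomobject]@{
                    Path          = "[$file]"               # brackets make a trailing space visible
                    SHA256        = $hash
                    MatchesSystem = ($hash -eq $reference)  # a byte-identical copy is not the dropper
                }
            }
        } catch { Write-Warning "cannot enumerate [$root]: $($_.Exception.Message)" }
    }
}

'--- Defender exclusion paths ---'
Get-DefenderExclusionPath

'--- directories under C:\ whose name ends in a space ---'
$spaced = @(Get-TrailingSpaceDirectory)
$spaced | ForEach-Object { "[$_]" }

'--- printui.dll outside System32 (hash compared with the real one) ---'
Find-PrintuiDll -Roots ($spaced + @($env:TEMP, $env:ProgramData, $env:PUBLIC, $env:USERPROFILE)) | Format-Table -AutoSize
```

The hash comparison is the decisive signal: a renamed dropper will never match the genuine printui.dll, whereas a stray but byte-identical copy is noise. The `\\?\` prefix is passed straight through by PowerShell 7; on Windows PowerShell 5.1 older .NET Framework path handling may reject it, in which case enumerate the space-named directory from cmd.exe with the same prefix.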
Infection Mechanism and Persistence Tactics
The dropper component establishes persistence by registering a DLL with the DcomLaunch service.
Once registered, the component ASEC tracks as PrintMiner changes the system power settings so the machine never sleeps, then contacts its command-and-control servers to download encrypted payloads.
The decrypted files include XMRig, configured with the following arguments, which point it at a pool on port 443 over TLS and cap it at half the CPU:
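The write-up says the dropper registers a DLL with DcomLaunch but not how. The script below, an added example and not ASEC's code, audits the registry value that decides which DLL svchost loads for DcomLaunch (and every other svchost-hosted service) and reads back the sleep-idle setting the miner tampers with. It assumes the registration shows up as a ServiceDll value under the service's Parameters key and that the stock DcomLaunch DLL is rpcss.dll in System32; the first of those is an assumption about a mechanism the page does not describe.

```powershell
# Added example (not ASEC's code): audit which DLL the DcomLaunch service loads and
# check the sleep settings the miner changes. Assumptions: the registration is visible
# as a ServiceDll value under the service's Parameters key (the write-up does not say
# how PrintMiner registers its DLL), and the stock DcomLaunch DLL is rpcss.dll in System32.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = "$env:SystemRoot\System32\"

function Get-ServiceDllPath([string]$ServiceName) {
    $params = Join-Path $servicesKey "$ServiceName\Parameters"
    $raw = (Get-ItemProperty -LiteralPath $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) }
}

function Test-ServiceDllLocation {
    # Every svchost-hosted service: the DLL should resolve into the real System32 and
    # the recorded path must not pass through a directory whose name ends in a space.
    foreach ($svc in Get-ChildItem -LiteralPath $servicesKey -ErrorAction SilentlyContinue) {
        $dll = Get-ServiceDllPath $svc.PSChildName
        if (-not $dll) { continue }
        $inSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $spaceTrick = $dll -match ' \\'
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ServiceDll = "[$dll]"
            Suspicious = (-not $inSystem32) -or $spaceTrick
        }
    }
}

function Get-SleepIdleSetting {
    # powercfg prints "Current AC Power Setting Index: 0x0000012c" (seconds); 0 = never sleep.
    $text = (powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null) -join "`n"
    $setting = @{}
    foreach ($src in 'AC', 'DC') {
        $m = [regex]::Match($text, "Current $src Power Setting Index:\s*0x([0-9A-Fa-f]+)")
        $setting[$src] = if ($m.Success) { [Convert]::ToInt32($m.Groups[1].Value, 16) } else { $null }
    }
    [pscustomobject]@{ SleepAfterSecAC = $setting.AC; SleepAfterSecDC = $setting.DC }
}

'DcomLaunch ServiceDll: [' + (Get-ServiceDllPath DcomLaunch) + ']   (stock: ' + $system32 + 'rpcss.dll)'
Test-ServiceDllLocation | Where-Object Suspicious | Format-Table -AutoSize
Get-SleepIdleSetting
'--- processes holding a power request that keeps the host awake ---'
powercfg /requests
```

Expect some third-party services to keep their ServiceDll outside System32 legitimately; review what is flagged rather than treating every hit as malicious. `powercfg /requests` needs an elevated prompt, and the regex matches the English output of powercfg only.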
-o r2.hashpoolpx[.]net:443 --tls --max-cpu-usage=50
The malware also watches the process list and kills XMRig whenever the user starts a game or a process monitoring tool such as Process Explorer, Task Manager, or System Informer.
Pausing the miner both hides it from the tools a curious user would reach for and avoids the slowdown that would prompt them to look in the first place. USB-based delivery remains effective when paired with social engineering of this kind.
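Because the miner stops itself as soon as one of the named monitoring tools appears, the practical counter is to sample from something it is not looking for. The script below, an added example and not ASEC's code, diffs per-process CPU time between two Get-Process snapshots and logs the busy processes together with their established connections; run it from a scheduled task or a remote PowerShell session rather than an interactive console. The 20% threshold, the sample count and the port-443 flag are my choices (the port matches the pool argument quoted above), and the kill list on this page may not be complete.

```powershell
# Added example (not ASEC's code): a non-interactive CPU sampler. The miner exits when
# Task Manager, Process Explorer or System Informer is running, so collect from a
# process it is not watching for (this script under a scheduled task or a remote
# PowerShell session) and log who is busy and where they connect. The 20% threshold,
# the sample count and the port-443 flag are my choices; the port matches the pool
# argument quoted above.

function Get-BusyProcessSample {
    param(
        [int]$Samples = 6,
        [int]$IntervalSec = 10,
        [double]$CpuPercentThreshold = 20
    )
    $cores = [Environment]::ProcessorCount

    for ($i = 1; $i -le $Samples; $i++) {
        # Snapshot CPU time per PID, wait, then diff against a fresh snapshot.
        $before = @{}
        foreach ($p in Get-Process) {
            try { $before[$p.Id] = $p.TotalProcessorTime } catch { }  # some system processes deny access
        }
        Start-Sleep -Seconds $IntervalSec

        foreach ($p in Get-Process) {
            if (-not $before.ContainsKey($p.Id)) { continue }        # started during the interval
            try { $now = $p.TotalProcessorTime } catch { continue }
            $used = ($now - $before[$p.Id]).TotalSeconds
            if ($used -lt 0) { continue }                              # PID reused by a new process
            $pct = 100 * $used / ($IntervalSec * $cores)
            if ($pct -lt $CpuPercentThreshold) { continue }

            $path = try { $p.Path } catch { $null }
            $remote = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
                      ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

            [pscustomobject]@{
                Sample     = $i
                Time       = (Get-Date).ToString('s')
                Pid        = $p.Id
                Name       = $p.ProcessName
                Path       = $path
                CpuPercent = [math]::Round($pct, 1)
                Remote     = ($remote -join ' ')
                Port443    = [bool]($remote | Where-Object { $_ -match ':443$' })
            }
        }
    }
}

$samples = Get-BusyProcessSample
$samples | Export-Csv -NoTypeInformation -Append -Path "$env:ProgramData\busy-sample.csv"
$samples | Format-Table -AutoSize
```

A miner capped at 50% of the CPU shows up as a steady, sustained consumer across every sample, unlike a compiler or a browser tab that spikes and drops. Port443 is only a prompt to look closer: plenty of legitimate software holds TLS connections on 443, but a process you do not recognise doing so while burning half the CPU is exactly the profile the configuration quoted above produces.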
