Massive Crypto Mining Cyber Campaign Spreads via USB Drives



A new and persistent cybersecurity threat, named Tangerine Turkey, has been identified as a major player in a widespread global crypto mining campaign. This Visual Basic Script (VBS) worm is capable of spreading through USB drives and covertly deploying mining malware to secretly generate cryptocurrency for cybercriminals.

Tangerine Turkey operates by exploiting a technique called DLL hijacking. It relocates the legitimate Windows printui.exe binary so that it loads the attacker's DLL, which delivers the payload. This method was uncovered by the cybersecurity firm Red Canary, which first detected the worm in November 2024. According to Red Canary’s analysis, the malware is part of a broader operation known as Universal Mining, a large-scale crypto mining effort that has already affected over 270,000 devices across 135 countries.

The malware deployed by Tangerine Turkey uses mining software such as XMRig and Zephyr Miner. XMRig is typically used for mining Monero, a popular privacy-focused cryptocurrency, while Zephyr Miner specifically targets Zephyr, a different type of coin. These tools run quietly in the background of compromised systems, harvesting processing power to mine cryptocurrency for the attackers without the user’s awareness.

The worm spreads by infecting USB drives, executing malicious scripts that manipulate system files. Experts recommend paying close attention to indicators of an infection, which include relocation of the printui.exe file and the appearance of unexpected folders and scripts.
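As an added illustration (not code from the article or from Red Canary), the routine below applies the two indicators named above to process-creation events: printui.exe running from somewhere other than the Windows system directory, and a .vbs script launched from a removable drive. The event fields, the trusted directories, the removable drive letter and the sample paths are all constructed assumptions.

```python
"""Triage constructed process-creation events for Tangerine Turkey indicators."""
import ntpath
import re
from dataclasses import dataclass

# Assumed legitimate homes of printui.exe; anything else counts as relocated.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_PATH = re.compile(r'([a-z]:\\[^"]*?\.vbs)', re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str          # full path of the started executable (constructed field)
    command_line: str   # its command line (constructed field)


def relocated_printui(ev: ProcEvent) -> bool:
    """Indicator 1: printui.exe executing outside the system directories."""
    if ntpath.basename(ev.image).lower() != "printui.exe":
        return False
    return ntpath.dirname(ev.image).lower() not in SYSTEM_DIRS


def vbs_from_removable(ev: ProcEvent, removable_drives: set) -> bool:
    """Indicator 2: a script host running a .vbs file stored on a removable drive.

    removable_drives holds lowercase drive letters such as "e:", assumed to be
    supplied by the endpoint agent that observed the USB device.
    """
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return False
    match = VBS_PATH.search(ev.command_line)
    return bool(match) and match.group(1)[:2].lower() in removable_drives


def triage(events, removable_drives):
    """Return (indicator, evidence) pairs for every event that matches."""
    findings = []
    for ev in events:
        if relocated_printui(ev):
            findings.append(("relocated_printui", ev.image))
        if vbs_from_removable(ev, removable_drives):
            findings.append(("vbs_from_removable_drive", ev.command_line))
    return findings


# Constructed sample events: one benign printui, one relocated copy,
# one .vbs run from the (assumed removable) E: drive, one from a fixed disk.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\printui.exe", "printui.exe /s"),
    ProcEvent(r"C:\Users\Public\Stage\printui.exe", "printui.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe //B "E:\update.vbs"'),
    ProcEvent(r"C:\Windows\System32\cscript.exe", r'cscript.exe "C:\Scripts\maint.vbs"'),
]
```

Running `triage(SAMPLE_EVENTS, {"e:"})` yields two findings, one per indicator; in practice the event stream would come from Sysmon or an EDR rather than the constructed list.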

The Universal Mining campaign, first reported by Azerbaijan’s CERT in October 2024, has flown largely under the radar despite its scale, reach and impact. Stef Rand, a cybersecurity expert at Red Canary, explained that the malware is still active and could be evolving with new variants. The ongoing operation continues to use VBS worms like Tangerine Turkey to gain access to systems for mining purposes.

As the Tangerine Turkey worm continues to affect systems globally, experts stress the importance of vigilance and regular security checks to detect and mitigate its impact. The worm’s ability to stay under the radar while generating cryptocurrency for its operators makes it a significant and ongoing threat to cybersecurity worldwide.