Tangerine Turkey Exploits VBS and BAT Scripts in Cryptomining Scheme
Tangerine Turkey is a Visual Basic Script (VBS) worm identified by Red Canary and first observed in November 2024, used to facilitate cryptomining. The worm spreads primarily through USB drives and employs a "printui" dynamic link library (DLL) hijack to deliver its cryptomining payload. In December 2024, Tangerine Turkey ranked 8th among the notable threats tracked by Red Canary, a list that also includes DarkGate, Mimikatz, and PlugX. Red Canary's observations indicate a potential overlap between Tangerine Turkey and previously identified campaigns such as Zephyr Miner.
The attack chain begins with 'wscript.exe' executing a VBS file from a USB drive. The VBS file launches a batch (BAT) script, so 'wscript.exe' is seen spawning a 'cmd.exe' process to run the BAT script. The batch script then uses masquerading: it creates a rogue directory, 'C:\Windows \System32', that mimics the legitimate Windows system folder and differs from it only by a trailing space after 'Windows'. Next, the script uses the "xcopy" command to copy the legitimate, signed "printui.exe" binary from the real "C:\Windows\System32" directory into the look-alike directory. A malicious "printui.dll" and accompanying DAT files are placed alongside it; because an application's own directory is searched before the system directory when resolving a DLL, the copied "printui.exe" side-loads the attacker's "printui.dll" instead of the legitimate one, letting the cryptomining payload run under the cover of a trusted Windows binary.
Red Canary's analysis also suggests potential links between Tangerine Turkey and the Universal Mining operation reported by Azerbaijan's CERT in October 2024. Both campaigns share USB-based propagation and VBS execution. The Universal Mining operation infected over 270,000 computers in 135 countries and used a PostgreSQL client library to connect to remote servers and configure cryptominers. Notably, Red Canary's detection rules for XMRig fired during analysis of the malware, indicating that Tangerine Turkey's payload is often the XMRig cryptomining software. Further analysis is required before Tangerine Turkey can be definitively tied to either Zephyr Miner or Universal Mining.