Tangerine Turkey: Cryptocurrency Mining Worm Unveiled in Global Campaign 

By Kirsten Doyle, February 4, 2025, 5 Mins Read

A new threat actor, dubbed Tangerine Turkey by Red Canary’s intelligence team, is attracting attention thanks to its sophisticated use of a Visual Basic Script (VBScript) worm that delivers a crypto mining payload.  

First seen in November 2024, Tangerine Turkey's activity is still evolving, and by December 2024 it had entered Red Canary's top 10 threat rankings.

The worm, which spreads via USB devices, is part of a much broader and growing crypto-mining campaign that has targeted victims worldwide. 

What is Tangerine Turkey? 

Tangerine Turkey uses a series of technical steps to execute its payload: 

  1. A VBScript file is executed from a folder named “rootdir” on a USB drive, typically with a filename that starts with “x” followed by six random digits (e.g., WScript.exe “D:\rootdir\x644291.vbs”). 
  2. A BAT file with a similar naming convention is then executed from the same USB, typically via a CMD child process. 
  3. The worm creates a folder named C:\Windows \System32 (note the trailing space after “Windows”, which makes it a look-alike of the real directory) and copies a legitimate printui.exe binary into it. 
  4. The malware then drops DAT and printui.dll files in the same directory to facilitate DLL side-loading for further exploitation. 

Research into the execution chain has unearthed a connection to a more extensive cryptocurrency mining operation, with Zephyr Miner being one of the known payloads. In particular, some of the XMRig payloads observed in the binaries suggest the involvement of Monero cryptocurrency mining.  

Links to Physical Shops 

Interestingly, Stef Rand, Senior Intelligence Analyst at Red Canary, said when they began digging into this scourge, they found a report from February 2024 from someone who used their USB to make copies in a print shop in Turkey.  

“When they put it back into their own machine, they detected activity that looked similar to Tangerine Turkey. This indicates a strong possibility the operation could be linked to physical shops or internet cafes where adversaries can take advantage of unsuspecting users plugging USBs into and out of public machines. While that’s a slower and lower-volume way of distributing malware than a phishing campaign, it makes it self-distributing and more difficult to trace – which makes it lower risk from the adversary’s perspective.” 

Part of a Global Cryptomining Campaign 

Tangerine Turkey is not operating in isolation. The worm is believed to be part of a broader campaign that has spread its tentacles across multiple regions, including a large-scale Universal Mining operation uncovered by Azerbaijan’s CERT in October 2024.  

The investigation traced more than 270,000 infected machines across 135 countries, all linked to a global network distributing crypto-mining malware via USB drives. 

Tangerine Turkey shares clear overlaps with the Universal Mining operation, which also used VBScript files to begin the infection chain. In particular, it uses legitimate files like PostgreSQL client libraries to store critical information and manage remote resources. The Universal Mining operation also demonstrated its ability to hijack PostgreSQL databases for configuring the crypto mining payload. 

Interestingly, XMRig (a well-known mining software) is being deployed by Tangerine Turkey to mine Monero. While the malware does not create configuration files locally, additional research revealed that the configuration data for XMRig is being retrieved from adversary-controlled resources, including GitHub repositories and domains like rootunv[.]com. 

Key Indicators and Detection 

Security analysts have sounded the alarm over the widespread nature of this worm’s activity, with the potential for more variants emerging as the operation expands. Key indicators of compromise (IOCs) include the relocation of printui.exe outside of the System32 directory, which is abnormal and suspicious behavior.  

This is a key detection opportunity to identify compromised systems, as DLL hijacking and side-loading are hallmarks of this threat. 
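As an added example (not code from the article or from Red Canary), the execution chain and the detection opportunity described above expressed as checks run over constructed process-creation events: a script launched from a USB “rootdir” folder with the x-plus-six-digits name, printui.exe running from anywhere other than the real System32, and a path component carrying trailing whitespace such as the “Windows ” folder. The sample events, the BAT filename and the C: system drive are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not from the article or Red Canary);
# a real pipeline would read these from Sysmon / EDR telemetry. Event 3 is benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'WScript.exe "D:\rootdir\x644291.vbs"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "D:\rootdir\x644291.bat"'},   # hypothetical BAT name
    {"image": "C:\\Windows \\System32\\printui.exe",      # note the space after "Windows"
     "cmdline": "printui.exe"},
    {"image": r"C:\Windows\System32\printui.exe",           # legitimate location
     "cmdline": "printui.exe /s"},
]

# Script launched from <drive>:\rootdir\x<six digits>.vbs or .bat, as the article describes.
ROOTDIR_SCRIPT = re.compile(r"[A-Za-z]:\\rootdir\\x\d{6}\.(?:vbs|bat)\b", re.IGNORECASE)

# Assumption: the system drive is C:; adjust if %SystemRoot% lives elsewhere.
REAL_SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

def printui_outside_system32(image: str) -> bool:
    """True when a process named printui.exe runs from anywhere but the real System32."""
    p = PureWindowsPath(image)
    if p.name.lower() != "printui.exe":
        return False
    return str(p.parent).lower() != str(REAL_SYSTEM32).lower()

def whitespace_in_path_component(image: str) -> bool:
    """True when any directory or file name has leading/trailing whitespace
    (the look-alike Windows-with-trailing-space folder trips this)."""
    return any(part != part.strip() for part in PureWindowsPath(image).parts)

def classify(event: dict) -> list:
    """Return the names of the detections that fire for one event (empty if none)."""
    hits = []
    if ROOTDIR_SCRIPT.search(event["cmdline"]):
        hits.append("script_from_usb_rootdir")
    if printui_outside_system32(event["image"]):
        hits.append("printui_outside_system32")
    if whitespace_in_path_component(event["image"]):
        hits.append("whitespace_in_path_component")
    return hits

def scan(events: list) -> dict:
    """Map event index -> firing detections, keeping only events that fire."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```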

Several GitHub repositories were linked to the operation but have since been taken down. These were used to distribute configuration files for the XMRig payload and other components of the illicit operation. 

The Bigger Picture 

Looking ahead, Rand says: “External USB drives delivering malicious payloads—like worms and crypto miners—are still a surprisingly common problem in information security. What’s interesting here is that what initially looked like a new crypto-mining worm bears a strong similarity to a larger global operation uncovered by Azerbaijan’s CERT in October 2024. That investigation has so far traced 270,000 infections across 135 countries, attributed to what the Azerbaijan CERT has dubbed the ‘Universal Mining Operation.’ That suggests that Tangerine Turkey could be much more widespread than we first thought.” 

Rand further explained the potential risks for those infected by the worm: “Cryptomining can consume significant amounts of CPU, so those infected by Tangerine Turkey could see their system performance impacted, as well as their energy costs increasing. The biggest risk they face, however, is the unauthorized access that adversaries gain to their endpoints. While the payload we’re seeing for now is for crypto mining, adversaries could theoretically switch it for something more nefarious in the future when Tangerine Turkey reaches out to retrieve code from remote resources.” 

A Call for Vigilance and Action 

Given the complexity and scale of the Tangerine Turkey campaign, Red Canary urges entities to be vigilant and take proactive steps to detect and mitigate the threat. USB drives are a significant vector for malware distribution, and businesses should not underestimate them. USB security protocols should be strictly enforced. 

Red Canary is actively continuing research into this and similar threats and encourages other researchers to report any new findings. It is clear that Tangerine Turkey is far from an isolated case—its scope and sophistication suggest it is part of a larger, more pervasive problem in the cybersecurity landscape. 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
