Tangerine faire de largent

Author: Admin | 2025-04-28

Editors’ note: This blog was updated on January 30, 2025 to include additional technical details and indicators of compromise.

Tangerine Turkey is Red Canary’s name for a Visual Basic Script (VBScript) worm that delivers a cryptomining payload. We first observed this activity in November 2024 (hence the choice of “turkey” for our typical color + bird naming convention). In December 2024, Tangerine Turkey cracked our top 10 threat rankings at #8, which we cover in our January 2025 Intelligence Insights. Our research into the activity cluster revealed a connection to a widespread, albeit relatively under-reported, cryptocurrency mining campaign that is still going strong, possibly with new malware variants.

What is Tangerine Turkey?

Delivered via USB, the Tangerine Turkey worm uses a printui dynamic link library (DLL) hijack to deliver cryptomining malware. The Red Canary Intelligence team has observed the following execution chain:

1. A VBScript file executed from a folder named rootdir on a USB drive; the filename begins with an x followed by six random digits, for example: WScript.exe "D:\rootdir\x644291.vbs"
2. A BAT file with a naming convention similar to the VBScript file, executed via a CMD child process of wscript, for example: cmd.exe /c "D:\rootdir\x138621.bat"
3. Creation of a folder named C:\Windows \System32 (note the trailing space after \Windows)
4. Use of xcopy to place a copy of the legitimate printui.exe binary from the legitimate C:\Windows\System32 into the newly created malicious C:\Windows \System32 directory
5. DAT and printui.dll files created in C:\Windows \System32, to be used for DLL side-loading

Connecting Tangerine Turkey to a worldwide campaign

The details above are as far in the execution chain as we have directly observed. In our initial research we found a reference to malware matching Tangerine Turkey from February 2024. A post on a Turkish-language tech forum documented some of the above activity after the poster inserted a USB drive they had used in a copier at a “stationery store.” Then
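As an added, defender-side illustration (not code from Red Canary or from the original post), the Python below turns the execution-chain artifacts listed above into detection rules and runs them over constructed sample process and file events; the event field names and the exact xcopy command line are assumptions, not observed values.

```python
import re

# Constructed sample telemetry (not from the original post), shaped like process-creation
# and file-creation events. The xcopy command line is an assumed form, not a quoted one.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe",
     "cmdline": 'WScript.exe "D:\\rootdir\\x644291.vbs"'},
    {"type": "process", "parent": "wscript.exe",
     "cmdline": 'cmd.exe /c "D:\\rootdir\\x138621.bat"'},
    {"type": "process", "parent": "cmd.exe",
     "cmdline": 'xcopy /y C:\\Windows\\System32\\printui.exe "C:\\Windows \\System32\\"'},
    {"type": "file", "path": "C:\\Windows \\System32\\printui.dll"},
    {"type": "process", "parent": "explorer.exe",   # benign: not under \rootdir, no x + 6 digits
     "cmdline": 'WScript.exe "C:\\Users\\alice\\backup.vbs"'},
]

# One pattern per artifact in the execution chain. SPOOFED_DIR keys on the
# trailing space after "Windows", which the real System32 path never has.
VBS_LAUNCH = re.compile(r'wscript\.exe\s+"?[a-z]:\\rootdir\\x\d{6}\.vbs"?', re.I)
BAT_LAUNCH = re.compile(r'cmd\.exe\s+/c\s+"?[a-z]:\\rootdir\\x\d{6}\.bat"?', re.I)
SPOOFED_DIR = re.compile(r'[a-z]:\\windows \\system32', re.I)
PRINTUI_COPY = re.compile(r'xcopy\b.*printui\.exe.*windows \\system32', re.I)

def classify(event):
    """Return the indicator names a single event matches (empty list if none)."""
    hits = []
    text = event.get("cmdline") or event.get("path") or ""
    if event["type"] == "process":
        if VBS_LAUNCH.search(text):
            hits.append("vbs_from_usb_rootdir")
        if BAT_LAUNCH.search(text) and event.get("parent", "").lower() == "wscript.exe":
            hits.append("bat_via_cmd_from_wscript")
        if PRINTUI_COPY.search(text):
            hits.append("printui_exe_copied_to_spoofed_system32")
    elif event["type"] == "file":
        if SPOOFED_DIR.search(text) and text.lower().endswith(("printui.dll", ".dat")):
            hits.append("sideload_artifact_in_spoofed_system32")
    # Any other reference to the spoofed directory is still worth a lower-severity flag.
    if not hits and SPOOFED_DIR.search(text):
        hits.append("spoofed_system32_path_referenced")
    return hits

def analyze(events):
    """Return the set of indicator names observed across a batch of events."""
    return {hit for ev in events for hit in classify(ev)}

if __name__ == "__main__":
    for name in sorted(analyze(SAMPLE_EVENTS)):
        print(name)
```

Seeing two or more of these indicators on one host within a short window is a much stronger signal than any single one, since the spoofed-directory check alone will also fire on the xcopy step.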