Showing posts with the label tangerine turkey

303. Hunting for Replication Through Removable Media

Hello everyone! It may not be very common, but some adversaries still use infected USB devices for malware distribution, so today we'll look at an example of Replication Through Removable Media (T1091). The example is Tangerine Turkey. The adversary leverages infected USB devices to distribute cryptocurrency-mining malware. The infection starts with a malicious VBScript executed from a USB drive:

C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs

This means we can hunt for suspicious scripts executed from external drives, for example D:\, E:\ and F:\. Let's build the query:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("d\\\:" OR "e\\\:" OR "f\\\:")

See you tomorrow!

026. Threat Actors Abuse Printui.exe for DLL Search Order Hijacking

Hello everyone! In some cases even threat actors involved in cryptomining malware distribution leverage quite curious techniques. Today we'll look at an activity cluster colleagues from Red Canary track as Tangerine Turkey (I like their taxonomy as well (Hi Katie and team :)). So, it's a worm, it's delivered via USB (yes, again), and it abuses printui.exe to run a cryptominer. Let's look at how it works.

Once the victim opens a malicious LNK file on an infected USB drive, wscript.exe executes a script. Look for suspicious VBS file executions from USB drives, for example:

WScript.exe "D:\rootdir\x455198.vbs"

The script executes a BAT file from the same location. This file creates a new folder ( mkdir "\\?\C:\Windows \System32" ), abuses xcopy to copy printui.exe ( xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y ), copies a malicious DAT file ( xcopy "x805299.dat" "%SystemDrive%\Windows \System32...
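As an added example (not code from the original posts or from Red Canary), the two hunts above expressed as Python rules run over constructed process-creation events: a script interpreter launching a script from a non-system drive letter, and any command line touching the trailing-space "C:\Windows \System32" directory or copying printui.exe. Field names follow the query in the first post; the sample events are made up and modelled on the command lines the posts quote.

```python
import re

# Constructed sample events shaped like the command lines quoted in the posts.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\System32\WScript.exe",
     "cmdline": r'C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r'xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c mkdir "\\?\C:\Windows \System32"'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'WScript.exe "C:\Users\alice\login.vbs"'},   # benign: script on the system drive
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\printui.exe",
     "cmdline": r'printui.exe /s'},                             # benign: printui run normally
]

# Script path on drive letter D: through Z:. The post hunts d:\, e:\ and f:\;
# this generalises to every letter except the system drive C:.
REMOVABLE_SCRIPT_RE = re.compile(
    r'(?<![A-Za-z0-9])[D-Zd-z]:\\[^"\s]*\.(vbs|vbe|js|jse|wsf|bat|cmd)\b')
# The "Windows<space>\System32" directory the BAT file creates and copies into.
TRAILING_SPACE_SYSTEM32_RE = re.compile(r'\\Windows \\System32', re.IGNORECASE)


def classify(event):
    """Return the names of the rules this event matches (empty list if none)."""
    hits = []
    if event.get("event_type") != "processcreatewin":
        return hits
    image = event.get("proc_file_path", "").lower()
    cmdline = event.get("cmdline", "")
    if image.endswith(("wscript.exe", "cscript.exe")) and REMOVABLE_SCRIPT_RE.search(cmdline):
        hits.append("script_from_external_drive")
    if TRAILING_SPACE_SYSTEM32_RE.search(cmdline):
        hits.append("trailing_space_system32")
    if image.endswith("xcopy.exe") and "printui.exe" in cmdline.lower():
        hits.append("printui_copied")
    return hits


def hunt(events):
    """Return (cmdline, matched rules) for every event that trips at least one rule."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmdline, rules in hunt(SAMPLE_EVENTS):
        print(rules, cmdline)
```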