Full Report
Cybereason Security Services issues Threat Analysis reports to inform on current, impactful threats. Each Threat Analysis report investigates a threat and provides practical recommendations for protecting against it. In this Threat Analysis report, Cybereason Security Services investigates the flow of a Tangerine Turkey campaign observed in Cybereason EDR. Tangerine Turkey is a threat actor whose campaign is built around a Visual Basic Script (VBS) worm used to facilitate cryptomining activity.
Analysis Summary
# Threat Actor: Tangerine Turkey
## Attribution & Identity
The threat actor is identified by Cybereason Security Services as the **Tangerine Turkey** campaign, characterized as a Visual Basic Script (VBS) worm used to facilitate cryptomining activity. No formal attribution to a nation-state or established group is mentioned; the name is an internal moniker for this specific campaign.
## Activity Summary
Tangerine Turkey operations focus on deploying VBScript and batch files to achieve persistence and distribute cryptomining payloads across victim environments. The campaign was first reported in late 2024 and has since expanded globally. The primary objective is financial gain through unauthorized cryptocurrency mining. The actor demonstrates capabilities for lateral movement and persistence but is not currently associated with ransomware deployment.
## Tactics, Techniques & Procedures
- **Initial Access:** Achieved via infected USB devices where a malicious VBScript (`x######.vbs`) executes upon insertion, launched by `wscript.exe`. (MITRE ATT&CK ID: T1091 – Replication Through Removable Media)
- **Execution:** Use of `wscript.exe` to execute VBScript, which subsequently spawns `cmd.exe` to run a malicious batch file (`x######.bat`). (MITRE ATT&CK ID: T1059, T1059.003)
- **Lateral Movement/Delivery:** Abusing Living-Off-The-Land Binaries (LOLBins) like `printui.exe`.
- **Defense Evasion/Masquerading:**
  - Creating a mock directory (`C:\Windows \System32\` with a trailing space) to masquerade as the legitimate System32 directory.
  - Copying malicious files (`printui.exe`, `x209791.dat`) into this mock directory using `xcopy.exe`. (MITRE ATT&CK ID: T1036)
- **DLL Sideloading/Privilege Escalation:** `printui.exe` is leveraged to sideload a malicious library (`svculdr64.dat`) alongside the legitimate `printui.dll`. (MITRE ATT&CK ID: T1574.001, T1055.001)
- **Defense Evasion (Impairing Defenses):** Using obfuscated PowerShell commands to add exclusions for the masqueraded System32 directory to Windows Defender settings (`Add-MpPreference -ExclusionPath "C:\Windows\System32"`). (MITRE ATT&CK ID: T1562)
- **Persistence:** Creating a malicious service using `sc create` to run a payload (e.g., `C:\Windows\System32\svchost.exe -k DcomLaunch`).
- **Command & Control and Tool Transfer:** Fetching miner configurations and downloading miner binaries (XMRig or Zephyr) from remote locations or GitHub. (MITRE ATT&CK ID: T1071.001, T1105)
- **Impact/Resource Hijacking:** Utilizing infected hosts for unauthorized cryptocurrency mining. (MITRE ATT&CK ID: T1496)
- **Anti-Forensics:** Attempting to delete the dropped payload (`svculdr64.dat`) and issuing destructive commands such as `rmdir /s /q "C:\Windows\"` (which likely fail or act as a diversion).
## Targeting
- **Sectors:** Organizations across multiple industries (indiscriminate targeting).
- **Geography:** Global expansion observed since late 2024.
- **Victims:** Organizations targeted indiscriminately. No specific victim names were provided in the context.
## Tools & Infrastructure
- **Malware Families Used:** VBScript Worms, Batch Files, XMRig (Cryptocurrency Miner), Zephyr Miner.
- **LOLBins Abused:** `wscript.exe`, `cmd.exe`, `printui.exe`, `xcopy.exe`.
- **Payload Components:** `svculdr64.dat` (malicious library), `x209791.dat` (payload component).
- **Infrastructure:** C2/download sources mentioned include `rootunv*[.]com` and GitHub.
## Implications
Tangerine Turkey poses a significant threat due to its reliance on readily available removable media for initial infection, suggesting high-volume, opportunistic spread. While primarily focused on cryptojacking (financial motivation), the actor's demonstrated tradecraft, including DLL sideloading, LOLBin abuse, and disabling local security controls (Windows Defender exclusions), indicates a baseline level of sophistication that could shift to more destructive or financially damaging operations like ransomware deployment in the future.
## Mitigations
- Implement measures to control the use of removable media (USB drives) to prevent initial VBScript execution.
- Monitor for the execution of legitimate utilities like `wscript.exe` or `cmd.exe` launching scripts from unusual locations (e.g., removable drives).
- Monitor for the use of LOLBins in unusual sequences, specifically focusing on `printui.exe` interacting with `printui.dll`.
- Monitor for the creation of services via `sc create` or modifications to Windows Defender preferences (`Add-MpPreference`).
- Harden endpoints against DLL Sideloading attempts by enforcing stronger file integrity checks, especially within directory paths that are being manipulated.