SOC Prime Bias: Medium

05 Dec 2025 17:36

CoinMiner Malware Continues to Spread via USB Drives

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

SUMMARY

CoinMiner malware continues to propagate through USB drives in South Korea, leveraging a hidden shortcut that triggers VBS and BAT scripts, which in turn stage multiple components that ultimately deliver a cryptocurrency-mining payload.

Investigation

The report outlines the directory structure on the infected USB, the execution chain from the shortcut through multiple dropper stages, registration under the DcomLaunch service, and deployment of PrintMiner and XMRig cryptocurrency miners.

Mitigation

Users should keep OS and software patched, block execution of untrusted shortcut files, use up-to-date antivirus tools, and deny access to known malicious infrastructure.

Response

Detect the malicious shortcut and its related scripts, monitor for creation of dropper files and DCOM registrations, and block network traffic to the identified mining command-and-control domains and IP address.
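The detection points listed in the Response section (a shortcut-launched script host on removable media, the VBS-to-BAT hand-off, the printui.dll drop, the DCOM registration, the dropper's helper executables) can be expressed as a small chain detector that alerts on a host only when several links fire together. The Python block below is an added example written for this page, not code from SOC Prime or from the underlying report. The events are constructed samples; field names follow Sysmon EventID 1, 7, 11 and 13 conventions; the rule names, the "any drive other than C: is removable" heuristic and the registry path used to model the DcomLaunch registration are assumptions to adjust to your own telemetry.

```python
"""Chain detector for the USB-borne CoinMiner activity (added example).

Each rule covers one link of the chain: a script host launched from a
removable drive, the VBS spawning a BAT via cmd.exe, printui.dll written
into System32, printui.exe loading an unsigned printui.dll, a registration
under the DcomLaunch service, and execution of the dropper's helpers.
"""
import re
from dataclasses import dataclass

# Constructed Sysmon-style sample events for this example (not telemetry from
# the report). Field names follow Sysmon EventID 1 (process create),
# 7 (image load), 11 (file create) and 13 (registry value set).
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "E:\\",
     "CommandLine": r"wscript.exe //b E:\hidden\launch.vbs"},
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CurrentDirectory": "E:\\",
     "CommandLine": r"cmd.exe /c E:\hidden\stage.bat"},
    {"Host": "ws01", "EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\printui.dll"},
    {"Host": "ws01", "EventID": 7, "Image": r"C:\Windows\System32\printui.exe",
     "ImageLoaded": r"C:\Windows\System32\printui.dll", "Signed": "false"},
    {"Host": "ws01", "EventID": 13, "Image": r"C:\Windows\System32\printui.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DcomLaunch\Parameters\ServiceDll",
     "Details": r"C:\Windows\System32\printui.dll"},
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\svcinsty64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\", "CommandLine": "svcinsty64.exe"},
    # Benign noise on a second host: a signed system DLL load and an admin script run from C:\.
    {"Host": "ws02", "EventID": 7, "Image": r"C:\Windows\System32\printui.exe",
     "ImageLoaded": r"C:\Windows\System32\printui.dll", "Signed": "true"},
    {"Host": "ws02", "EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": "C:\\Scripts\\",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
]

# Assumption: C: is the only fixed drive, so any other drive letter is removable media.
REMOVABLE_DRIVE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)
# Servicing-stack processes that legitimately write system DLLs; anything else is suspect.
TRUSTED_DLL_WRITERS = ("\\tiworker.exe", "\\trustedinstaller.exe")


def _ends(value, *suffixes):
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


def script_host_from_removable_drive(e):
    return (e["EventID"] == 1
            and _ends(e.get("Image", ""), "\\wscript.exe", "\\cscript.exe")
            and _ends(e.get("ParentImage", ""), "\\explorer.exe")
            and bool(REMOVABLE_DRIVE.match(e.get("CurrentDirectory", ""))))


def script_spawns_batch(e):
    return (e["EventID"] == 1
            and _ends(e.get("Image", ""), "\\cmd.exe")
            and _ends(e.get("ParentImage", ""), "\\wscript.exe", "\\cscript.exe")
            and ".bat" in e.get("CommandLine", "").lower())


def printui_dll_dropped(e):
    return (e["EventID"] == 11
            and _ends(e.get("TargetFilename", ""), "\\printui.dll")
            and not _ends(e.get("Image", ""), *TRUSTED_DLL_WRITERS))


def printui_loads_unsigned_dll(e):
    return (e["EventID"] == 7
            and _ends(e.get("Image", ""), "\\printui.exe")
            and _ends(e.get("ImageLoaded", ""), "\\printui.dll")
            and e.get("Signed", "").lower() != "true")


def dcomlaunch_registration(e):
    # Assumption: the DcomLaunch registration shows up as a registry write under the
    # service key by a process other than the Service Control Manager.
    return (e["EventID"] == 13
            and "\\services\\dcomlaunch\\" in e.get("TargetObject", "").lower()
            and not _ends(e.get("Image", ""), "\\services.exe"))


def dropper_helper_executed(e):
    return e["EventID"] == 1 and _ends(e.get("Image", ""), "\\svcinsty64.exe", "\\svctrl64.exe")


RULES = [script_host_from_removable_drive, script_spawns_batch, printui_dll_dropped,
         printui_loads_unsigned_dll, dcomlaunch_registration, dropper_helper_executed]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    event_id: int


def detect(events):
    """Return one Finding per (event, matching rule) pair."""
    return [Finding(e.get("Host", "?"), rule.__name__, e["EventID"])
            for e in events for rule in RULES if rule(e)]


def chain_coverage(findings):
    """Distinct chain links observed per host."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


def hosts_with_chain(findings, min_links=3):
    """Hosts where at least min_links distinct links fired: alert on the chain, not on one rule."""
    return sorted(h for h, links in chain_coverage(findings).items() if len(links) >= min_links)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule} (EventID {f.event_id})")
    print("chain suspected on:", hosts_with_chain(found))
```

Correlating distinct links per host rather than paging on each rule keeps the noisier links (a script host run from a removable drive, a single printui.dll write) from alerting on their own while still surfacing a host where the chain is progressing; `min_links` is the knob to tune against the telemetry you actually collect.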

Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#66cc66
  classDef file fill:#ffcc66
  classDef process fill:#c266ff
  classDef malware fill:#ff6666
  classDef network fill:#cccccc

  %% Nodes
  action_usb_insert["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b>: User inserts compromised USB drive containing a hidden shortcut."]
  class action_usb_insert action
  tool_shortcut["<b>Tool</b> – <b>T1547.009 Shortcut Modification</b>: Hidden LNK shortcut 'USB Drive.lnk' visible to user."]
  class tool_shortcut tool
  tool_vbscript["<b>Tool</b> – <b>T1059.005 Visual Basic</b>: Shortcut launches a Visual Basic script."]
  class tool_vbscript tool
  tool_batch["<b>Tool</b> – <b>T1059.003 Windows Command Shell</b>: VBScript runs a batch file."]
  class tool_batch tool
  file_malicious_dll["<b>File</b> – <b>T1036.005 Masquerading: Match Legitimate Name</b> & <b>T1036.008 Masquerading: Double Extension</b>: Malicious DLL 'printui.dll' (renamed from .dat) dropped to C:\Windows\System32 using hidden directories."]
  class file_malicious_dll file
  process_printui["<b>Process</b> – <b>T1055.001 Process Injection</b> & <b>T1574.001 DLL Hijacking</b>: Legitimate printui.exe loads the malicious DLL."]
  class process_printui process
  tool_dcom["<b>Tool</b> – <b>T1546.015 Server Software Component</b> & <b>T1021.003 DCOM</b>: Registers the DLL with a DCOM service for persistence."]
  class tool_dcom tool
  file_svcinsty["<b>File</b>: Executable 'svcinsty64.exe' created by dropper to install final payload."]
  class file_svcinsty file
  file_svctrl["<b>File</b>: Executable 'svctrl64.exe' created by dropper as helper."]
  class file_svctrl file
  malware_printminer["<b>Malware</b> – PrintMiner: Adds Windows Defender exclusion, spoofs security alerts, prepares miner download."]
  class malware_printminer malware
  tool_defender_exclusion["<b>Tool</b> – <b>T1564.012 Disk Content Spoofing</b> & <b>T1562.011 Modify Registry</b>: Modifies Defender exclusion list to hide activity."]
  class tool_defender_exclusion tool
  network_c2["<b>Network</b> – <b>T1071.001 Web Protocols</b>, <b>T1102.002 Web Services</b>, <b>T1102.003 Ingress Tool Transfer</b>: HTTPS communication with command-and-control to retrieve configuration and download miner."]
  class network_c2 network
  malware_xmrig["<b>Malware</b> – XMRig: Open-source Monero miner downloaded and executed."]
  class malware_xmrig malware
  action_compute_hijack["<b>Action</b> – <b>T1496.001 Resource Hijacking</b>: Executes XMRig to mine cryptocurrency while evading analysis tools."]
  class action_compute_hijack action
  action_replication["<b>Action</b> – <b>T1091 Replication Through Removable Media</b>: Recreates shortcut and hidden files on other USB drives."]
  class action_replication action

  %% Connections
  action_usb_insert -->|creates| tool_shortcut
  tool_shortcut -->|launches| tool_vbscript
  tool_vbscript -->|executes| tool_batch
  tool_batch -->|drops| file_malicious_dll
  file_malicious_dll -->|loaded by| process_printui
  process_printui -->|establishes persistence via| tool_dcom
  tool_dcom -->|creates| file_svcinsty
  tool_dcom -->|creates| file_svctrl
  file_svcinsty -->|installs| malware_printminer
  file_svctrl -->|supports| malware_printminer
  malware_printminer -->|adds exclusion using| tool_defender_exclusion
  malware_printminer -->|communicates with| network_c2
  network_c2 -->|delivers| malware_xmrig
  malware_xmrig -->|executes| action_compute_hijack
  action_compute_hijack -->|triggers| action_replication
  action_replication -->|places| tool_shortcut
```

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Stage 1 – Drop a malicious DLL: The adversary copies a crafted printui.dll to the same directory as printui.exe (simulating a driver payload delivered via a USB device).
    2. Stage 2 – Execute printui.exe: Invoking printui.exe with the /ml switch (malicious load) loads the malicious DLL and generates a process-creation event that matches the rule's selection (Image endswith \printui.exe) but also satisfies its filter condition (Image contains printui.dll). The rule deliberately excludes this case, so a further stage is needed to get past the filter and produce an alert.
    3. Stage 3 – Execute svcinsty64.exe: The attacker registers a new service pointing to a payload binary (payload.exe) stored on the USB drive. This action creates a process‑creation event for svcinsty64.exe, satisfying the rule’s selection without triggering the filter, thus generating an alert.
  • Regression Test Script: The script below automates the three stages, ensuring reproducibility.

```powershell
# -------------------------------------------------
# Regression Test - Trigger Sigma rule for printui.exe / svcinsty64.exe
# Run as administrator on an isolated test host. svcinsty64.exe is the
# dropper-created installer named in the report and must already exist at
# $svcInstPath for stages 5 and 6 to do anything.
# -------------------------------------------------
$dllPath     = "$env:TEMP\printui.dll"
$exePath     = "$env:SystemRoot\System32\printui.exe"
$svcInstPath = "$env:SystemRoot\System32\svcinsty64.exe"
$payloadPath = "$env:TEMP\payload.exe"

# 1. Drop a dummy malicious DLL (binary content not important for detection).
#    WriteAllBytes works in both Windows PowerShell and PowerShell 7, where
#    Set-Content -Encoding Byte is no longer accepted.
Write-Host "[*] Creating dummy malicious DLL at $dllPath"
[System.IO.File]::WriteAllBytes($dllPath, [byte[]](0..255))

# 2. Execute printui.exe (benign load) - should NOT fire due to filter
Write-Host "[*] Running benign printui.exe (will be filtered out)"
Start-Process -FilePath $exePath -ArgumentList "/p" -Wait

# 3. Execute printui.exe with malicious DLL loading - filtered out (expected).
#    The DLL path is wrapped in escaped double quotes so the argument survives
#    a TEMP path that contains spaces.
Write-Host "[*] Running printui.exe with malicious DLL (filtered case)"
Start-Process -FilePath $exePath -ArgumentList "/ml `"$dllPath`"" -Wait

# 4. Prepare a dummy payload executable (simple CMD script wrapped into an exe)
Write-Host "[*] Creating dummy payload executable"
$payloadScript = "$env:TEMP\payload.bat"
@"
@echo off
echo Payload executed > "$env:TEMP\payload_output.txt"
"@ | Set-Content -Path $payloadScript -Encoding ASCII

# Convert .bat to .exe using iexpress (built-in). The SED is the standard
# IExpress package definition: it bundles payload.bat and runs it on extraction.
$iexpress = "$env:SystemRoot\System32\iexpress.exe"
$config   = "$env:TEMP\iexpress.sed"
@"
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=$payloadPath
FriendlyName=Payload
AppLaunched=cmd /c payload.bat
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="payload.bat"
[SourceFiles]
SourceFiles0=$env:TEMP\
[SourceFiles0]
%FILE0%=
"@ | Set-Content -Path $config -Encoding ASCII
& $iexpress /N /Q /M $config    # /N build from the SED, /Q quiet, /M minimised windows

# 5. Register a malicious service using svcinsty64.exe - SHOULD FIRE
Write-Host "[*] Registering malicious service via svcinsty64.exe"
$svcName    = "MaliciousSvc"
$svcDisplay = "Malicious Service"
$svcCmd     = "`"$payloadPath`""
$svcArgs    = "/install `"$svcName`" `"$svcDisplay`" $svcCmd"
Start-Process -FilePath $svcInstPath -ArgumentList $svcArgs -Wait

# 6. Clean up service
Write-Host "[*] Removing malicious service"
Start-Process -FilePath $svcInstPath -ArgumentList "/uninstall `"$svcName`"" -Wait

# 7. Remove temporary artifacts
Write-Host "[*] Cleaning temporary files"
Remove-Item -Path $dllPath, $payloadPath, $payloadScript, $config, "$env:TEMP\payload_output.txt" -Force -ErrorAction SilentlyContinue
Write-Host "[+] Test completed"
```
  • Cleanup Commands: (If the above script fails or you prefer manual cleanup)

```powershell
# Remove the malicious service if still present
$svcName     = "MaliciousSvc"
$svcInstPath = "$env:SystemRoot\System32\svcinsty64.exe"
& $svcInstPath /uninstall $svcName

# Delete temporary DLL, payload, batch script, SED definition and payload output
Remove-Item -Path "$env:TEMP\printui.dll" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\payload.exe" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\payload.bat" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\iexpress.sed" -Force -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\payload_output.txt" -Force -ErrorAction SilentlyContinue

# (Optional) Verify no leftover services; no output means the service is gone
Get-Service -Name $svcName -ErrorAction SilentlyContinue
```