Tangerine Turkey is a new VBS worm spread via USBs with a cryptomining payload. Tangerine Turkey first appeared in November, but infections rose sharply last month to launch it into Red Canary’s top 10 threats at #8. More interestingly though, when Red Canary’s analysts started digging, they discovered the new worm appears to be connected to a much bigger global cryptomining operation, which has so far largely gone under the radar.
There is more background in the blog here – which is being updated later today with new information about GitHub repositories that Red Canary’s analysts discovered were being used to store configuration files for Tangerine Turkey.
Stef Rand, Senior Intelligence Analyst, Red Canary leading the investigation had this comment:
“External USB drives delivering malicious payloads–like worms and cryptominers–are still a surprisingly common problem in information security. What’s interesting here is that what initially looked like a new cryptomining worm bears strong similarity to a larger global operation uncovered by Azerbaijan’s CERT in October 2024. That investigation has so far traced 270,000 infections across 135 countries, attributed to what the Azerbaijan CERT has dubbed the “Universal Mining Operation”. That suggests that Tangerine Turkey could be much more widespread than we first thought.
“When we started digging into Tangerine Turkey, we found a report from February last year from someone who used their USB to make copies in a print shop in Turkey. When they put it back into their own machine, they detected activity that looked similar to Tangerine Turkey. This indicates a strong possibility the operation could be linked to physical shops or internet cafes where adversaries can take advantage of unsuspecting users plugging USBs into and out of public machines. While that’s a slower and lower-volume way of distributing malware than a phishing campaign, it makes it self-distributing and more difficult to trace – which makes it lower risk from the adversary’s perspective.
“Cryptomining can consume significant amounts of CPU, so those infected by Tangerine Turkey could see the performance of their systems impacted, as well as their costs increasing. The biggest risk they face, however, is the unauthorized access that adversaries gain to their endpoints. While the payload we’re seeing for now is for cryptomining, adversaries could theoretically switch it for something more nefarious in the future when Tangerine Turkey reaches out to retrieve code from remote resources.”
I would take the time to read this blog post as the fact that this uses USB drives to spread should underscore that some of the best ways to protect yourself from threats are often pretty simple. Such as not trusting USB drives that aren’t under your control. And perhaps not trusting the ones that are.
Like this:
Like Loading...
Related
This entry was posted on January 30, 2025 at 10:59 am and is filed under Commentary with tags Red Canary. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Red Canary Posts Analysis On “Tangerine Turkey” Worm
Tangerine Turkey is a new VBS worm spread via USBs with a cryptomining payload. Tangerine Turkey first appeared in November, but infections rose sharply last month to launch it into Red Canary’s top 10 threats at #8. More interestingly though, when Red Canary’s analysts started digging, they discovered the new worm appears to be connected to a much bigger global cryptomining operation, which has so far largely gone under the radar.
There is more background in the blog here – which is being updated later today with new information about GitHub repositories that Red Canary’s analysts discovered were being used to store configuration files for Tangerine Turkey.
Stef Rand, Senior Intelligence Analyst, Red Canary leading the investigation had this comment:
“External USB drives delivering malicious payloads–like worms and cryptominers–are still a surprisingly common problem in information security. What’s interesting here is that what initially looked like a new cryptomining worm bears strong similarity to a larger global operation uncovered by Azerbaijan’s CERT in October 2024. That investigation has so far traced 270,000 infections across 135 countries, attributed to what the Azerbaijan CERT has dubbed the “Universal Mining Operation”. That suggests that Tangerine Turkey could be much more widespread than we first thought.
“When we started digging into Tangerine Turkey, we found a report from February last year from someone who used their USB to make copies in a print shop in Turkey. When they put it back into their own machine, they detected activity that looked similar to Tangerine Turkey. This indicates a strong possibility the operation could be linked to physical shops or internet cafes where adversaries can take advantage of unsuspecting users plugging USBs into and out of public machines. While that’s a slower and lower-volume way of distributing malware than a phishing campaign, it makes it self-distributing and more difficult to trace – which makes it lower risk from the adversary’s perspective.
“Cryptomining can consume significant amounts of CPU, so those infected by Tangerine Turkey could see the performance of their systems impacted, as well as their costs increasing. The biggest risk they face, however, is the unauthorized access that adversaries gain to their endpoints. While the payload we’re seeing for now is for cryptomining, adversaries could theoretically switch it for something more nefarious in the future when Tangerine Turkey reaches out to retrieve code from remote resources.”
I would take the time to read this blog post as the fact that this uses USB drives to spread should underscore that some of the best ways to protect yourself from threats are often pretty simple. Such as not trusting USB drives that aren’t under your control. And perhaps not trusting the ones that are.
Share this:
Like this:
Related
This entry was posted on January 30, 2025 at 10:59 am and is filed under Commentary with tags Red Canary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.