CoinMiner Malware Being Continuously Distributed via USB

Researchers from AhnLab ASEC and Mandiant confirmed USB-based propagation of CoinMiner-related campaigns in South Korea that deploy PrintMiner and install XMRig to mine Monero. The infection chain uses a visible ‘USB Drive.lnk’ shortcut that launches VBS/BAT droppers, side-loads a malicious DLL via printui.exe, registers a payload with the DcomLaunch service, exempts its folder from Windows Defender, and retrieves encrypted payloads from C2 servers. #PrintMiner #XMRig

Keypoints

  • Infection is propagated via removable media: a visible ‘USB Drive.lnk’ shortcut and hidden ‘sysvolume’ and ‘USB Drive’ folders trick users into executing the malware while preserving original user files.
  • The initial LNK launches a VBS file (e.g., ‘u566387.vbs’) which executes a BAT (e.g., ‘u643257.bat’) that copies a dropper (‘u211553.dat’ renamed to ‘printui.dll’) and runs it via the legitimate ‘printui.exe’ to achieve execution.
  • A multi-stage dropper chain is used: printui.dll → svcinsty64.exe → svctrl64.exe → final DLL (e.g., ‘u826437.dll’) which is registered to the DcomLaunch service for persistence and execution.
  • PrintMiner configures Windows Defender exclusions, adjusts power settings to prevent sleep, collects system info (CPU/GPU), decrypts downloaded payloads, and stages XMRig in ‘%SystemDirectory%wsvcz’ for Monero mining.
  • XMRig is launched with specific parameters (connects to ‘r2.hashpoolpx[.]net:443’ with TLS fingerprint) and includes logic to avoid running when certain processes (process monitoring tools and game clients) are present.
  • IOCs include MD5 hashes, hosted URLs and IP (2[.]58[.]56[.]13), and FQDNs (r2.hashpoolpx[.]net, umnsrx[.]net); AhnLab V3 detections list multiple Trojan/CoinMiner signatures.
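As a defender-side check for the USB artifacts listed above, here is an added Python scanner (not ASEC's or AhnLab's code) that walks a removable-drive root and flags the lure shortcut, the decoy folders (with the hidden attribute when run on Windows), the 'u' + six-digit dropper names, and a printui.exe/printui.dll pair staged outside System32. The constructed sample tree assumes the droppers sit under 'sysvolume'; the report does not state which decoy folder holds them.

```python
import re
import stat
import tempfile
from pathlib import Path

LNK_NAME = "USB Drive.lnk"                 # visible lure the user double-clicks
DECOY_DIRS = ("sysvolume", "USB Drive")    # hidden folders named in the report
RANDOM_NAME = re.compile(r"^u\d{6}\.(vbs|bat|dat|dll)$", re.IGNORECASE)  # u566387.vbs etc.
SIDELOAD_PAIR = {"printui.exe", "printui.dll"}

def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; st_file_attributes is absent elsewhere, so default to 0."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def scan_usb_root(root) -> list:
    """Return findings for one drive root; an empty list means nothing matched."""
    root, findings = Path(root), []
    if (root / LNK_NAME).is_file():
        findings.append(f"lure shortcut at root: {LNK_NAME}")
    for name in DECOY_DIRS:
        if (root / name).is_dir():
            hidden = " [hidden]" if is_hidden(root / name) else ""
            findings.append(f"decoy folder: {name}{hidden}")
    for p in sorted(root.rglob("*")):
        if p.is_file() and RANDOM_NAME.match(p.name):
            findings.append(f"random-named dropper: {p.relative_to(root).as_posix()}")
    # printui.exe copied next to a printui.dll is the side-loading setup the BAT prepares
    for d in {p.parent for p in root.rglob("printui.*")}:
        if SIDELOAD_PAIR <= {c.name.lower() for c in d.iterdir()}:
            findings.append(f"printui side-load pair staged in: {d.relative_to(root).as_posix()}")
    return findings

def looks_like_printminer_usb(root) -> bool:
    """Lure shortcut plus a decoy folder or random-named dropper: the report's USB signature."""
    f = scan_usb_root(root)
    return any(x.startswith("lure") for x in f) and any(not x.startswith("lure") for x in f)

def build_sample_tree(infected=True) -> Path:
    """Constructed test layout with placeholder contents (no real malware); dropper placement assumed."""
    base = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (base / "photo.jpg").write_bytes(b"user file")   # original user data is preserved
    if infected:
        (base / LNK_NAME).write_text("placeholder lnk")
        (base / "USB Drive").mkdir()                 # decoy folder
        (base / "sysvolume").mkdir()                 # assumed location of the droppers
        for name in ("u566387.vbs", "u643257.bat", "u211553.dat"):
            (base / "sysvolume" / name).write_text("placeholder")
    return base
```

Run `scan_usb_root("E:\\")` (or any mounted drive root) to list findings; on Windows the decoy folders are also tagged with their hidden attribute.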

MITRE Techniques

  • [T1091] Replication Through Removable Media – USB drives are used to spread the malware via a visible shortcut and hidden folders (‘The infected USB shows the “USB Drive.lnk” file, and there are also “sysvolume” and “USB Drive” folders in hidden attributes.’)
  • [T1204.002] User Execution: Malicious File – The attack relies on the user double-clicking a shortcut to execute VBS/BAT droppers (‘Typically, when a user inserts a USB drive … they would double-click the “USB Drive.lnk” file to execute it.’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBS scripts are used to launch the BAT droppers and subsequent payloads (‘The “USB Drive.lnk” shortcut file executes VBS malware with a name consisting of a random set of six digits …’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – BAT scripts perform file operations and launch executables to deploy the dropper chain (‘The BAT malware opens the “USB Drive” folder … creates a folder … and copies the “u211553.dat” dropper malware into it, renaming it as “printui.dll”.’)
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The malicious ‘printui.dll’ is loaded by the legitimate ‘printui.exe’ to execute the dropper (‘It then copies the “printui.exe” file … before executing it. This allows the “printui.dll” (i.e., “u211553.dat”) malware to be loaded and executed by the legitimate “printui.exe” program.’)
  • [T1543.003] Create or Modify System Process: Windows Service – The final DLL is registered with the DcomLaunch service for persistent execution (‘svctrl64.exe … creates a DLL … and registers it with the DcomLaunch service.’)
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The malware registers its installation path as a Windows Defender exclusion to avoid detection (‘PrintMiner registers the installation path as an exception folder in Windows Defender’).
  • [T1057] Process Discovery – The malware enumerates running processes and checks for process inspection tools and game clients to decide when to run or terminate XMRig (‘the thread responsible for executing XMRig examines the currently running processes, and only executes XMRig when specific processes are not running’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload retrieval use HTTPS/TLS to communicate with remote servers (XMRig parameter: ‘-o r2.hashpoolpx[.]net:443 --tls …’).
  • [T1027] Obfuscated Files or Information – Downloaded payloads are encrypted and require a decryption step before installation (‘The downloaded files are encrypted, so a decryption process is also carried out.’)
  • [T1496] Resource Hijacking – The ultimate goal is cryptomining (Monero) using the installed XMRig to consume system resources (‘installed XMRig to mine Monero coins’).

Indicators of Compromise

  • [MD5] sample dropper and miner file hashes – 1cf4a8bfd59d5f04be313d2fa3af5f5a, 248eed41f083c5de46a15c2b9f30303e, and 3 more hashes
  • [URL] payload/C2 download URLs – http[:]//2[.]58[.]56[.]13/inf[.]dat, http[:]//2[.]58[.]56[.]13/utl/xmr[.]dat (used to host/download encrypted payloads)
  • [FQDN] C2 / mining endpoints – r2[.]hashpoolpx[.]net (XMRig pool endpoint), umnsrx[.]net
  • [IP] infrastructure host – 2[.]58[.]56[.]13 (host serving payloads and C2)
  • [File names] key filenames used in the attack chain – ‘USB Drive.lnk’ (shortcut used to trigger execution), ‘printui.dll’/‘u211553.dat’ (dropper DLL), ‘svcinsty64.exe’ and ‘svctrl64.exe’ (internal droppers)

Read more: https://asec.ahnlab.com/en/91415/