Key conclusions:
- The multi-stage USB-critomy attack uses the DLL and PowerShell hijacking to install hidden miners on your computer.
- The most purposeful industries include financial, healthcare, education and telecommunications sectors.
- EDR tools, strict USB use policy and regular employee informing training are effective for mitigating such attacks based on USB.
Currently, there is a multi -stage cryptomic attack by USB. In case of success, this can allow cybercriminals to use your system to extract cryptocurrency without your knowledge.
In accordance with Conclusions of cyberizationA pre-infected USB device can lead to infection with backdor and allow cryptomize a multi-stage attack.
The attack is replaced Dynamic library (DLL) Order for the search for hijacking and PowerShell To circumvent safety control.
The cybersecurity company confirmed that the organizations managed to block the attack at their final stages, using the tools for detecting and response of the end points (EDR). We break the full story below for a clear understanding.
🚨 Consulting consultations on the threat: Analysts on the controlled detecting and response (MDR) revealed an infected USB device that caused a multi-stage attack chain using the theft of the search for DLL and PowerShell to detour protection. If you leave the uncontrolled, this can lead to the infection of the rear moves and … pic.twitter.com/hk882nsd5z
– Cyberazophilus (@cyberproofink) August 18, 2025
Constant, but not a new threat
The research group in cyberization found that the attack of malware USB is not new. It is associated with the early message of the crypto-major-theoretized as marshmallows or XMRIG.
In fact, they found that tactics, methods and procedures (TTP) used in the attack are similar to such Other Cryptomineer campaigns Since October 2024.
The attack is launched by an infected USB, which carries a malicious VBSCRIPT. When the script is executed, it launches a chain of processes, ultimately loading the malicious cryptoman into the user system.
A malicious cryptoman, also known as Cryptojacker– Is the malware, which secretly captures the victim’s computer resources, such as the processor, graphic processor and electricity, to extract cryptocurrency on behalf of the attacker.
The full process includes several steps, from the initial USB infection to the script, activation of packages and ultimately Cryptominer loading.
Here is a more detailed breakdown of how this USB -scriptomic attack works, from the initial stage to successful infiltration and crypto monitor.
Step 1: USB infection beginsStep 2: Activation of the command chainStep 3: Copying a file and creating catalogsStep 4: DLL abduction tuning
The user connects an infected USB -REC and unconsciously launches the VBScript file (called as X123456.VBS), stored in the USB Rootdir folder. This script is performed through the Windows script host (Wscrib.exe).
The Windows script host (Wscrib.exe) is a Windows tool that launches script files such as VBScript (.VBS) or JSCRIPT (.JS) directly in the system.
Then the VBSCRIPT launches a package file with a similar name (for example, X123456.BAT) using a command line (CMD.exe) as a subsidiary. This begins at the stage of automatic manipulation with files.
The package file (.bat) is a simple text file containing a list of commands that Windows launches one after another through the command line.
The package file uses xcopy.exe (Windows command line instrument to copy files and folders) to perform two key actions:
-
He copies the legal Printui.exe from C: \ Windows \ System32 to the recently created fake catalog C: \ Windows \ System32 (pay attention to additional space).
-
It puts a malicious .dat file in this fake catalog.
The .dat file is renamed in Printui.dll in a fake catalog. When copied by Printui.exe works from this place, Windows loads malicious printui.dll instead of the legitimate from the Real System32 folder. This comes from the rules for ordering a search for DLL.
When the program starts and needs DLL (a dynamic library), Windows follows a specific order to find it. By default, the first place he checks is the folder in which the EXE program is located.
The abuse printui.dll contains a code designed to download a crypto monitor.
If you find the aforementioned explanation too technical, here is a simple analogy that will help you understand the attack chain.
Imagine you keep the medicine in the closet. Once someone makes his way and puts a fake bottle that looks the same as your real medicine. When you reach this, you first capture fake, because it is right in your closet.
And just like a bottle of fake medicine, first Windows launches a fake hacker file, because it is located right where Windows expects that the real one will be.
Cyberazitis monitors and analyzed the compromise (IOC) indicators, which are red flags that help to detect cyber attacks to assess the prevalence of USB Cryptomining attack.
The team attracted the geographical distribution of attack, and some of the injured countries include the United States, Australia and Italy.
According to Cyberraphes Research, this USB -scriptomic attack was the most common in the following sectors:
- Financial institutions
- Educational institutions
- Medical industry
- Production sector
- Telecommunication industry
- Oil and gas
Although attackers and cybercriminals rarely discriminate, employees working in the above -mentioned industries should be especially attentive to potential threats.
How to stay safe from cryptomic attacks USB
While cryptomic attacks based on USB are especially insidious, it is impossible to protect from them. On the one hand, you should avoid connecting foreign USB to your computer – you never know if they are infected.
Here are a few more tips on protection against USB.
1. Disconnect the bus/autonomram
Disabling Autorun/Autoplay prevents automatic execution of programs on a USB device when connecting it. So far it is easy Disable Autorun/Autoplay to PC with WindowsBy default, the latest MacOS does not have a mechanism of auto -zagons.
For Windows, go to the settings – Bluetooth – Autoplay and install everything to “ask me every time”.
You can also use Group policy settings Disconnect the auto -tower/automatic organization throughout the organization.
2. Improving the safety of the final point
The endpoints are devices such as computers, laptops and smartphones connected to your network.
The implementation of the detection and response solutions of the endpoints (EDR) to protect the end point of Harden can help prevent the Cryptomic USB attacks. EDR tools can detect and block confusing malicious scenarios and control the final points for anomalies.
If you do not work in a professional environment, you can consider the possibility of installing an authoritative antivirus program in your system. He not only scans your USB -parave for malicious scenarios, but will probably have functions that block cryptomic attacks.
3. Improving physical security
The introduction of strong physical safety for USB ports prevents unauthorized access and protects from cryptomation, as well as dangerous threats based on USB, such as USB of the murder of attacksField
Make sure that USB portions in your organization are available only for those who sincerely need them.
You must also make a policy for using only protected from USB-disks. These USB-disks are only for reading, which means that no one can delete, edit or add data to them.
4. Train your employees
The training of your employees in safe USB practitioners is of great importance for protecting against attacks on the USB base.
Make a USB policy that:
- Prohibit the use of personal USB -disks at the workplace and BYOD control
- Teach employees recognition of the USB threats, such as USB drop attacks
- Determine the simple process for reporting incidents
If you need to use an unknown USB-disk, it should be connected only to the air system (a computer device not connected to your network or on the Internet).
USB devices remain a risk of security
USBS is a popular attack vector, because USB-based attacks are easy to perform.
The actor of the threat needs to reset infected USB devices only in common places, such as your parking, reception or toilet. A curious employee can connect the USB found to see what is on it.
If you do not have the proper USB safety, the attacker instantly gains an entrance point.
When 51% of malware attacks Designed for USB, you need to seriously treat USB safety.
To protect against attacks based on USB, you need to take a multi -layer approach. This includes the installation of authoritative EDR solutions, ensuring a strict USB policy, training employees and strengthening the physical security of USB ports.
The editorial policy of Tech Report is focused on providing useful, accurate content, which offers real value for our readers. We work only with experienced writers who have specific knowledge on topics that they cover, including the latest developments in the field of technology, confidentiality on the Internet, cryptocurrencies, software and much more. Our editorial policy guarantees that each topic is studied and supervised by our internal editors. We support strict journalistic standards, and each article is 100% written by real authors.
:quality(85):upscale()/2025/10/14/873/n/1922729/517537da68eeab605de738.24730103_.jpg?w=150&resize=150,150&ssl=1 "Marathon Moonlighters Keep Their Running Private")
