Hunter-Case-02 - Tangerine Turkey worm and DLL Hijacking
- DLL Search Order Hijacking
1.) Information
Hunter Blue's day started with another interesting case: a USB worm installed on customer devices, alerted by the SOC department and also hunted through our monthly Threat Hunting Service.
Threat actors distributing cryptomining malware leverage quite curious techniques; this one abuses printui.exe to run a cryptominer.
The attack chain was prevented by the XDR system, but there are some essential things you should know to investigate it the right way.
You should investigate the initial entry and execution, then search through the logs with these IoCs / IoAs to find the right artifacts for Threat Hunting.
1.1) Information Links and Research
Threat Intel Information: https://redcanary.com/blog/threat-intelligence/tangerine-turkey/
IR Teammate Tweet: https://x.com/malmoeb/status/1679429864527413248
Threat Hunting and executions from uncommon file paths: https://www.socinvestigation.com/detections-of-malware-execution-from-unusual-directories/
Threat post by Oleg: https://www.knowyouradversary.ru/2025/01/026-threat-actors-abuse-printuiexe-for.html
Recommendations for USB Devices in your company: https://connectivitycenter.com/11-best-practices-for-securing-usb-devices-on-a-network/
Profiling System32 binaries to detect DLL Search Order Hijacking: https://redcanary.com/blog/threat-detection/system32-binaries/
2.) Attack Chain
3.) Initial Access
Checking for buzzwords in the timeline for USB connected events:
USBSTOR
USBSTOR.SYS
Plug and Play device
Generic Flash Disk
USB Device
Registry: HKLM\System\CurrentControlSet\Services\USBSTOR
USB Device plugged in by different users using the same shared USB Drive
My teammate talked about infected USB sticks before [1]. The XDR on a customer site picked up malicious behavior, including the commands:
D: -> the USB device seen in the USB connected timeline -> "Initial entry point was a USB device shared by different employees"
This behavior aligns with the tactics described in the Red Canary blog post here:
Threat Intel Information: https://redcanary.com/blog/threat-intelligence/tangerine-turkey/
The USB stick was plugged into three different devices, resulting in alerts on these hosts.
As pointed out in the beginning, alerts from malicious USB sticks are common, and one must also raise awareness amongst users about the dangers of malicious code on USB sticks.
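The correlation behind the finding above (one shared USB drive showing up on several hosts) can be scripted over a parsed timeline. This is an added example and not part of the original case write-up: the pipe-separated timeline format, hostnames, user names and device serials are constructed; the USBSTOR device-instance-path pattern is the one the Windows driver writes.

```python
"""Correlate USBSTOR timeline entries to spot one removable drive shared across hosts.
Added example, not part of the original case write-up; the "timestamp|host|user|message"
timeline format, hostnames, users and device serials are all constructed."""
import re
from collections import defaultdict

# Device instance path as written by the USBSTOR driver:
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&0
USBSTOR_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)&Rev_[^\\]+\\(?P<serial>[^&\s]+)",
    re.IGNORECASE)

TIMELINE = """\
2025-01-13T08:02:11|WS-0417|alice|PnP device arrived: USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\070A1B2C3D4E&0
2025-01-13T08:02:12|WS-0417|alice|Registry key written: HKLM\\System\\CurrentControlSet\\Services\\USBSTOR
2025-01-13T09:15:40|WS-0231|bob|PnP device arrived: USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\070A1B2C3D4E&0
2025-01-13T11:47:03|WS-0880|carol|PnP device arrived: USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\070A1B2C3D4E&0
2025-01-13T12:00:19|WS-0102|dave|PnP device arrived: USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\5B9E11F0&0
2025-01-13T12:30:00|WS-0102|dave|Interactive logon
"""

def parse_usb_events(text):
    """Yield (timestamp, host, user, serial, model) for every line that names a USBSTOR device."""
    for line in text.splitlines():
        ts, host, user, msg = line.split("|", 3)
        m = USBSTOR_RE.search(msg)
        if m:
            yield ts, host, user, m["serial"], f"{m['vendor']} {m['product']}"

def shared_drives(text, min_hosts=2):
    """Group arrivals by serial and keep drives seen on at least min_hosts distinct hosts."""
    drives = defaultdict(lambda: {"model": "", "hosts": set(), "users": set(), "first_seen": None})
    for ts, host, user, serial, model in parse_usb_events(text):
        d = drives[serial]
        d["model"] = model
        d["hosts"].add(host)
        d["users"].add(user)
        d["first_seen"] = ts if d["first_seen"] is None else min(ts, d["first_seen"])
    return {s: {**d, "hosts": sorted(d["hosts"]), "users": sorted(d["users"])}
            for s, d in drives.items() if len(d["hosts"]) >= min_hosts}

if __name__ == "__main__":
    for serial, d in shared_drives(TIMELINE).items():
        print(f"{d['model']} serial {serial}: first seen {d['first_seen']}, "
              f"{len(d['hosts'])} hosts ({', '.join(d['hosts'])}), users {', '.join(d['users'])}")
```

The serial is what ties the plug-in events together; the host and user sets then give you the list of machines to triage and the people to talk to.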
3.2) Infection execution commands
This pseudo detection analytic identifies instances of printui.exe relocated outside of Windows\System32.
4.) Findings through Threat Hunting
We hunted through the data lake logs of the whole infrastructure and, yes, you guessed it right, we found other hosts executing the same commands to download the malicious file from this USB device.
Hunting for DLL Search Order Hijacking
5.) Mitigation
The initial breach may occur via infected USB devices or via email attachments.
Email policy limitation:
Limit email attachments to known and legitimate file types (whitelisting, not blacklisting) on the email gateway.
USB policy limitation:
Limiting the usage of USB devices within an organization helps reduce the risks associated with unknown hardware connected to the USB ports of computers.
Establishing policies regarding the acceptable use of USB drives by employees within an organization helps ensure compliance with industry standards.
Awareness training:
Therefore awareness training is essential in your company to teach your users in an easy way how such malicious operations are executed (do some fun awareness campaigns so that your users learn something, and do not blame them, as they do not know these attacks ;) )
Disable USB Devices:
Disabling USB ports prevents unknown devices from connecting directly to a computer’s port
Disable Autorun:
Disabling autorun settings can help reduce potential risks posed by malicious programs embedded in files stored on an external drive or transferred over the internet via email attachments or downloads from untrusted sources
Monitoring the Access:
To prevent unauthorized access to your network via a USB device, it is important to monitor who has access.
System and prevention configuration:
Attack Surface Reduction rules to break the execution chain of malicious files
Application Control or next-gen WDAC to block malicious executions
Exercise Caution: Only download and open files from trusted and verified sources.
Check File Extensions: Ensure files have appropriate extensions before opening (.zip, .dat and .vbs files).
Report Suspicious Activity: If you encounter unexpected files or activities, report them immediately for further investigation.
6.) Detection and Hunting
Look for suspicious VBS file executions from USB drives, for example via WScript.exe
Look for the creation of system folders with a trailing space (e.g. "Windows ")
Look for copying of system binaries to suspicious locations
Threat Hunting and executions from uncommon file paths: https://www.socinvestigation.com/detections-of-malware-execution-from-unusual-directories/
Look for printui.exe executions from unexpected locations
Look for renaming of DAT files to DLL files
My colleague from the Incident Response team also explained this in his post: https://x.com/malmoeb/status/1679429864527413248 if you want to see how such commands are misused by threat actors.
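The hunting points above, together with the printui.exe analytic from section 3.2, as one set of heuristics run over sample events. This is an added example and not the post's Sigma, YARA, Tanium or Defender XDR content: the event dict shapes, paths and file names are constructed, the removable drive letters are an assumption, and the hijacked DLL name is assumed from the search-order-hijack pattern.

```python
"""Hunting heuristics from sections 3.2 and 6 applied to constructed events.
Added example, not the post's Sigma/KQL/Tanium content; event dicts, paths and
file names are constructed, and real telemetry (Sysmon, Defender) uses other schemas."""
import ntpath

SYSTEM32 = r"c:\windows\system32"
REMOVABLE = ("d:\\", "e:\\", "f:\\")   # assumption: only C: is a fixed disk

def has_trailing_space_component(path):
    """True if any path component ends in a space, e.g. 'C:\\Windows \\System32'."""
    return any(p != p.rstrip() for p in path.lower().split("\\") if p)

def hunt(ev):
    """Return the names of the heuristics that fire for one event dict."""
    hits = []
    if ev["type"] == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
        name = ntpath.basename(image)
        if name == "printui.exe" and ntpath.dirname(image) != SYSTEM32:
            hits.append("printui_outside_system32")       # section 3.2 analytic
        if name in ("wscript.exe", "cscript.exe") and ".vbs" in cmd and any(d in cmd for d in REMOVABLE):
            hits.append("vbs_from_removable_drive")
    elif ev["type"] in ("file_copy", "file_rename"):
        src, dst = ev["src"].lower(), ev["dst"].lower()
        if ntpath.dirname(src) == SYSTEM32 and ntpath.dirname(dst) != SYSTEM32:
            hits.append("system_binary_copied_out")
        if src.endswith(".dat") and dst.endswith(".dll"):
            hits.append("dat_renamed_to_dll")
    # trailing-space folders ("Windows ") on any path the event touches
    if any(has_trailing_space_component(p) for p in (ev.get("image"), ev.get("dst"), ev.get("path")) if p):
        hits.append("trailing_space_system_folder")
    return hits

EVENTS = [  # constructed sample telemetry for one host; the DLL name follows the search-order-hijack pattern
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "D:\x123456.vbs"'},
    {"type": "dir_create", "path": r"C:\Windows \System32"},
    {"type": "file_copy", "src": r"C:\Windows\System32\printui.exe", "dst": r"C:\Windows \System32\printui.exe"},
    {"type": "file_rename", "src": r"C:\Windows \System32\x123456.dat", "dst": r"C:\Windows \System32\printui.dll"},
    {"type": "process", "image": r"C:\Windows \System32\printui.exe", "cmdline": "printui.exe"},
    {"type": "process", "image": r"C:\Windows\System32\printui.exe", "cmdline": "printui.exe"},  # benign
]

def hunt_all(events):
    return {i: hunt(ev) for i, ev in enumerate(events) if hunt(ev)}   # event index -> fired heuristics

if __name__ == "__main__":
    for i, hits in hunt_all(EVENTS).items():
        print(i, EVENTS[i]["type"], ", ".join(hits))
```

The benign last event shows why the path comparison matters: the legitimate printui.exe in the real System32 folder fires nothing, while the copy in the trailing-space "Windows " folder fires two heuristics at once.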
6.1) Sigma Rules
6.2) Yara Rules
6.3) Hunting Queries Tanium
6.4) Hunting Queries Defender XDR
7.) Conclusion and Learning for a Hunter Blue
The XDR system prevented the malware staging on these devices, but it is definitely necessary to check during hunting or initial triage how the malware was staged
-> in this case it was an infected USB device shared within the company, showcasing how fruitful timeline analysis can be and that it should be used in such cases -> it is essential.