Hunter-Case-02 - Tangerine Turkey worm and DLL Hijacking
- DLL Hijacking Order
1.) Information
Hunter Blue's day started with another interesting case: a USB worm installation on customer devices, alerted by the SOC department, which we also hunted through our monthly Threat Hunting Service.
Threat actors involved in cryptomining malware distribution leverage quite curious techniques: in this case they abuse printui.exe to run a cryptominer.
The attack chain was prevented by the XDR system, but there are some essential things you should know in order to investigate it the right way.
Investigate the initial entry and the execution first, then search through the logs with these IoCs / IoAs to find the right artifacts for threat hunting.
1.1) Information Links and Research
Threat Intel Information: https://redcanary.com/blog/threat-intelligence/tangerine-turkey/
IR Teammate Tweet: https://x.com/malmoeb/status/1679429864527413248
Threat hunting for executions from uncommon file paths: https://www.socinvestigation.com/detections-of-malware-execution-from-unusual-directories/
Threat post by Oleg: https://www.knowyouradversary.ru/2025/01/026-threat-actors-abuse-printuiexe-for.html
Recommendations for USB Devices in your company: https://connectivitycenter.com/11-best-practices-for-securing-usb-devices-on-a-network/
Profiling System32 binaries to detect DLL Search Order Hijacking: https://redcanary.com/blog/threat-detection/system32-binaries/
2.) Attack Chain

3.) Initial Access

Checking for buzzwords in the timeline for USB connected events:
USBSTOR
USBSTOR.SYS
Plug and Play device
Generic Flash Disk
USB Device
Registry: HKLM\System\CurrentControlSet\Services\USBSTOR
USB device plugged in by different users using the same shared USB drive
My teammate talked about infected USB sticks before [1]. The XDR on a customer site picked up malicious behavior, including the commands below.
D: -> the USB device seen in the USB connected timeline -> "Initial entry point was a USB device shared by different employees"
The script then:
creates a new folder whose name carries a trailing space (mkdir "\\?\C:\Windows \System32"),
abuses xcopy to copy printui.exe into it (xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y),
copies the malicious DAT file into it (xcopy "x<6-DIGIT-Number>.dat" "%SystemDrive%\Windows \System32" /Y),
renames this DAT file (ren "%SystemDrive%\Windows \System32\x<6-DIGIT-Number>.dat" "printui.dll"),
and executes printui.exe from the fake System32 folder for DLL search order hijacking (start "" "%SystemDrive%\Windows \System32\printui.exe"):
#wscript.exe executed a script
#VBScript file executed from a folder named rootdir on a USB drive
wscript.exe "D:\rootdir\x<6-DIGIT-Number>.vbs"
#the script executes a BAT file from the same location
#BAT file with a naming convention similar to the VBScript file
#executed via a cmd.exe child process of wscript.exe
cmd.exe /c ""D:\rootdir\x<6-DIGIT-Number>.bat" "
#xcopy.exe created the file printui.exe in the fake System32 folder
xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y
#xcopy.exe copied the DAT file into the fake System32 folder
xcopy "x<6-DIGIT-Number>.dat" "C:\Windows \System32" /Y
#cmd.exe then renamed (moved) the DAT file to printui.dll with the ren command described above
This behavior aligns with the tactics described in the Red Canary blog post:
Threat Intel Information: https://redcanary.com/blog/threat-intelligence/tangerine-turkey/
The USB stick was plugged into three different devices, resulting in alerts on these hosts.
As pointed out in the beginning, alerts from malicious USB sticks are common, and one must also raise awareness amongst users about the dangers of malicious code on USB sticks.
3.2) Infection execution commands
This pseudo detection analytic identifies instances of printui.exe relocated outside of Windows\System32.

4.) Finding through Threat Hunting
We hunted through the data lake logs of the whole infrastructure and, yes, you guessed it right: we found other hosts executing the same chain from this USB device.
Hunting for DLL Search Order Hijacking
#The following is a list of 114 System32 binaries which were also
#identified as being abused with this technique
alg.exe
applicationframehost.exe
applysettingstemplatecatalog.exe
bde.exe
bdechangepin.exe
bdeuisrv.exe
bdeunlock.exe
bitlockerwizard.exe
changepk.exe
cloudnotifications.exe
compmgmtlauncher.exe
computerdefaults.exe
conhost.exe
consent.exe
credwiz.exe
cscunpintool.exe
ctfmon.exe
cttune.exe
dccw.exe
ddodiag.exe
devicepairingwizard.exe
dfsvc.exe
dialer.exe
diskpart.exe
dism.exe
dmnotificationbroker.exe
dpapimig.exe
dpnsvr.exe
dvdplay.exe
dxgiadaptercache.exe
dxpserver.exe
easeofaccessdialog.exe
ehstorauthn.exe
eudcedit.exe
eventvwr.exe
filehistory.exe
fontdrvhost.exe
fvenotify.exe
fveprompt.exe
gamepanel.exe
genvalobj.exe
gfxdownloadwrapper.exe
hvax64.exe
hvix64.exe
ie4ushowie.exe
isoburn.exe
licensingui.exe
logoff.exe
lpksetup.exe
mdeserver.exe
mdmagent.exe
mdmappinstaller.exe
mfpmp.exe
mousocoreworker.exe
msdt.exe
msra.exe
musnotificationux.exe
netplwiz.exe
netsupport.exe
nltest.exe
node-renamed.exe
odbcad32.exe
omadmclient.exe
optionalfeatures.exe
passwordonwakesettingflyout.exe
perfmon.exe
presentationsettings.exe
printfilterpipelinesvc.exe
proximityuxhost.exe
quickassist.exe
rasphone.exe
rdpclip.exe
rdpinput.exe
rdpsa.exe
rdpsauachelper.exe
rdvghelper.exe
recdisc.exe
recoverydrive.exe
regedt32.exe
rrinstaller.exe
rstrui.exe
rurat.exe
sdiagnhost.exe
securityhealthsystray.exe
sessionmsg.exe
shrpubw.exe
sihost.exe
sppextcomobj.exe
sppsvc.exe
susp-dir.exe
sysreseterr.exe
systempropertiesadvanced.exe
systempropertiescomputername.exe
systempropertiesdataexecutionprevention.exe
systempropertieshardware.exe
systempropertiesperformance.exe
systempropertiesprotection.exe
systempropertiesremote.exe
systemreset.exe
systemsettingsremovedevice.exe
tabcal.exe
tpminit.exe
ttdinject.exe
tttracer.exe
upfc.exe
upgraderesultsui.exe
usocoreworker.exe
vmcompute.exe
wfs.exe
windowsactiondialog.exe
wlrmdr.exe
wmpdmc.exe
wpcmon.exe
wsatconfig.exe
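The profiling idea behind the list above (every one of these System32 binaries has exactly one legitimate home directory) can be turned into a hunt over process-creation events. The following is an added example, not code from the original write-up or from Red Canary; it runs over constructed sample events with a folder and a file name, uses a small subset of the list (the full list can be dropped into WATCHLIST), and assumes that C:\Windows\System32 and C:\Windows\SysWOW64 are the only expected directories. It deliberately keeps trailing spaces in the directory name so that the "C:\Windows \System32" look-alike does not collapse into the legitimate path.

```python
"""Hunt for System32 binaries executing from outside their expected directory.

Added example for section 4 (not from the original post). Each binary on the
watchlist should only ever start from System32 or SysWOW64; anything else,
including the look-alike directory "C:\\Windows \\System32", is flagged.
"""

# Subset of the 114 binaries listed above; extend as needed.
WATCHLIST = {"printui.exe", "conhost.exe", "eventvwr.exe", "dism.exe", "msdt.exe"}

# Assumption: these are the only directories the watchlisted binaries run from.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def canonical_dir(folder_path):
    """Lower-case the directory and drop the \\\\?\\ long-path prefix.

    Trailing spaces are kept on purpose: "C:\\Windows \\System32" must stay
    distinct from the genuine "C:\\Windows\\System32".
    """
    p = folder_path[4:] if folder_path.startswith("\\\\?\\") else folder_path
    return p.rstrip("\\").lower()


def is_relocated(folder_path, file_name):
    """True when a watchlisted binary starts from a non-expected directory."""
    if file_name.lower() not in WATCHLIST:
        return False
    return canonical_dir(folder_path) not in EXPECTED_DIRS


def hunt(events):
    """Return the events whose watchlisted binary started outside its home directory."""
    return [e for e in events if is_relocated(e["FolderPath"], e["FileName"])]


# Constructed sample events (directory and file name kept separate for clarity).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FolderPath": r"C:\Windows\System32", "FileName": "printui.exe",
     "InitiatingProcessFileName": "explorer.exe"},                      # legitimate
    {"DeviceName": "ws01", "FolderPath": r"C:\Windows \System32", "FileName": "printui.exe",
     "InitiatingProcessFileName": "cmd.exe"},                           # trailing-space look-alike
    {"DeviceName": "ws02", "FolderPath": r"C:\Windows\SysWOW64", "FileName": "conhost.exe",
     "InitiatingProcessFileName": "svchost.exe"},                       # legitimate 32-bit copy
    {"DeviceName": "ws03", "FolderPath": r"C:\Users\Public", "FileName": "eventvwr.exe",
     "InitiatingProcessFileName": "powershell.exe"},                    # relocated binary
    {"DeviceName": "ws03", "FolderPath": r"C:\Users\Public", "FileName": "notepad.exe",
     "InitiatingProcessFileName": "explorer.exe"},                      # not on the watchlist
]

if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print(f'{e["DeviceName"]}: {e["FileName"]} started from {e["FolderPath"]} '
              f'(parent {e["InitiatingProcessFileName"]})')
```

The only design decision that matters here is in canonical_dir: a comparison that trims whitespace before matching would quietly accept the attacker's directory as System32, so the function trims only the trailing backslash.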
5.) Mitigation
The initial breach may occur via infected USB devices or also via email attachments.
Email Policy Limitation:
Limit email attachments to known and legitimate file types (whitelisting, not blacklisting) on the email gateway.
USB Policy Limitation:
Limiting the usage of USB devices within an organization helps reduce the risks associated with unknown hardware connected via USB ports on computers.
Establishing policies regarding the acceptable use of USB drives by employees within an organization helps ensure compliance with industry standards.
Awareness Trainings:
Awareness training is therefore essential in your company, to teach your users in an easy way how such malicious operations are executed (run some fun awareness campaigns so that your users learn something, and do not blame them, as they do not know these attacks ;) ).
Disable USB Devices:
Disabling USB ports prevents unknown devices from connecting directly to a computer’s port
Disable Autorun:
Disabling autorun settings can help reduce potential risks posed by malicious programs embedded in files stored on an external drive or transferred over the internet via email attachments or downloads from untrusted sources
Monitoring the Access:
To prevent unauthorized access to your network via a USB device, it is important to monitor who has access.
System and Prevention Configuration:
Attack Surface Reduction rules for applications, to break the execution chain of malicious files.
Application Control (WDAC / App Control for Business) to block malicious executions.
Exercise Caution: Only download and open files from trusted and verified sources.
Check File Extensions: Ensure files have appropriate extensions before opening (.zip files, dat files, vbs files).
Report Suspicious Activity: If you encounter unexpected files or activities, report them immediately for further investigation.
6.) Detection and Hunting
Look for suspicious VBS file executions from USB drives, for example via WScript.exe
Look for the creation of system folders with a trailing space (e.g. "Windows ")
Look for copying of system binaries to suspicious locations
Threat hunting for executions from uncommon file paths: https://www.socinvestigation.com/detections-of-malware-execution-from-unusual-directories/
Look for printui.exe executions from unexpected locations
Look for renaming of DAT files to DLL files
My colleague from the Incident Response team also explained it in his post: https://x.com/malmoeb/status/1679429864527413248 if you want to check how such commands are misused by threat actors.
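The hunting points above (script host started from a USB drive, system folder created with a trailing space, system binary copied to a suspicious location, DAT renamed to DLL, printui.exe started from an unexpected location) map one-to-one onto the command lines from section 3. The block below is an added example, not code from the original write-up: it parses a constructed list of command lines in the order they ran and emits a finding for each stage of the chain. It assumes that C: is the only fixed disk (any other drive letter is treated as removable media), and the six-digit part of the file names is a placeholder, not a real indicator.

```python
"""Stage-by-stage detection of the printui.exe staging chain from command lines.

Added example for sections 3 and 6, not from the original post. Input is a
list of observed command lines (process creation or script logging output).
"""
import re

SYSTEM_DIRS = {"windows", "system32", "syswow64"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FIXED_DRIVES = {"c:"}  # assumption: every other drive letter is removable media


def tokens(cmdline):
    """Split a cmd.exe style command line, keeping quoted paths as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def strip_long_prefix(path):
    """Drop the \\\\?\\ prefix. That prefix makes Win32 skip path normalisation,
    which is what lets a directory named "Windows " (trailing space) be created."""
    return path[4:] if path.startswith("\\\\?\\") else path


def lookalike_components(path):
    """Components that equal a Windows system directory name only after trailing
    spaces and dots are trimmed, e.g. "Windows " -> "windows"."""
    hits = []
    for comp in strip_long_prefix(path).split("\\"):
        trimmed = comp.rstrip(" .").lower()
        if trimmed in SYSTEM_DIRS and trimmed != comp.lower():
            hits.append(comp)
    return hits


def is_genuine_system32(path):
    """True when the file lives in the real System32 or SysWOW64 directory."""
    parent = strip_long_prefix(path).rsplit("\\", 1)[0].lower()
    return parent in {r"c:\windows\system32", r"c:\windows\syswow64"}


def removable_path(token):
    m = re.match(r"([A-Za-z]:)\\", token)
    return bool(m) and m.group(1).lower() not in FIXED_DRIVES


def analyse(cmdlines):
    """Return (stage, command line) findings in the order the commands ran."""
    findings = []
    for cmd in cmdlines:
        toks = tokens(cmd)
        if not toks:
            continue
        exe, args = toks[0].rsplit("\\", 1)[-1].lower(), toks[1:]
        if exe in SCRIPT_HOSTS | {"cmd.exe"} and any(removable_path(a) for a in args):
            findings.append(("script-from-removable-drive", cmd))
        elif exe in {"mkdir", "md"} and any(lookalike_components(a) for a in args):
            findings.append(("lookalike-system-dir-created", cmd))
        elif exe == "xcopy":
            paths = [a for a in args if not a.startswith("/")]
            if len(paths) == 2 and lookalike_components(paths[1]):
                stage = ("system-binary-copied-into-lookalike-dir" if is_genuine_system32(paths[0])
                         else "file-copied-into-lookalike-dir")
                findings.append((stage, cmd))
        elif exe == "ren" and len(args) == 2 \
                and args[0].lower().endswith(".dat") and args[1].lower().endswith(".dll"):
            findings.append(("dat-renamed-to-dll", cmd))
        elif exe == "start":
            targets = [a for a in args if a.lower().endswith(".exe")]
            if any(lookalike_components(t) for t in targets):
                findings.append(("binary-started-from-lookalike-dir", cmd))
    return findings


# Constructed command lines reproducing the chain from section 3 (x123456 is a placeholder).
SAMPLE_CHAIN = [
    r'wscript.exe "D:\rootdir\x123456.vbs"',
    r'cmd.exe /c ""D:\rootdir\x123456.bat" "',
    r'mkdir "\\?\C:\Windows \System32"',
    r'xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32" /Y',
    r'xcopy "x123456.dat" "%SystemDrive%\Windows \System32" /Y',
    r'ren "%SystemDrive%\Windows \System32\x123456.dat" "printui.dll"',
    r'start "" "%SystemDrive%\Windows \System32\printui.exe"',
    r'xcopy "C:\Users\alice\report.docx" "D:\backup" /Y',  # benign copy, must not fire
]

if __name__ == "__main__":
    for stage, cmd in analyse(SAMPLE_CHAIN):
        print(f"{stage:40s} {cmd}")
```

Each stage on its own is only a weak signal (xcopy and ren are everyday administration), so in a real hunt the value lies in seeing several of these findings on one host within a short window; the benign xcopy at the end of the sample shows that a copy to a normal directory produces nothing.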
6.1) Sigma Rules
6.2) Yara Rules
6.3) Hunting Queries Tanium
#Query Tanium:
##Check processes with suspicious executions used by threat actors during staging and post-exploitation
#Check for file, process and network connections which are uncommon for your infrastructure
#Mal-Exec-01
Get Trace Executed Processes[unlimited,1738827886581|1738831485581,1,0,100,0,"(?i).*(wscript.exe|attrib.exe|xcopy.exe|7za.exe|7zr.exe|printui.exe).*","","","","",""] from all machines
#Mal-Exec-02
Get Trace File Operations[unlimited,1739284707025|1739288306025,1,0,100,0,"","","(?i).*(wscript.exe|attrib.exe|xcopy.exe|7za.exe|7zr.exe|printui.exe).*","",""] from all machines
#Mal-Exec-03
Get Trace Network Connections[unlimited,1739284847846|1739288446846,1,0,100,0,0,"","","","","(?i).*(wscript.exe|attrib.exe|xcopy.exe|7za.exe|7zr.exe|printui.exe).*","",""] from all machines
6.4) Hunting Queries Defender XDR
//Mal-Exec-01
//Process executions
let MalExecutables=pack_array('wscript.exe', 'xcopy.exe','attrib.exe', '7za.exe', '7zr.exe', 'printui.exe');
DeviceProcessEvents
| where InitiatingProcessFileName has_any (MalExecutables) or FileName has_any (MalExecutables)
//Mal-Exec-02
//Device image load events
let MalExecutables=pack_array('wscript.exe', 'xcopy.exe','attrib.exe', '7za.exe', '7zr.exe', 'printui.exe');
DeviceImageLoadEvents
| where InitiatingProcessFolderPath has_any (MalExecutables)
| project Timestamp,DeviceId, DeviceName,InitiatingProcessAccountUpn, InitiatingProcessAccountName, ActionType,FileName, FolderPath, MD5, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessFileName,InitiatingProcessParentFileName
//Mal-Exec-03
//Checking InitiatingProcessVersionInfoFileDescription
let MalExecutables=pack_array('<check file descriptions from these executables and paste here>');
DeviceImageLoadEvents
| where InitiatingProcessVersionInfoFileDescription has_any (MalExecutables)
| project Timestamp,DeviceId, DeviceName,InitiatingProcessAccountUpn, InitiatingProcessAccountName, ActionType,InitiatingProcessVersionInfoFileDescription, FileName, FolderPath, MD5, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessFileName,InitiatingProcessParentFileName
//| distinct InitiatingProcessVersionInfoFileDescription
//Mal-Exec-04
//Network events from suspicious processes in the command line
let MalExecutables=pack_array('wscript.exe', 'xcopy.exe','attrib.exe', '7za.exe', '7zr.exe', 'printui.exe');
DeviceNetworkEvents
| where InitiatingProcessCommandLine has_any (MalExecutables)
| project Timestamp, DeviceId, DeviceName,InitiatingProcessAccountUpn, InitiatingProcessAccountName, ActionType,RemoteIP,RemotePort ,RemoteUrl ,InitiatingProcessFileName,InitiatingProcessParentFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath
//Mal-Exec-06
//Checking file events from suspicious processes in the command line
let MalExecutables=pack_array('wscript.exe', 'xcopy.exe','attrib.exe', '7za.exe', '7zr.exe', 'printui.exe');
DeviceFileEvents
| where InitiatingProcessCommandLine has_any (MalExecutables)
| project Timestamp,DeviceId, DeviceName,InitiatingProcessAccountUpn, InitiatingProcessAccountName, ActionType,FileName, FolderPath, MD5, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessFileName,InitiatingProcessParentFileName
7.) Conclusion and Learning for a Hunter Blue
The XDR system prevented the malware staging on these devices, but it is definitely necessary to check during hunting or initial triage how the malware was staged
-> in this case it was an infected shared USB device in the company, showcasing how fruitful timeline analysis can be and that it should be used in such cases -> it is essential.