A Warning on the Rise of Cryptomining Malware via Infected USB Devices
Analysts from CyberProof’s Managed Detection and Response (MDR) team recently uncovered a multi-stage malware attack delivered through infected USB devices, a reminder that cryptomining threats remain active in 2025.
Details of the Attack
The campaign used DLL search order hijacking and PowerShell to evade security controls, with the ultimate goal of installing a cryptominer on targeted systems. The malware was linked to previous Zephyr (XMRig) mining activity and was blocked by endpoint detection and response (EDR) tooling at the final stage, that is, after the earlier stages had already executed on the host.
The attack begins with a hidden VBScript (.vbs) file on the USB drive. When a user runs it, it launches a chain of processes that use xcopy.exe to copy files into the Windows System32 directory. Planting the files there is what makes the search order hijack work: a legitimate program resolves a DLL name to the malicious copy, and that DLL then downloads the cryptominer onto the system. Note that writing into System32 requires administrative rights, so the script must be running in an elevated context for this stage to succeed.
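The chain above leaves a recognisable trace in process-creation telemetry: a script host started with a .vbs on a removable drive, and an xcopy.exe whose destination is System32 somewhere beneath it in the process tree. The following PowerShell hunt is an added example written for this page; it is not code from CyberProof or from the report. The function name, the Sysmon-style field names (Image, CommandLine, ProcessId, ParentProcessId), the removable drive letters E: and F:, and the sample events (including the file name start.vbs) are all assumptions constructed for illustration.

```powershell
# Added example, not from the CyberProof report: hunt over Sysmon process-creation
# events (Event ID 1) for "script host with a .vbs on a removable drive" followed by
# "xcopy.exe into System32" lower in the same process tree.
function Find-UsbScriptToSystem32Chain {
    param(
        # One object per event with Image, CommandLine, ProcessId, ParentProcessId
        [Parameter(Mandatory)] [object[]] $Events,
        # Drive letters treated as removable (assumed default for offline use).
        # On a live host: (Get-Volume | Where-Object DriveType -eq 'Removable').DriveLetter
        [string[]] $RemovableDrives = @('E', 'F')
    )

    # Regex for "<removable drive>:\...\something.vbs", case-insensitive
    $vbsOnUsb = '(?i)\b[' + (-join $RemovableDrives) + ']:\\.*\.vbs\b'

    # Index events by PID so we can walk parent chains
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    # Stage 1: wscript/cscript launched with a .vbs that lives on a removable drive
    $stage1 = @{}
    foreach ($e in $Events) {
        $name = (($e.Image -split '\\')[-1]).ToLowerInvariant()
        if (($name -in 'wscript.exe', 'cscript.exe') -and ($e.CommandLine -match $vbsOnUsb)) {
            $stage1[[int]$e.ProcessId] = $e
        }
    }

    # Stage 2: xcopy.exe writing into System32; High if a stage-1 process is an ancestor
    $findings = @()
    foreach ($e in $Events) {
        $name = (($e.Image -split '\\')[-1]).ToLowerInvariant()
        if ($name -ne 'xcopy.exe' -or $e.CommandLine -notmatch '(?i)\\Windows\\System32') { continue }

        # Bounded walk up the parent chain (PIDs get recycled; parents may be missing)
        $ancestor = $null
        $cur = [int]$e.ParentProcessId
        for ($depth = 0; $depth -lt 8 -and $byPid.ContainsKey($cur); $depth++) {
            if ($stage1.ContainsKey($cur)) { $ancestor = $stage1[$cur]; break }
            $cur = [int]$byPid[$cur].ParentProcessId
        }

        $severity  = if ($ancestor) { 'High' } else { 'Medium' }
        $scriptPid = if ($ancestor) { $ancestor.ProcessId } else { $null }
        $scriptCmd = if ($ancestor) { $ancestor.CommandLine } else { $null }
        $findings += [pscustomobject]@{
            Severity  = $severity
            XcopyPid  = $e.ProcessId
            XcopyCmd  = $e.CommandLine
            ScriptPid = $scriptPid
            ScriptCmd = $scriptCmd
        }
    }
    return $findings
}

# Constructed sample (not real telemetry): explorer -> wscript (vbs on E:) -> cmd -> xcopy
# into System32, an unrelated backup xcopy, and an xcopy into System32 with no USB ancestor.
$sample = @(
    @{ ProcessId = 1200; ParentProcessId = 800;  Image = 'C:\Windows\explorer.exe';         CommandLine = 'explorer.exe' },
    @{ ProcessId = 3100; ParentProcessId = 1200; Image = 'C:\Windows\System32\wscript.exe'; CommandLine = 'wscript.exe //B "E:\.drive\start.vbs"' },
    @{ ProcessId = 3150; ParentProcessId = 3100; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c copy.bat' },
    @{ ProcessId = 3200; ParentProcessId = 3150; Image = 'C:\Windows\System32\xcopy.exe';   CommandLine = 'xcopy.exe /H /Y E:\.drive\*.dll C:\Windows\System32\' },
    @{ ProcessId = 4000; ParentProcessId = 1200; Image = 'C:\Windows\System32\xcopy.exe';   CommandLine = 'xcopy.exe C:\Users\alice\Documents D:\Backup /E /I' },
    @{ ProcessId = 5000; ParentProcessId = 4900; Image = 'C:\Windows\System32\xcopy.exe';   CommandLine = 'xcopy.exe C:\Temp\setup\*.dll C:\Windows\System32\ /Y' }
)

# Expected: PID 3200 flagged High (script ancestor 3100), PID 5000 Medium, PID 4000 not listed
Find-UsbScriptToSystem32Chain -Events $sample | Format-Table -AutoSize
```

On a real host, feed the function with objects built from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` by mapping the event's Image, CommandLine, ProcessId and ParentProcessId fields onto the same property names. The Medium finding is deliberate: xcopy into System32 is unusual enough on an end-user workstation to deserve a look even without a USB-launched ancestor, while the High finding is the chain the report describes.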
Global Impact and Response
Similar tactics were observed in an international cryptocurrency mining operation dubbed “Universal Mining,” revealed by Azerbaijan’s CERT in October 2024. CyberProof’s research uncovered that the campaign had spread across multiple countries, including the US, various European nations, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia, and Australia.
That geographic spread underscores that removable media remains a live malware distribution vector rather than a legacy one.
Recommended Security Measures
In light of these findings, organizations are advised to take proactive steps to mitigate the risk of cryptomining attacks via USB devices:
- Disable autorun and autoplay features on all systems
- Implement device control policies to block unsigned executables, and scripts such as the .vbs that starts this chain, from running off USB drives
- Enhance endpoint security with EDR solutions capable of detecting obfuscated scripts
- Safeguard critical system processes like lsass.exe from credential theft attempts, for example by enabling LSA protection (RunAsPPL) or Credential Guard
- Enforce physical security measures, such as restricting or locking USB ports
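The first two items in the list can be enforced host-side with the registry values that the corresponding Group Policy settings write. The script below is an added example for this page, not code from CyberProof; it applies and then verifies those values. It must be run in an elevated PowerShell on Windows. The value names and the "Removable Disks" class GUID are the policy keys as the author of this example knows them and should be confirmed against your own GPO baseline; the function names are assumptions.

```powershell
# Added example, not from the CyberProof advisory: apply and verify AutoRun/AutoPlay
# off and "Removable Disks: Deny execute access" via the policy registry values.
# Requires an elevated PowerShell on Windows.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Removable Storage Access policy container; the GUID is the "Removable Disks" class
# (assumed here from the documented policy; confirm against your GPO baseline)
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

$UsbBaseline = @(
    # 0xFF: AutoRun disabled for every drive type ("Turn off AutoPlay: All drives")
    @{ Path = $ExplorerPolicy; Name = 'NoDriveTypeAutoRun';     Value = 0xFF },
    # Never honour autorun.inf ("Set the default behavior for AutoRun: Do not execute any autorun commands")
    @{ Path = $ExplorerPolicy; Name = 'NoAutorun';              Value = 1 },
    # Also suppress AutoPlay for non-volume devices such as MTP/PTP phones and cameras
    @{ Path = $ExplorerPolicy; Name = 'NoAutoplayfornonVolume'; Value = 1 },
    # "Removable Disks: Deny execute access": executables on removable disks cannot be launched
    @{ Path = $RemovableDisks; Name = 'Deny_Execute';           Value = 1 }
)

function Set-UsbBaseline {
    # Creates the policy keys if missing and writes each value as a DWORD
    foreach ($item in $UsbBaseline) {
        if (-not (Test-Path $item.Path)) { New-Item -Path $item.Path -Force | Out-Null }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value -PropertyType DWord -Force | Out-Null
    }
}

function Test-UsbBaseline {
    # One row per setting; Compliant is $false when the value is missing or wrong
    foreach ($item in $UsbBaseline) {
        $actual = $null
        if (Test-Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Setting   = $item.Name
            Expected  = $item.Value
            Actual    = $actual
            Compliant = ($actual -eq $item.Value)
        }
    }
}

# Usage (elevated): apply, then report. Run Test-UsbBaseline alone to audit without changing anything.
Set-UsbBaseline
Test-UsbBaseline | Format-Table -AutoSize
```

One caveat worth knowing before relying on Deny_Execute alone: it denies execute access to binaries on the removable disk, but a .vbs is opened as data by wscript.exe, which lives in System32, so the first stage of this particular chain is not covered by it. Pair it with an AppLocker or WDAC script rule that denies script hosts running content from removable drives, and with the EDR and physical controls listed above.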
Conclusion
CyberProof emphasizes that organizations without stringent USB policies remain exposed not only to cryptominer infections but also to insider threats that could lead to more severe breaches: the same unmanaged port that brings in a miner can carry a more damaging payload or carry data out. Awareness and the controls above are what close that gap.

