Cybercriminals Exploit USB Drives to Spread CoinMiner Malware in South Korea
In a concerning development, cybercriminals are actively distributing CoinMiner malware via USB drives, specifically targeting workstations across South Korea to illicitly mine Monero cryptocurrency. This campaign employs deceptive shortcut files and concealed folders to trick users into unknowingly executing malicious scripts.
Infection Mechanism:
The malware conceals itself within a folder named sysvolume on the infected USB drives, presenting only a shortcut file labeled USB Drive.lnk to the user. When this shortcut is clicked, it initiates a series of malicious operations while simultaneously opening a folder containing the user’s original files, thereby maintaining the illusion of normalcy and making detection challenging.
Security researchers at AhnLab Security Intelligence Center (ASEC) have identified this malware strain during their ongoing analysis of USB-based threats. The attackers have refined their techniques since earlier versions documented in February 2025, with Mandiant categorizing these threats as DIRTYBULK and CUTFAIL in their July 2025 report.
Technical Details:
The infection process begins when the user executes the deceptive shortcut file, which runs a VBS script with a randomly generated filename, such as u566387.vbs. This script then triggers a BAT file that performs several critical operations, including:
– Adding Windows Defender exclusion paths to evade detection.
– Creating a folder named C:\Windows \System32\ (note the trailing space after "Windows"), so that the path passes for the genuine system directory and further avoids detection.
The BAT script copies and renames the dropper malware as printui.dll and loads it through the legitimate printui.exe program.
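The three host-side indicators described above (a .lnk decoy beside a hidden sysvolume folder at a USB root, a system path with a trailing space, and printui.dll outside its real location) can be checked from a file inventory. The Python triage script below is an added example written for this page, not ASEC's or Mandiant's tooling; the inventory entries are constructed sample paths, and the legitimate printui.dll directories are assumed to be System32 and SysWOW64.

```python
import ntpath

# Constructed sample inventory (not from a real host): (path, is_dir, is_hidden).
SAMPLE_FS = [
    (r"E:\USB Drive.lnk", False, False),                  # decoy shortcut at USB root
    (r"E:\sysvolume", True, True),                        # hidden folder holding the loader
    (r"E:\sysvolume\u566387.vbs", False, True),
    (r"C:\Windows \System32", True, False),               # note the space after "Windows"
    (r"C:\Windows \System32\printui.dll", False, False),  # renamed dropper
    (r"C:\Windows \System32\printui.exe", False, False),  # copied legitimate host binary
    (r"C:\Windows\System32\printui.dll", False, False),   # genuine system DLL, benign
]

# Assumed legitimate homes of printui.dll; anywhere else is treated as a side-load.
LEGIT_PRINTUI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def find_trailing_space_dirs(entries):
    """Directory prefixes whose last component ends in whitespace; Win32 normally strips these."""
    hits = set()
    for path, is_dir, _ in entries:
        parts = path.split("\\")
        for i, part in enumerate(parts if is_dir else parts[:-1]):  # skip file names
            if part and part != part.rstrip():
                hits.add("\\".join(parts[: i + 1]))
    return sorted(hits)

def find_sideloaded_printui(entries):
    """printui.dll located outside its assumed legitimate directories."""
    return sorted(
        path for path, is_dir, _ in entries
        if not is_dir and ntpath.basename(path).lower() == "printui.dll"
        and ntpath.dirname(path).lower() not in LEGIT_PRINTUI_DIRS
    )

def find_usb_decoys(entries):
    """Drives whose root holds a hidden 'sysvolume' folder next to a .lnk decoy."""
    root_items = {}
    for path, is_dir, hidden in entries:
        drive, rest = ntpath.splitdrive(path)
        name = rest.strip("\\")
        if name and "\\" not in name:  # root-level entries only
            root_items.setdefault(drive.upper(), []).append((name, is_dir, hidden))
    findings = []
    for drive, items in sorted(root_items.items()):
        has_sysvolume = any(n.lower() == "sysvolume" and d and h for n, d, h in items)
        decoys = sorted(n for n, d, _ in items if not d and n.lower().endswith(".lnk"))
        if has_sysvolume and decoys:
            findings.append((drive, decoys))
    return findings
```

Run each function over a real inventory (for example the output of a recursive directory listing converted to the same tuples) to flag hosts for closer review; a trailing-space folder under C:\ alone is worth investigating even without the other indicators.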
Persistence and Evasion Tactics:
The dropper component establishes persistence by registering a DLL with the DcomLaunch service. Once registered, the malware, designated as PrintMiner, adjusts system power settings to prevent sleep mode and communicates with command-and-control servers to download encrypted payloads. The decrypted files include XMRig, a popular cryptocurrency mining tool, configured to mine Monero using the following parameters:
```
-o r2.hashpoolpx[.]net:443 --tls --max-cpu-usage=50
```
The malware monitors running processes and terminates XMRig when users launch games or process monitoring tools like Process Explorer, Task Manager, and System Informer. This evasion technique helps the miner avoid detection while reducing performance impacts that might alert users.
Broader Context:
USB-based attacks remain effective when combined with social engineering tactics. This campaign underscores the importance of user vigilance and the need for robust cybersecurity measures to prevent such infections.