CoinMiner Malware Distributed via USB

Overview

AhnLab SEcurity intelligence Center (ASEC) has recently identified a case in which cryptocurrency-mining malware was being distributed via USB in South Korea. Lately, malware that mines cryptocurrencies by using PC resources without the user's consent has been actively distributed as cryptocurrency prices surge. While cryptocurrency mining itself is not illegal, installing a mining program that degrades system performance without the user's permission can be considered illegal. In the identified case, Monero-mining malware distributed via USB was found. The threat actor manipulated the victim's system settings to add an exception to Windows Defender, disable Hypervisor-Protected Code Integrity (HVCI), and change the system's power management. These changes optimize the PC for mining and evade detection by security solutions. The attack also involved C&C communication through a PostgreSQL database and execution of the malware via DLL sideloading to bypass detection. In particular, the infection spread rapidly through its automatic USB propagation feature. The threat actor exploited the CPU and GPU resources of infected systems without permission and, as of February 6, 2025, was generating over 1 million won in profit per day. (https://xmr.nanopool.org/account/8B9w28VLcpJhvGywhcqocd1uzH7QPpNw6izkWwBtgkqscwV4joMAAGPJ2xDM6k27bvH1WWkNa254eG3xAjFaWxaAFiXjZLg)

Figure 1. Status of profits made by threat actors through cryptocurrency-mining malware

Analysis

The overall attack flow is shown in Figure 2 below.

1) Malware executed through shortcut file
2) Downloader registers and executes service
3) System settings are changed
4) C&C communication is performed using PostgreSQL DB
5) CoinMiner is downloaded and executed
6) USB propagation

Figure 2. Operation flow of cryptocurrency-mining malware propagated via USB

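As an added example that is not code from the ASEC report, the following PowerShell audit checks a Windows host for the three setting changes described above (a Windows Defender exclusion, HVCI switched off, hibernation disabled) and, for the USB propagation stage, lists shortcut files sitting in the root of removable drives. The function name is my own; the registry paths and CIM classes are the standard Windows ones.

```powershell
# Added example (not code from the ASEC report). Run from an elevated PowerShell
# session; returns one string per finding, or an empty array when none are found.
function Get-MinerSettingFindings {
    $findings = @()

    # 1) Windows Defender exclusions: the report says the miner added one so its
    #    files are never scanned. Any exclusion on an unmanaged host deserves review.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p) { $findings += "Defender exclusion present: $p" }
    }

    # 2) HVCI (Memory Integrity). Win32_DeviceGuard lists 2 in SecurityServicesRunning
    #    while HVCI is active; Enabled=0 under DeviceGuard\Scenarios is the
    #    persistent policy switch used to turn it off.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and -not (@($dg.SecurityServicesRunning) -contains 2)) {
        $findings += 'HVCI is not running'
    }
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvci = Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue
    if ($hvci -and $hvci.Enabled -eq 0) { $findings += 'HVCI disabled by registry policy' }

    # 3) Power management: hibernation turned off keeps the host awake for mining.
    $pw = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                           -Name HibernateEnabled -ErrorAction SilentlyContinue
    if ($pw -and $pw.HibernateEnabled -eq 0) { $findings += 'Hibernation disabled (HibernateEnabled=0)' }

    # 4) USB propagation stage: a shortcut file in the root of a removable drive
    #    (DriveType 2) is the lure from step 1 of the flow in Figure 2.
    foreach ($vol in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
        $lnks = Get-ChildItem -Path "$($vol.DeviceID)\" -Filter '*.lnk' -File -ErrorAction SilentlyContinue
        foreach ($l in $lnks) { $findings += "Shortcut in removable drive root: $($l.FullName)" }
    }

    return ,$findings
}

Get-MinerSettingFindings
```

A finding here is a prompt to investigate, not proof of infection; legitimate software also registers Defender exclusions, and some hardware cannot run HVCI at all.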
Conclusion

The cryptocurrency-mining malware identified in this case showed characteristics that maximize infection persistence: propagation via USB, modification of system settings, and security bypass techniques. In particular, it actively employed C&C communication through a PostgreSQL database, execution via DLL sideloading, detection evasion through Windows Defender exclusion settings, and disabling of hibernation to optimize mining performance, and in doing so successfully evaded detection by security solutions.

Additionally, the malware has spread to a large number of unspecified victims through USB propagation and utilizes the CPU and GPU resources of infected systems without authorization to generate continuous profits for the threat actor. Users must keep their security programs such as anti-malware solutions up-to-date to prevent such attacks.

This report from AhnLab TIP provides an analysis of the entire attack flow described in Figure 2, the remote database address and account credentials set up by the threat actor, and details of the data exchanged with the PostgreSQL DB server.
