From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations
Oct. 29, 2025, 8:19 p.m.
Description
Tangerine Turkey is a cryptomining campaign that uses VBScript worms to spread via USB drives, leveraging living-off-the-land binaries for execution and persistence. The group employs defense evasion techniques by modifying registry keys and masquerading malicious binaries as legitimate system files. Their primary goal is financial gain through unauthorized cryptocurrency mining. The malware creates a mock directory to hide its activity, establishes persistence through malicious services and scheduled tasks, and attempts to disable Windows Defender. While currently focused on cryptomining, the actor's ability to achieve persistence and move laterally poses broader security risks.
Date
- Created: Oct. 29, 2025, 6:37 p.m.
- Published: Oct. 29, 2025, 6:37 p.m.
- Modified: Oct. 29, 2025, 8:19 p.m.
Indicators
- 93d74ed188756507c6480717330365cede4884e98aeb43b38d707ed0b98da7cc
- 4ffb3c0c7b38105183fb06d1084ab943c6e87f9644f783014684c5cb8db32e32
- 4617cfd1e66aab547770f049abd937b46c4722ee33bbf97042aab77331aa6525