
    DIRTYBULK USB Malware Powers Coinmining Campaigns

    The report details a USB-driven infection campaign that uses malicious shortcut (.lnk) files to deliver a multi-stage malware chain for cryptocurrency mining. Initial execution side-loads a DLL named printui.dll from a fake System32 directory, which hands off to a dropper (CUTFAIL); the dropper in turn deploys a downloader (HIGHREPS) and a backdoor (PUMPBENCH). PUMPBENCH communicates with a PostgreSQL server to fetch additional payloads and ultimately launches XMRig miners. The operation maintains persistence through Windows Defender exclusions, scheduled tasks, and rogue services.

    Mandiant researchers deconstructed the kill chain and highlighted four core malware families: DIRTYBULK, CUTFAIL, HIGHREPS, and PUMPBENCH. They captured the actors’ file naming patterns, the DLL side-loading abuse of printui.dll, registry changes, and associated network indicators. The analysis also charted persistence techniques, including scheduled tasks and services linked to the DCOMLaunch Service Group.

    Recommended defenses include blocking execution of shortcut files originating from removable media, monitoring for commands that add Windows Defender exclusions, detecting suspicious printui.dll side-loading activity, and hunting for services or scheduled tasks that use random six-digit names. Applying network controls against known malicious domains and DoH resolvers can further limit command-and-control channels.

    Once detected, isolate the impacted host, remove the malicious DLL and related components, delete the offending scheduled task and service entries, and restore Windows Defender settings by clearing the added exclusions. Perform comprehensive forensic scanning to uncover residual payloads and track connections to the identified PostgreSQL C2 infrastructure. Finally, update detection content to cover the observed command-line usage and file creation behaviors.
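    As an added example, not code from the report or from Mandiant, the four hunts in the defensive guidance above (shortcuts launched from removable media, Defender exclusion commands, printui.dll loaded from outside its legitimate directory, services and tasks with six-digit names) and the detection-content update the response steps close with, written as rules run over a handful of constructed Sysmon-like events. The event schema, the sample events, the removable-drive list passed to the hunt, and the printui.exe host binary in the sample are all assumptions made for illustration.

```python
"""Hunt constructed Windows telemetry for the DIRTYBULK chain's observable behaviours.

Added example, not code from the report. The event schema (kind, image,
image_loaded, command_line, name) is an assumed, Sysmon-like normalisation,
and every event in SAMPLE_EVENTS is constructed for illustration.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str]

# Where printui.dll legitimately lives; a load from anywhere else is side-loading.
LEGIT_PRINTUI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Add-MpPreference / Set-MpPreference with any -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.IGNORECASE
)

# Service or task names made of exactly six digits, the pattern the report notes.
SIX_DIGIT_NAME_RE = re.compile(r"^\d{6}$")

# .lnk paths on a command line, quoted or bare.
LNK_TOKEN_RE = re.compile(r'"[^"]+\.lnk"|\S+\.lnk', re.IGNORECASE)


def _parent_dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def _drive(path: str) -> str:
    return ntpath.splitdrive(path)[0].upper()


def hunt(events: Iterable[Event], removable_drives: Iterable[str] = ()) -> List[Hit]:
    """Return (rule, evidence) pairs for every event that trips one of the hunts.

    removable_drives lists drive letters ("E:") the caller knows are removable;
    the telemetry itself carries no drive type, so this is an assumed input.
    """
    removable = {d.upper().rstrip("\\") for d in removable_drives}
    hits: List[Hit] = []
    for ev in events:
        kind = ev.get("kind", "")
        if kind == "image_load":
            loaded = ev.get("image_loaded", "")
            if (ntpath.basename(loaded).lower() == "printui.dll"
                    and _parent_dir(loaded) not in LEGIT_PRINTUI_DIRS):
                hits.append(("printui_sideload", f"{ev.get('image', '?')} loaded {loaded}"))
        elif kind == "process_create":
            cmd = ev.get("command_line", "")
            if DEFENDER_EXCLUSION_RE.search(cmd):
                hits.append(("defender_exclusion", cmd))
            if any(_drive(t.strip('"')) in removable for t in LNK_TOKEN_RE.findall(cmd)):
                hits.append(("removable_lnk", cmd))
        elif kind in ("service_install", "task_create"):
            name = ev.get("name", "")
            if SIX_DIGIT_NAME_RE.match(name):
                hits.append((f"six_digit_{kind}", name))
    return hits


# Constructed telemetry: a benign and a suspicious event for each behaviour.
SAMPLE_EVENTS: List[Event] = [
    {"kind": "process_create", "image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\explorer.exe" E:\Photos.lnk'},
    # Host binary name is assumed; the report names only the side-loaded DLL.
    {"kind": "image_load", "image": r"E:\System32\printui.exe",
     "image_loaded": r"E:\System32\printui.dll"},
    {"kind": "image_load", "image": r"C:\Windows\System32\printui.exe",
     "image_loaded": r"C:\Windows\System32\printui.dll"},
    {"kind": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\ProgramData\Updater"},
    {"kind": "service_install", "name": "483920"},
    {"kind": "task_create", "name": "Adobe Acrobat Update Task"},
    {"kind": "task_create", "name": "120571"},
]


def run_sample() -> List[Hit]:
    """Run the hunts over SAMPLE_EVENTS, treating E: as the removable drive."""
    return hunt(SAMPLE_EVENTS, removable_drives=["E:"])


if __name__ == "__main__":
    for rule, evidence in run_sample():
        print(f"{rule:<28} {evidence}")
```

    The printui.dll rule keys on the load path rather than the file hash, because the side-loaded DLL is the attacker's own file and its hash will change; the legitimate locations are the only stable fact. The removable-media rule needs drive type from outside the event stream (removable_drives), since process-creation telemetry alone does not say whether E: is a USB stick, so in production that input should come from the endpoint's volume inventory.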

