Mandiant’s Managed Threat Defense team has released a detailed analysis of a rapidly spreading USB-based malware campaign that weaponizes removable drives to install coinminers, backdoors, and stealthy loaders. First observed in September 2024, the campaign highlights how attackers continue to exploit simple, low-cost infection vectors to bypass enterprise defenses.
The attack begins when a user opens a seemingly harmless shortcut file, such as USB Drive.lnk, which silently runs a Visual Basic script. That script launches a batch file that creates a deceptive directory, Windows<space>\System32: a folder named "Windows " with a trailing space, containing a System32 subfolder, whose path visually mimics the legitimate Windows system folder.
From there, the attackers abuse DLL side-loading to launch DIRTYBULK, a C++ loader that avoids user-mode API hooks and drops the second-stage malware CUTFAIL.
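The Windows<space>\System32 trick relies on a folder name that differs from the real one only by a trailing space, something Win32 path normalisation would ordinarily strip, so such a name on disk is itself a red flag. The Python below is an added example, not code from the Mandiant report or from the malware, showing how a detection script can flag lookalike components in a path. The list of protected folder names is an assumption for illustration.

```python
"""
Flag directory components that mimic a trusted Windows location but differ
from it by leading/trailing whitespace or trailing dots, e.g. "C:\Windows \System32".
Added example; PROTECTED_NAMES is an assumed list, not taken from the report.
"""
import ntpath

# Folder names worth protecting against lookalikes (assumption for the example).
PROTECTED_NAMES = {
    "windows", "system32", "syswow64", "program files", "program files (x86)",
}


def split_components(path: str) -> list[str]:
    """Split a Windows path into components, preserving any whitespace or
    dots so that "Windows " and "Windows" remain distinguishable."""
    _drive, rest = ntpath.splitdrive(path)
    return [c for c in rest.replace("/", "\\").split("\\") if c]


def lookalike_components(path: str) -> list[tuple[str, str]]:
    """Return (suspicious_component, mimicked_name) pairs.

    Win32 normalisation strips trailing spaces and dots from path components,
    so a stored folder name like "Windows " or "System32." can only exist if it
    was created through a route that bypasses that normalisation. Any component
    that is not byte-for-byte a protected name but collapses to one after
    stripping surrounding spaces and trailing dots is reported."""
    hits: list[tuple[str, str]] = []
    for comp in split_components(path):
        stripped = comp.strip(" ").rstrip(".")
        if stripped != comp and stripped.casefold() in PROTECTED_NAMES:
            hits.append((comp, stripped))
    return hits


def is_lookalike_system_path(path: str) -> bool:
    """True if any component of the path impersonates a protected folder."""
    return bool(lookalike_components(path))


if __name__ == "__main__":
    # Constructed sample paths; only the first two are lookalikes.
    for p in [
        r"C:\Windows \System32\printui.exe",
        r"C:\Windows\System32.\helper.dll",
        r"C:\Windows\System32\printui.exe",
        r"E:\USB Drive.lnk",
    ]:
        print(f"{is_lookalike_system_path(p)!s:5} {lookalike_components(p)} {p}")
```

Unicode confusables (for example a Cyrillic letter in "Windows") are a separate problem that this check does not cover; it targets the whitespace/dot variant the campaign uses.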
Mandiant explains:
“DIRTYBULK loads and maps CUTFAIL into printui.exe process space using Windows Native APIs instead of higher-level Win32 APIs… This technique not only enables malware to bypass hooks on standard Win32 API calls being monitored by security software, but it also provides stealth.”
Once deployed, CUTFAIL acts as the orchestrator of the infection. It installs additional components, drops configuration files, and keeps Microsoft Defender from scanning its working folders by adding exclusions.
“CUTFAIL creates a PowerShell process to add a Windows Defender exclusion list… instructing Windows Defender to not scan the files and subfolders within its operating folder locations.”

The malware also establishes persistence by creating rogue Windows services that are registered under legitimate service groups such as DcomLaunch, so they blend in with built-in services.
The chain culminates with HIGHREPS, a downloader that maintains persistence through scheduled tasks, and PUMPBENCH, a C++ backdoor that uses connections to PostgreSQL databases for command and control.
PUMPBENCH supports file execution, process enumeration, and host reconnaissance, and downloads XMRig miners that consume the host's CPU to mine cryptocurrency.
Mandiant observed PUMPBENCH retrieving miners configured to mine Monero, Zephyr, and other cryptocurrencies. These miners were set to throttle CPU usage, blending into normal system activity.
Perhaps the most dangerous element is the campaign's ability to spread on its own. PUMPBENCH enumerates available drives and replicates itself by dropping the shortcut, VBScript, and batch files onto newly connected USB devices.
Each infected USB drive thus becomes a potential patient zero for the next compromise, keeping the propagation going.
Mandiant emphasizes the importance of layered detection strategies to catch such multi-stage campaigns. They map several behaviors to MITRE ATT&CK techniques, including:
- T1204.002 (User Execution: Malicious File) – shortcut-based execution.
- T1562.001 (Impair Defenses: Disable or Modify Tools) – Defender exclusions added from PowerShell.
- T1053.005 (Scheduled Task/Job: Scheduled Task) – persistence through scheduled tasks.
- T1543.003 (Create or Modify System Process: Windows Service) – malicious service creation.
The report provides YARA-L 2.0 rules and Google SecOps hunting queries to surface suspicious USB activity, DLL side-loading, and PostgreSQL traffic originating from svchost.exe.
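Mandiant's actual YARA-L rules and SecOps queries are in the report. As an added illustration, and not their code, the Python below runs a toy version of the same layered detection over a handful of constructed telemetry records covering the chain described above: the script host launched from a removable drive, the PowerShell Defender exclusion, service and scheduled-task creation from the CUTFAIL/HIGHREPS stage, and svchost.exe talking to the PostgreSQL port. Field names, regexes, and the sample command lines (file, service, and task names included) are assumptions for the example; none are indicators from the report.

```python
"""
Toy behavioural detection over constructed endpoint telemetry.
Added example; rules and sample events are assumptions, not Mandiant's YARA-L rules.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal telemetry record (field names loosely modelled on Sysmon
    process-creation and network-connection events; an assumption)."""
    kind: str                 # "process" or "network"
    image: str                # full path of the acting process
    parent_image: str = ""    # process events only
    command_line: str = ""    # process events only
    dest_port: int = 0        # network events only


@dataclass
class Alert:
    technique: str            # ATT&CK ID, or "hunt" for an unmapped hunting rule
    rule: str
    event: Event


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


# Assumption for the example: C: is the fixed system drive; any other letter is treated as removable.
REMOVABLE_SCRIPT_RE = re.compile(r"[D-Z]:\\[^\"']*\.vbs\b", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
SCHTASK_CREATE_RE = re.compile(r"schtasks(\.exe)?\s.*?/create\b|Register-ScheduledTask\b", re.IGNORECASE)
SERVICE_CREATE_RE = re.compile(r"\bsc(\.exe)?\s+create\b|New-Service\b", re.IGNORECASE)
SVCHOST_GROUP_RE = re.compile(r'-k\s+([^\s"]+)', re.IGNORECASE)
POSTGRES_PORT = 5432


def evaluate(ev: Event) -> list[Alert]:
    """Apply every rule to one event and return the alerts it raises."""
    alerts: list[Alert] = []
    cmd = ev.command_line
    name = _name(ev.image)

    if ev.kind == "process":
        # T1204.002: Explorer launching a script host against a .vbs on a removable
        # drive, the visible part of the USB Drive.lnk -> VBScript -> batch chain.
        if (name in {"wscript.exe", "cscript.exe"}
                and _name(ev.parent_image) == "explorer.exe"
                and REMOVABLE_SCRIPT_RE.search(cmd)):
            alerts.append(Alert("T1204.002", "script host launched from removable drive", ev))

        # T1562.001: Defender exclusions added from PowerShell (CUTFAIL behaviour).
        if name in {"powershell.exe", "pwsh.exe"} and DEFENDER_EXCLUSION_RE.search(cmd):
            alerts.append(Alert("T1562.001", "Defender exclusion added via PowerShell", ev))

        # T1053.005: scheduled-task creation (HIGHREPS persistence).
        if SCHTASK_CREATE_RE.search(cmd):
            alerts.append(Alert("T1053.005", "scheduled task created", ev))

        # T1543.003: service creation; note the svchost group it hides in, if any.
        if SERVICE_CREATE_RE.search(cmd):
            grp = SVCHOST_GROUP_RE.search(cmd)
            detail = f" under svchost group {grp.group(1)}" if grp else ""
            alerts.append(Alert("T1543.003", "service created" + detail, ev))

    elif ev.kind == "network":
        # Hunting rule from the report's theme: svchost.exe should not be a PostgreSQL client.
        if name == "svchost.exe" and ev.dest_port == POSTGRES_PORT:
            alerts.append(Alert("hunt", "svchost.exe connecting to PostgreSQL port", ev))

    return alerts


def run_rules(events: list[Event]) -> list[Alert]:
    return [a for ev in events for a in evaluate(ev)]


# Constructed sample telemetry; names are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\wscript.exe" "E:\.cache\launcher.vbs"'),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows \System32\printui.exe",
          r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Windows \System32'"),
    Event("process", r"C:\Windows\System32\sc.exe", r"C:\Windows \System32\printui.exe",
          r'sc.exe create SvcHostUpdate binPath= "C:\Windows\System32\svchost.exe -k DcomLaunch" start= auto'),
    Event("process", r"C:\Windows\System32\schtasks.exe", r"C:\Windows \System32\printui.exe",
          r'schtasks.exe /create /tn "UpdateCheck" /tr "C:\ProgramData\upd.exe" /sc onlogon /f'),
    Event("network", r"C:\Windows\System32\svchost.exe", dest_port=5432),
    # Benign noise that must not fire.
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", "powershell.exe -Command Get-MpPreference"),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_port=443),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.technique:10} {a.rule:48} {a.event.image}")
```

Each rule is deliberately narrow; in production the same logic would be expressed in the SIEM's query language and joined with drive-type and parent-chain context rather than a drive-letter heuristic.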