Microsoft OneDrive: Cryptojacking campaign via DLL sideloading

Bitdefender researchers warn of a cryptojacking campaign that abuses a DLL sideloading vulnerability in Microsoft OneDrive. In May and June 2022 alone, Bitdefender detected around 700 attacked OneDrive instances; Germany is among the hardest-hit countries.

Cryptojacking is a growing threat: attackers hijack the computing resources of infected PCs or mobile devices to mine cryptocurrency for themselves. In May and June 2022, Bitdefender detected a global campaign in which cybercriminals exploit a known DLL sideloading vulnerability in Microsoft OneDrive to install cryptomining malware on victims' systems. In principle, the same weakness could be used to deliver any other malware.

Cryptomining malware via vulnerability

Windows and its applications rely on DLL files that provide or extend functionality. When an application loads a DLL by name without giving its full path, Windows searches for the file in a fixed order: first the directory the application was loaded from, then the system directory (System32), the 16-bit system directory, the Windows directory, the current working directory and finally the directories listed in the Path environment variable. The first matching file wins. If an attacker can place a DLL with the expected name earlier in that search path than the legitimate copy, typically in the application's own directory, the malicious DLL is loaded silently, with the privileges of the application, instead of the library the application actually needs.
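The following PowerShell script is an added example, not code from the Bitdefender report: it walks the default Windows DLL search order described above for a given executable and DLL name, reports which directory satisfies the load first, and flags every candidate directory the current user can write to. It assumes the Windows default (SafeDllSearchMode enabled); the writability check is an ACL approximation and the DLL name in the usage line is the one the article gives.

```powershell
# Added example (not from the Bitdefender report): simulate the default Windows
# DLL search order for an executable and show where a same-named DLL would be
# picked up and whether the current user could plant one there.
function Test-UserWritable {
    # Approximation via ACL: an Allow ACE granting write-class rights to the
    # current user or to a broad group. Good enough to spot a hijackable directory.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               "$env:USERDOMAIN\$env:USERNAME")
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Resolve-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $appDir = Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).ProviderPath
    # Search order as described in the article (Windows default, SafeDllSearchMode on).
    $order = [System.Collections.Generic.List[hashtable]]::new()
    $order.Add(@{ Name = 'Application directory';   Path = $appDir })
    $order.Add(@{ Name = 'System directory';        Path = [Environment]::SystemDirectory })
    $order.Add(@{ Name = '16-bit system directory'; Path = (Join-Path $env:SystemRoot 'System') })
    $order.Add(@{ Name = 'Windows directory';       Path = $env:SystemRoot })
    $order.Add(@{ Name = 'Current directory';       Path = (Get-Location).ProviderPath })
    foreach ($p in ($env:Path -split ';' | Where-Object { $_ -ne '' })) {
        $order.Add(@{ Name = 'PATH entry'; Path = $p })
    }
    $found = $false
    $step = 0
    foreach ($entry in $order) {
        $step++
        $candidate = Join-Path $entry.Path $DllName
        $exists = Test-Path -LiteralPath $candidate -PathType Leaf
        [pscustomobject]@{
            Step      = $step
            Location  = $entry.Name
            Candidate = $candidate
            Exists    = $exists
            Writable  = Test-UserWritable $entry.Path
            Loaded    = ($exists -and -not $found)   # the first existing file wins
        }
        if ($exists) { $found = $true }
    }
}

# Usage: per-user OneDrive install and the DLL name named in the article.
Resolve-DllSearchOrder -ExePath "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe" `
                       -DllName 'secure32.dll' | Format-Table -AutoSize
```

On a per-user install the first row (the application directory under the user's profile) comes back both Writable and, once a file has been dropped there, Loaded, while the System32 copy further down never gets a chance. Two caveats: DLLs listed under the KnownDLLs registry key are always loaded from System32 regardless of this order, and an application that loads with an absolute path or a restricted search flag is not affected either.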

Loading malicious DLLs via OneDrive.exe

In the attack Bitdefender analysed, the attackers write a fake secure32.dll into %localappdata%\Microsoft\OneDrive\. No special privileges are needed, because the per-user OneDrive installation directory is writable by the user. The OneDrive processes OneDrive.exe and OneDriveStandaloneUpdater.exe then load this file in place of the legitimate library. Because %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe is run every day by a scheduled task, the fake DLL is loaded again each day and so persists on the victim's system.

In addition, the attackers anchor the fake DLL via %localappdata%\Microsoft\OneDrive\OneDrive.exe, which the per-user installation registers in the Windows registry (the Run key) to start at every logon. Once loaded by either OneDrive process, the fake secure32.dll downloads the cryptomining payload and injects it into legitimate Windows processes. In the same way the attackers could just as well install ransomware or spyware.

In this campaign the attackers distribute miners for four cryptocurrencies: above all etchash (Ethereum Classic), and also ethash (Ethereum), ton (Toncoin) and xmr (Monero). On average the criminals earn about $13 per infected computer; the victims notice the infection as degraded system performance.

Microsoft: Install OneDrive “per machine”.

Microsoft OneDrive can be installed either “per user” or “per machine”; “per user” is the default. In that configuration the installation folder lives under the user's profile (%localappdata%\Microsoft\OneDrive), so a user without special privileges can write to it: attackers can drop malicious DLLs there and modify or completely overwrite the executables. Microsoft therefore recommends the “per machine” installation, which places OneDrive under Program Files where standard users have no write access, and provides instructions for it.
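The following audit script is an added example, not Microsoft's or Bitdefender's code. It checks a host for the conditions this campaign relies on: whether OneDrive is installed per user (user-writable directory) or per machine, whether any DLL under the install directory is unsigned or not signed by Microsoft, and whether the persistence points named in the article (the per-user Run key entry for OneDrive.exe and the scheduled task running OneDriveStandaloneUpdater.exe) are present. It assumes the default install locations under %LOCALAPPDATA% and Program Files; the function name is chosen here.

```powershell
# Added example (not Microsoft's or Bitdefender's code): audit a OneDrive
# install for the per-user layout, foreign DLLs and the persistence points
# described in the article.
function Get-OneDriveSideloadAudit {
    $perUserDir    = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'     # default per-user path
    $perMachineDir = Join-Path $env:ProgramFiles 'Microsoft OneDrive'     # default per-machine path
    $installs = foreach ($dir in @($perUserDir, $perMachineDir)) {
        if (Test-Path -LiteralPath (Join-Path $dir 'OneDrive.exe') -PathType Leaf) {
            [pscustomobject]@{
                Directory = $dir
                Mode      = if ($dir -eq $perUserDir) { 'per-user' } else { 'per-machine' }
            }
        }
    }

    # Every DLL in an install directory should carry a valid Microsoft signature;
    # anything else (unsigned, broken, or a foreign signer) is a sideloading candidate.
    $dlls = foreach ($inst in $installs) {
        Get-ChildItem -LiteralPath $inst.Directory -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Install    = $inst.Mode
                    File       = $_.FullName
                    Status     = $sig.Status
                    Signer     = $signer
                    Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
                }
            }
    }
    $suspicious = @($dlls | Where-Object Suspicious)

    # Persistence the campaign rides on: the per-user Run key entry that starts
    # OneDrive.exe at logon, and the scheduled task for OneDriveStandaloneUpdater.exe.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runEntries = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like '*OneDrive*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions.Execute -like '*OneDriveStandaloneUpdater*' } |
        ForEach-Object { [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath; State = $_.State } }

    $perUserPresent = $installs.Mode -contains 'per-user'
    $verdict = if ($perUserPresent -and $suspicious.Count -gt 0) {
        'per-user install with non-Microsoft DLL(s) in its directory: investigate'
    } elseif ($perUserPresent) {
        'per-user install (user-writable directory): consider the per-machine install'
    } else {
        'no per-user install found'
    }

    [pscustomobject]@{
        Installs       = @($installs)
        SuspiciousDlls = $suspicious
        RunEntries     = @($runEntries)
        UpdaterTasks   = @($tasks)
        Verdict        = $verdict
    }
}

# Usage: run as the user whose profile is being checked.
$audit = Get-OneDriveSideloadAudit
$audit.Verdict
$audit.SuspiciousDlls | Format-Table Install, Status, Signer, File -AutoSize
```

The Run key and the updater task are legitimate on a normal per-user install; the script lists them so an analyst can see which process would re-load a planted DLL, not because their mere presence is malicious. The signal to act on is a DLL under the OneDrive directory whose signature is not valid or whose signer is not Microsoft.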

Further precautions needed

However, the “per machine” installation is not suitable for every environment or every privilege level. Bitdefender therefore urges OneDrive users to remain vigilant: both the antivirus software and the operating system must be kept up to date.

More at Bitdefender.com


About Bitdefender
Bitdefender is a global leader in cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since its founding in 2001, the company’s innovations have regularly provided excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of the world’s deployed security solutions and is trusted and recognized by industry professionals, manufacturers and customers alike. www.bitdefender.de

