New cryptojacking campaign exploits OneDrive vulnerability

While the campaign currently only deploys a cryptocurrency miner, it relies on DLL sideloading, a technique that can equally be used to deploy spyware or ransomware.


Cryptojacking is turning into a security nightmare for consumers and enterprises alike. Malicious actors have used a variety of techniques to install cryptojackers on victims' computers, and in a new development, cybersecurity software maker Bitdefender has detected a cryptojacking campaign that abuses a DLL sideloading weakness in Microsoft OneDrive to gain persistence and run undetected on infected devices.

Between May 1 and July 1, 2022, Bitdefender detected about 700 users affected by the campaign. The campaign mines with four algorithms or coins (Ethash, Etchash, Ton and XMR) and earns an average of $13 worth of cryptocurrency per infected computer, Bitdefender reported this week.

Cryptojacking campaign exploits OneDrive sideloading vulnerability

Cryptojacking is the unauthorized use of computing infrastructure to mine cryptocurrency. The attackers in the latest campaign described by Bitdefender were found to be using a known DLL sideloading weakness in OneDrive: they drop a fake secur32.dll into OneDrive's installation directory, where OneDrive.exe picks it up in place of the legitimate system copy. Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes.

DLL sideloading abuses the order in which Windows resolves a library that a program requests by name rather than by full path: the loader checks the application's own directory before the system directories, so an attacker who can write next to a trusted, signed executable can get a DLL of the expected name loaded by that program and run with its identity, without touching the executable itself. A DLL (dynamic-link library) is a shared library of functions that programs load at runtime instead of compiling them in.

While the OneDrive sideloading campaign is only used for cryptojacking, DLL sideloading can just as well deliver spyware or ransomware. Moreover, since cryptocurrency mining is resource-intensive, victims may notice degraded CPU and GPU performance, overheating and increased energy consumption, which can wear out expensive hardware.

By default, OneDrive registers a scheduled task that runs every day, and the attackers behind the new campaign were also found to have set the OneDrive.exe process to start again after a reboot, even if the user had disabled it. Because every such launch loads the DLL from the OneDrive directory, the attackers gain persistence without any launcher of their own. In 95.5% of the detections, the daily scheduled run was what loaded the malicious secur32.dll, Bitdefender noted.

OneDrive can be installed either on a per-user or per-machine basis. In the default per-user installation, the folder where OneDrive is located (under %LOCALAPPDATA%\Microsoft\OneDrive) is writable by non-elevated users, so a malicious DLL can be dropped there, or executable files can be modified or completely overwritten, without administrative privileges, the report said.

“OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence,” Bitdefender noted in its report.

Microsoft recommends that customers choose the per-machine install option, which places OneDrive under Program Files, where only administrators can write. Since a per-machine installation may not be appropriate in every context, Bitdefender additionally recommends that users keep their antivirus and operating systems up to date, avoid cracked software and game cheats, and download software only from trusted locations.
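To make the conditions above concrete, here is an added audit script; it is not from the article, from Bitdefender's report or from Microsoft. Run as the ordinary user on a Windows host, it reports whether OneDrive is installed per-user or per-machine, whether that directory is writable by the current user, which DLLs under it shadow a System32 file name or lack a valid Authenticode signature (secur32.dll is flagged unconditionally, since it belongs only in the system directories), and which scheduled tasks and Run keys launch OneDrive. The install paths, the probe-file method for testing writability and the output layout are this example's own assumptions.

```powershell
# Added audit script (not from the article or Bitdefender's report). Checks the conditions the
# OneDrive secur32.dll sideloading campaign depends on. Run it as the ordinary, NON-elevated user
# whose OneDrive is being checked (an elevated session can write anywhere, so the ACL probe
# would be meaningless). Works in Windows PowerShell 5.1 and PowerShell 7.
# Assumed install paths: per-user under %LOCALAPPDATA%\Microsoft\OneDrive, per-machine under
# "Program Files\Microsoft OneDrive" (or the x86 variant on older builds).

$candidateDirs = @(
    "$env:LOCALAPPDATA\Microsoft\OneDrive",
    "$env:ProgramFiles\Microsoft OneDrive",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive"
) | Where-Object { Test-Path -LiteralPath (Join-Path $_ 'OneDrive.exe') }
$system32 = Join-Path $env:SystemRoot 'System32'

# A directory is a sideloading target if the current user can create a file in it.
# Probe by writing and deleting a randomly named empty file.
function Test-DirWritable([string]$Dir) {
    try {
        $probe = Join-Path $Dir ('.acl-probe-' + [IO.Path]::GetRandomFileName())
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-OneDriveInstall {
    foreach ($dir in $candidateDirs) {
        [pscustomobject]@{
            Path     = $dir
            Scope    = if ($dir -like "$env:LOCALAPPDATA*") { 'per-user' } else { 'per-machine' }
            Writable = Test-DirWritable $dir
        }
    }
}

# The loader searches the application directory before System32, so any DLL here whose name
# also exists in System32 can shadow the system copy. Legitimate Microsoft-signed DLLs are
# expected in the OneDrive tree; an unsigned or non-Microsoft one, or any secur32.dll, is not.
function Get-SuspiciousDlls([string]$InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path            = $_.FullName
                IsSecur32       = ($_.Name -ieq 'secur32.dll')
                ShadowsSystem32 = Test-Path -LiteralPath (Join-Path $system32 $_.Name)
                Signature       = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object {
            $_.IsSecur32 -or $_.Signature -ne 'Valid' -or
            ($_.ShadowsSystem32 -and $_.Signer -notmatch 'Microsoft')
        }
}

# Persistence: scheduled tasks and Run keys that launch something named OneDrive. OneDrive
# registers its own entries; the question is whether they point into a user-writable directory.
function Get-OneDriveLaunchers {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute -match 'OneDrive' } | ForEach-Object {
            [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = "$($_.Execute) $($_.Arguments)" }
        }
    }
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $keyPath = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = $key.GetValue($name)
            if ($cmd -match 'OneDrive') {
                [pscustomobject]@{ Kind = 'RunKey'; Name = "$keyPath\$name"; Command = $cmd }
            }
        }
    }
}

foreach ($install in Get-OneDriveInstall) {
    Write-Output "OneDrive install: $($install.Path) [$($install.Scope)] writable-by-current-user=$($install.Writable)"
    if ($install.Scope -eq 'per-user' -and $install.Writable) {
        Write-Output '  [!] per-user install: any code running as this user can drop a DLL here'
    }
    Get-SuspiciousDlls $install.Path | Format-Table -AutoSize
}
Write-Output 'Entries that launch OneDrive:'
Get-OneDriveLaunchers | Format-Table -AutoSize
```

On a clean per-user install the script will still report a writable directory and the Microsoft-signed OneDrive scheduled tasks; that is the baseline Bitdefender is warning about, not an infection. The actionable findings are a DLL under the OneDrive tree that is unsigned or signed by someone other than Microsoft, above all one named secur32.dll, together with any launcher whose command points into a directory the current user can write to. After switching to the per-machine install, the same script should report the Program Files directory as not writable.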

Instances of cryptojacking are on the rise

Cryptojacking cases rose 30% to 66.7 million in the first half of 2022 compared with the first half of 2021, according to the 2022 SonicWall Cyber Threat Report. The financial sector saw a 269% increase in cryptojacking attacks, according to the report.

The increased instances of cryptojacking activity can be attributed to the low risk and high reward for the threat actors. It has also become lucrative for cybercriminals as the prices of some cryptocurrencies have soared over the past few years. 

The rise of cryptojacking can also be attributed to the crackdown on ransomware attacks. In a ransomware attack, the attacker has to communicate with the victim to demand a ransom. With cryptojacking, the attacker stays discreet, and the victim often is not even aware of the attack.

Copyright © 2022 IDG Communications, Inc.
