New cryptojacking campaign
Cryptojacking is becoming a nightmare for customers and enterprises, and threat actors have started using various techniques to deploy cryptojackers on victims' systems. As per recent developments, cybersecurity software developer Bitdefender found a crypto jacking campaign exploiting Microsoft OneDrive vulnerability to get access and run without getting caught on compromised devices.
BitDefender report says:
"OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from OneDriveStandaloneUpdater.exe loading the malicious secur32.dll."
From May 1 to July 1, Bitdefender identified around 700 users impacted by the campaign. The campaign operates using four cryptocurrency mining algorithms- Ton, XMR, Ethash, and Etchash. It makes an average of $13 worth of cryptocurrency per compromised device.
Cryptojacking uses OneDrive sideloading bug
Cryptojacking is an unauthenticated exploit of computer manufacture for mining cryptocurrency. The threat actors in the recent cryptojacking campaign used a DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. After the file is loaded into the OneDrive process, the fake secur32.dll will download open-source cryptocurrency mining software and install it into genuine Windows processes.
Sideloading is basically installing a code that has not been approved for running on a system by the developer of the machine's operating system. DLL files are a combination of small programs having instructions that can assist a larger program finish non-core tasks of the original program.
The campaign also uses Spyware, Ransomware
Meanwhile, the OneDrive sideloading campaign is used only in cryptojacking, DLL side-loading is also used for the deployment of ransomware or spyware. Besides this, as cryptocurrency minutes are resource-sensitive, the victims can instantly see falling CPU and GPU performance, increased energy consumption, and overheating, these issues can ruin expensive hardware.
OneDrive, by default, is set to reboot on a daily basis, and the threat actors behind the latest cryptojacking campaign were found to run the OneDrive.exe process to run after a reboot, even if the user shuts it down. The attackers use this method to gain persistence. In 95% (estimated) of the findings, the scheduled reboot was found to deploy the infected secur32.dll.
"Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats, and to download software from trusted locations only"-Bitdefender report.