Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild
Cryptojackers have become very lucrative for cybercriminals in recent years as the price of cryptocurrency soared. From data breaches to PUAs to warez downloads, coin miners and cryptojackers crop up steadily in our threat landscape reports.
However, to meet their financial expectations, cybercriminals are taking new approaches to planting and loading cryptojackers on victims’ computers. This is the case of an active cryptojacking campaign that uses a Dynamic Library Link (DLL) hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices.
In this paper we describe a cryptojacking campaign in which the attackers exploit known DLL Side-Loading vulnerabilities in Microsoft OneDrive.
- Bitdefender identified and documented a cryptojacking campaign exploiting known DLL sideloading vulnerabilities in Microsoft OneDrive.
- Between May 1 to July 1, 2022 we detected over 700 instances of the cryptojacker using the DLL sideloading vulnerabilities.
Bitdefender recommends OneDrive users to ensure their security solution and operating systems are up-to-date; avoid cracked software and only download applications from trusted sources. Businesses should go further by tuning security solutions to monitor for DLL sideloading and applying IOCs to prevention and endpoint detection and response (EDR) solutions.
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known Indicators of Compromise can be found in the whitepaper below.
A Red Team Perspective on the Device42 Asset Management Appliance
August 10, 2022
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021
Bitdefender, Law Enforcement Partnership Saves REvil Victims Half a Billion in Ransom Demand
November 08, 2021
Bitdefender Offers Free Universal Decryptor for REvil/Sodinokibi Ransomware
September 16, 2021