A recent report from BitDefender revealed that Microsoft OneDrive is currently being abused by a group of threat actors for cryptojacking.
According to BitDefender, these actors exploit a dynamic link library (DLL) hijacking (side-loading) weakness in OneDrive to carry out their operations. The activity took place between May and July 2022, and in that period more than 700 cryptojacking cases using the same technique were detected.
According to the BitDefender write-up, the attackers rely on a rewritten secur32.dll file to infect potential victims' systems; the file is placed in %LocalAppData%\Microsoft\OneDrive so that it starts and is loaded together with the OneDrive process itself.
Notably, the attackers also configure the OneDrive.exe process to run again after a reboot, even if the user has disabled it, and once the infection stage is reached the fake secur32.dll is used to download mining software onto the victim's system.
“The attackers write a fake secur32.dll to %LocalAppData%\Microsoft\OneDrive as non-elevated users that will be loaded by one of the OneDrive processes (OneDrive.exe or OneDriveStandaloneUpdater.exe),” BitDefender wrote.
“Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes,” the report continues.
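As an added example (not from the article or the BitDefender report), a PowerShell check a defender can run in a Windows user profile: it looks for a secur32.dll sitting in the per-user OneDrive folder named above, compares it with the Microsoft-signed copy in System32, and reports which OneDrive processes currently have it loaded. The System32 comparison assumes secur32.dll is the standard Windows library of that name.

```powershell
# Added example: detect a side-loaded secur32.dll in the per-user OneDrive folder.
# A legitimate secur32.dll lives in System32 and is Microsoft-signed; a copy next
# to OneDrive.exe is not expected and should be investigated.
$oneDriveDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$suspect     = Join-Path $oneDriveDir 'secur32.dll'
$legit       = Join-Path $env:SystemRoot 'System32\secur32.dll'   # assumed reference copy

if (-not (Test-Path $suspect)) {
    Write-Output "No secur32.dll in $oneDriveDir (expected state)."
    return
}

# Signature status and hash of the suspicious file, compared with the System32 copy.
$sig       = Get-AuthenticodeSignature -FilePath $suspect
$hash      = (Get-FileHash -Path $suspect -Algorithm SHA256).Hash
$legitHash = (Get-FileHash -Path $legit   -Algorithm SHA256).Hash

[pscustomobject]@{
    Path            = $suspect
    SignatureStatus = $sig.Status                      # 'Valid' only for a trusted signer
    Signer          = $sig.SignerCertificate.Subject   # empty for an unsigned fake
    SHA256          = $hash
    MatchesSystem32 = ($hash -eq $legitHash)           # $false strongly suggests a planted DLL
    LastWrite       = (Get-Item $suspect).LastWriteTime
}

# Which of the two OneDrive processes named in the report have the DLL mapped right now.
Get-Process -Name 'OneDrive', 'OneDriveStandaloneUpdater' -ErrorAction SilentlyContinue |
    Where-Object { $_.Modules.FileName -contains $suspect } |
    Select-Object Id, ProcessName
```

Run it as the affected user, since the folder and the OneDrive processes belong to that user's profile; an unsigned or non-matching file loaded into OneDrive.exe is the indicator the report describes.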
For now, the weakness in OneDrive may already have been fixed, so users may not need to worry about this issue anymore. One thing is certain: make sure the OneDrive application on Windows 10 or Windows 11 is on the latest version to ensure the vulnerability has been patched.
Via: BitDefender