Complete News World

Schwachstelle in Microsoft OneDrive

Active cryptojacking via a sideload vulnerability in Microsoft OneDrive

Cryptojacking is a growing risk: hackers use the resources of infected computers or mobile devices to use their resources for their encryption. In May and June 2022, Bitdefender discovered a global attack campaign in which cybercriminals exploited known vulnerabilities to load DLL files in Microsoft OneDrive Exploit it to install encryption malware on victims’ systems.

  • In principle, they can download any malware via the vulnerability – including malware.
  • It attacked 700 instances of Microsoft OneDrive detected by Bitdefender in May and June 2022.
  • Germany is among the most affected countries worldwide
  • Microsoft does not interpret DLL sideloading as a vulnerability.
  • The known sideload vulnerability is also suitable for ransomware attacks or for spyware infection.

The Windows operating system and other applications are built on DLL files that provide or extend functionality. Once an application needs a function in a particular DLL, it searches for it in the predetermined order, first in the directory the application was loaded from, then in the system directory, in the 16-bit system directory, in the Windows directory, in the directory currently in use and recently in the listed directories in the path environment variable. If the full path of the required DLL files is not specified, the application will try to find the file on the given paths. If hackers implement a malicious DLL on the search path, it will silently load and run the application in place of the application that actually needs it.

Image 1: OneDrive campaign global distribution: campaign mainly in the US, India, France, Romania, Italy and Germany. (Source: Bitdefender)

Download malicious DLLs via OneDrive.exe or OneDriveStandaloneUpdater.exe

In the attack analyzed by Bitdefender, the attackers write a fake secure32.dll file to the %appdata%\Local\Microsoft\OneDrive path without special privileges. OneDrive processes OneDrive.exe or OneDriveStandaloneUpdater.exe and then loads them.

See also  Diablo 4: All-new chapters teased

Since %appdata%\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe is scheduled to run daily, the fake DLL files are now still present in the victim’s system.

In addition, the attackers install the fake DLL into the system via %appdata%\Local\Microsoft\OneDrive\OneDrive.exe. You can configure OneDrive.exe to start with every reboot using the Windows registry.

After the fake secure32.dll file is loaded via those OneDrive processes, it reloads the encryption program and infects it in legitimate Windows processes.

In the same way, attackers may also install ransomware or spyware on the systems.

In the crypto campaign, hackers deployed algorithms to mine four cryptocurrencies: Etchasch in particular, as well as ethash, ton and xmr. On average, cybercriminals make a profit of $13 per infected computer. Victims notice losses in the performance of the systems.

Campaign schedule
Figure 2: During the campaign in May and June, the attackers reinterpreted the attack several times. (Source: Bitdefender)

Microsoft: Install OneDrive “per device”.

Users can Microsoft OneDrive Install either “per user” or “per device”. The default setting is “per user” installation. In this configuration, users without special privileges can write to the folder where OneDrive is located. Hackers can drop malware here, modify executable files, or completely overwrite them. Therefore, Microsoft recommends that you install OneDrive “per device”. You can find instructions on how to do this over here.

NL code 1

More precautions are needed

However, “per device” installation is not appropriate for every environment or every privilege level. So Bitdefender warns OneDrive users to be very careful. Both antivirus protection and the operating system used should always be up to date. Be careful when downloading cracked software or game cheats.

See also  Try the Polestar 2 out on the water this summer

More information:

full study over here Available.