XRATOR
Conquer your risk
Microsoft OneDrive Exploited for cryptojacking operation

Cryptojacking is only profitable in the world where mining itself is a profitable business.

by Gwendal Smith
October 14, 2022
in Cyber Attacks, Cybercrime, News, Vulnerability & Weakness

Cryptojacking is a form of cybercrime in which criminals hijack any kind of connected device (computers, smartphones, tablets, IoT devices or servers) to mine cryptocurrency without the victim's knowledge. Like most cybercrime it is motivated by profit, but unlike most other threats it is designed to run covertly for as long as possible. With the rise of interest in cryptocurrency, cryptojacking has become a nightmare for individuals and corporations alike. In a recent report, the cybersecurity company Bitdefender exposed a new cryptojacking campaign that abuses Microsoft OneDrive to gain persistence and stealth.

The OneDrive Sideloading Vulnerability

A DLL (dynamic-link library) is a shared library that an executable loads at runtime to obtain functions it does not implement itself. In the campaign described by Bitdefender, the attackers abused a known DLL sideloading weakness in OneDrive by writing a fake secur32.dll next to the OneDrive binaries. secur32.dll is a legitimate Windows library that normally lives in System32; because the Windows loader searches an application's own directory before the system directories for most DLLs, the OneDrive process picks up the attacker's copy instead of the real one. Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open-source mining software and injects it into legitimate Windows processes. DLL sideloading (also called DLL search-order hijacking) is therefore not about installing unapproved software on a device: it is about making a trusted, signed executable load attacker-controlled code under its own name, privileges and reputation.

OneDrive can be installed on a per-user or a per-machine basis. In the default per-user installation, OneDrive lives under the user's profile (%LOCALAPPDATA%\Microsoft\OneDrive), a folder the user, and therefore any code running as that user, can write to without administrative rights: a malicious DLL can be dropped into it, and the executables there can be modified or completely overwritten. According to Bitdefender, OneDrive was chosen in this attack precisely because it gives the actor easy persistence.

Microsoft's recommendation is the per-machine installation, which places OneDrive under Program Files, where only administrators can write. Since per-machine installation is not appropriate in every environment, Bitdefender additionally recommends that users keep their antivirus and operating system up to date, avoid pirated software and game cheats, and only download software from trusted sources.
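The two conditions described above (a OneDrive folder the current user can write to, and a DLL in it that carries the name of a system library) can be checked directly. The script below is an added example written for this article; it is not code from the Bitdefender report or from Microsoft. It assumes the standard per-user and per-machine install paths and uses only built-in cmdlets. Run it in a normal, non-elevated PowerShell session so the write test reflects what an unprivileged user, or malware running as that user, can actually do.

```powershell
# Added example (not from the Bitdefender report or Microsoft): audit the
# OneDrive install folder(s) for DLL sideloading exposure.

function Test-DirectoryWritable {
    # Practical check: try to create and delete a probe file. Reasoning about
    # ACLs by hand is error-prone; an actual write attempt is definitive.
    param([string]$Path)
    $probe = Join-Path $Path ('probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-SideloadCandidates {
    # Every DLL under $Path that shadows a System32 DLL of the same name
    # (secur32.dll is the one used in this campaign) or is not validly signed.
    param([string]$Path)
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $shadows = Test-Path -LiteralPath (Join-Path $system32 $_.Name)
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $severity = if ($shadows -and $sig.Status -ne 'Valid') { 'HIGH' }    # unsigned file using a system DLL name
                        elseif ($shadows)                           { 'REVIEW' }  # signed, but still a sideload target
                        elseif ($sig.Status -ne 'Valid')            { 'MEDIUM' }  # unsigned DLL in a trusted app folder
                        else                                        { $null }
            if ($severity) {
                [pscustomobject]@{
                    Severity        = $severity
                    File            = $_.FullName
                    ShadowsSystem32 = $shadows
                    Signature       = $sig.Status
                    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Modified        = $_.LastWriteTime
                }
            }
        }
}

# Candidate locations: per-user (the default) and per-machine installs.
# Guarded because ProgramFiles(x86) does not exist on 32-bit Windows.
$candidates = @()
if ($env:LOCALAPPDATA)        { $candidates += Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive' }
if ($env:ProgramFiles)        { $candidates += Join-Path $env:ProgramFiles 'Microsoft OneDrive' }
if (${env:ProgramFiles(x86)}) { $candidates += Join-Path ${env:ProgramFiles(x86)} 'Microsoft OneDrive' }

foreach ($dir in $candidates) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $writable = Test-DirectoryWritable -Path $dir
    $kind = if ($dir -like "$env:LOCALAPPDATA*") { 'per-user' } else { 'per-machine' }
    Write-Output ('{0} install at {1}: writable by current user = {2}' -f $kind, $dir, $writable)
    Get-SideloadCandidates -Path $dir | Sort-Object Severity | Format-Table -AutoSize
}
```

A HIGH finding named secur32.dll inside a per-user folder that reports writable = True is exactly the situation Bitdefender describes. A per-machine install should report writable = False for an unprivileged user; REVIEW entries are Microsoft-signed DLLs that happen to share a System32 name and are expected, but they are still the names an attacker would pick for a swap, so they are worth a second look if the modification time is recent.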

Sideloading and Cybercrime

While the OneDrive sideloading campaign appears to be limited to cryptojacking, the same DLL sideloading technique can just as well deliver spyware or ransomware. Cryptocurrency mining is also resource-intensive: victims may immediately notice degraded CPU and GPU performance, overheating and higher power consumption, which can wear out expensive hardware prematurely. By default OneDrive is scheduled to restart every day, and the attackers configured the OneDrive.exe process to run after that restart even if the user disables it; every restart reloads the planted DLL, which is how the attackers obtain persistence. "In 95.5 percent of detections, the scheduled task restart loads the malicious secur32.dll file," Bitdefender notes.
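The persistence described above is nothing more than OneDrive's own autostart entries relaunching a binary from a user-writable folder. The script below is an added example written for this article, not code from Bitdefender or Microsoft; it lists every scheduled task and Run-key entry that launches a OneDrive executable and classifies where that executable lives. It matches on the action's executable name rather than the task name, because OneDrive's task names vary between versions and include a user SID.

```powershell
# Added example (not from the Bitdefender report): enumerate the autostart
# vectors that relaunch OneDrive, so the daily scheduled-task restart that
# reloads a sideloaded DLL is visible next to the Run-key entry.

function Get-ExecutableOrigin {
    # Where the launched binary lives decides who can tamper with it: anything
    # under the user profile is writable by that user, Program Files is not.
    param([string]$Command)
    $path = [Environment]::ExpandEnvironmentVariables($Command).Trim('"')
    if ($env:USERPROFILE -and $path -like "$env:USERPROFILE*")                   { return 'per-user (user-writable)' }
    if ($env:ProgramFiles -and $path -like "$env:ProgramFiles*")                 { return 'per-machine (Program Files)' }
    if (${env:ProgramFiles(x86)} -and $path -like "${env:ProgramFiles(x86)}*")   { return 'per-machine (Program Files x86)' }
    return 'other'
}

function Get-OneDriveAutostarts {
    # Matches OneDrive.exe, OneDriveStandaloneUpdater.exe, OneDriveSetup.exe ...
    $pattern = 'OneDrive[^\\"]*\.exe'

    # 1. Scheduled tasks whose action runs a OneDrive binary
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute -or $action.Execute -notmatch $pattern) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Vector   = 'ScheduledTask'
                Name     = $task.TaskPath + $task.TaskName
                Command  = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
                Origin   = Get-ExecutableOrigin -Command $action.Execute
                State    = $task.State
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun  = $info.LastRunTime
            }
        }
    }

    # 2. Run keys: HKCU is writable by the user, HKLM needs admin rights
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # PSPath, PSParentPath, ... are provider metadata, not Run values
            if ($p.Name -like 'PS*' -or "$($p.Value)" -notmatch $pattern) { continue }
            [pscustomobject]@{
                Vector   = 'RunKey'
                Name     = "$key\$($p.Name)"
                Command  = "$($p.Value)"
                Origin   = Get-ExecutableOrigin -Command "$($p.Value)"
                State    = 'n/a'
                Triggers = 'Logon'
                LastRun  = $null
            }
        }
    }
}

Get-OneDriveAutostarts | Format-Table -AutoSize
```

On a default per-user install every row reports Origin = per-user (user-writable), which is the weakness the campaign relies on: the task scheduler and the Run key faithfully relaunch whatever is sitting in that folder. Disabling the task from the OneDrive UI does not help if the attacker has re-enabled it, so the State column should be compared with what the user believes they configured; a task that is Ready after the user disabled OneDrive autostart is the tell described in the report.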

Malicious mining of cryptocurrencies is only profitable in a world where mining itself is a profitable business. Ethereum, the second-largest cryptocurrency, has already moved from proof of work (which consumes a great deal of energy and requires mining) to proof of stake (which does not). Bitcoin, the most widely held cryptocurrency, still relies on proof of work and therefore on mining.

Cybercrime follows the money

The current state of cryptocurrencies is holding back cryptojacking: many coins have fallen by 70 percent or more from their highs a year ago. Ransomware payouts are largely unaffected by this drop, because the ransom is priced in fiat currency and the coin amount is adjusted accordingly. The profitability of cryptojacking, by contrast, tracks the profitability of the mining industry as a whole, and the price of mining hardware has fallen by 70% this year. The trend is explained by the drop in coin values, but also by the cost of the electricity burned, a cost the cybercriminal never pays but the victim does, on top of the hardware wear.

Tags: Blockchain, Cryptocurrency, Cryptojacking, DLL Sideloading, Ransomware

XRATOR® – copyright 2020-2021