Cryptojacking is a form of cybercrime in which cybercriminals exploit any kind of connected devives (computers, smartphones, tablets, IOT or servers) to mine for cryptocurrency without the victim’s knowledge. Cryptojacking is motivated by profit like many forms of cybercrime, but unlike other dangers, it is covertly executed. With the interest rise in crypto currency, cryptojacking is becoming a nightmare for individuals like corporation. In a recent report, the cybersecurity company Bitdefender exposed a a new cryptojacking campaign that take advantage of Microsoft OneDrive to gain in persistence and stealth.
The OneDrive Sideloading Vulnerability
DLL files are small programs containing instructions that can help a larger program perform non-essential tasks of the original program. In the case of this latest offensive described by Bitdefender, the attackers used a known DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open source mining software and injects it into legitimate Windows processes. Sideloading is essentially installing code that has not been approved for execution on a device by the machine’s operating system developer.
OneDrive can be installed on a per-user or per-machine basis. In the default per-user installation, the folder where OneDrive is located is writable by unauthorized users and it is possible to drop a malicious DLL into it, or to modify or completely overwrite executable files. According to Bitdefender, OneDrive was specifically chosen in this attack because it allows the actor to obtain easy persistence.
Microsoft recommends that customers choose the per-machine installation option in the program files. Since per-machine installation is not always appropriate in some contexts, Bitdefender recommends that users make sure their antivirus and operating system are up to date, avoid pirated software and game cheats, and only download software from trusted locations.
Sideloading and Cybercrime
While it appears that the Onedrive sideloading campaign is only involved in cryptojacking, DLL sideloading can also be used to deploy spyware or ransomware. Moreover, since crypto-currency mining is resource-intensive, victims may immediately experience degraded CPU and GPU performance, overheating and increased power consumption, which can lead to premature wear and tear on expensive hardware. By default, OneDrive is scheduled to restart every day, yet the attackers configured the OneDrive.exe process to run after a restart, even if the user disables it. With this method, the attackers gain persistence. “In 95.5 percent of detections, the scheduled tasks restart loads the malicious secur32.dll file,” Bitdefender notes.
Malicious mining of crypto-currencies is only profitable in the world where mining itself is a profitable business. The alternative currency Ethereum has already changed from a proof-of-work approach (which uses a lot of energy and requires mining) to a proof-of-stake approach (mining is no longer required). Bitcoin, the most popular crypto-currency, is still based on a proof-of-work approach, involving mining.
Cybercrime follows the money
The current state of crypto-currencies is holding back cryptojacking attacks, as many have fallen by 70 percent or more from historical highs a year ago. Ransomware payouts are generally unaffected by the historic drop in crypto-currencies, because the amount of the ransom is expressed with fiat currency. The profitability of cryptojacking, on the other hand, is directly related to the profitability of the mining industry as a whole, and the price of mining platforms has fallen by 70% this year. The trend can be explained by the drop in the value of crypto-currency, but also by the cost of burning electricity – a parameter that is unimportant for cybercriminals, but can further harm victims.