When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Beware: Your Microsoft OneDrive could be under the spell of a crypto miner

Neowin · with 12 comments

OneDrive logo with a danger skull sign on top

The recent Ethereum merge has brought generally bad news for most miners. As such, many were busy getting rid of their expensive GPU rigs right before it happened. Some of the others however devised other ways to get around the cost of buying expensive mining equipment. And the nefarious ones out there tend to employ crypto-jacking, where they secretly use a victim's computer or any other device to mine cryptocoins.

In the latest such development, anti-virus maker Bitdefender has discovered that Microsoft's OneDrive was being used a group of threat actors for cryptojacking purposes. The campaign has been using the dynamic link library (DLL) hijacking or side-loading vulnerability exploit in OneDrive to carry out the operations. Bitdefender observed the campaign between May and July 2022 and in this span, over 700 instances of the cryptojacking were detected where similar exploits were made.

According to the report, the attackers are relying on a maliciously written secure32.dll file to infect the systems of potential victims. It is placed inside %LocalAppData%\Microsoft\OneDrive\ so that it loads up alongside OneDrive's own processes. For persistence, the threat actors have set the OneDrive.exe process to run on every reboot. After the infection is achieved, the fake secure32 DLL file is used to download the mining software on to the victim's system.

Bitdefender explains:

The attackers write a fake secure32.dll to %LocalAppData%\Microsoft\OneDrive\ as non-elevated users that will be loaded by one of the OneDrive processes (OneDrive.exe or OneDriveStandaloneUpdater. exe).

Threat actors use one of OneDrive’s dll files to easily achieve persistence, because %LocalAppData%\ Microsoft\OneDrive\OneDriveStandaloneUpdater.exe is scheduled to run every day, by default.

To make persistence even more robust, the droppers of the fake secure32.dll also set%LocalAppData%\ Microsoft\OneDrive\OneDrive.exe to run at every reboot using the Windows Registry.

Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes.

You can find more details about the campaign in the original report here.

Report a problem with article
A red malicious-looking version of the Android mascot
Next Article

New Android malware 'RatMilad' spies on victims, hides behind fake app

A broken Windows 11 logo indicating bugs
Previous Article

Windows 11 22H2 has issues with Remote Desktop, Microsoft investigating

Join the conversation!

Login or Sign Up to read and post a comment.

12 Comments - Add comment