Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

Cryptojackers have become very lucrative for cybercriminals in recent years as the price of cryptocurrency soared. From data breaches to PUAs to warez downloads, coin miners and cryptojackers crop up steadily in our threat landscape reports.
However, to meet their financial expectations, cybercriminals are taking new approaches to planting and loading cryptojackers on victims’ computers. This is the case of an active cryptojacking campaign that uses a Dynamic Library Link (DLL) hijacking vulnerability in OneDrive to achieve persistence and run undetected on infected devices.
In this paper we describe a cryptojacking campaign in which the attackers exploit known DLL Side-Loading vulnerabilities in Microsoft OneDrive.
Key findings
- Bitdefender identified and documented a cryptojacking campaign exploiting known DLL sideloading vulnerabilities in Microsoft OneDrive.
- Between May 1 to July 1, 2022 we detected over 700 instances of the cryptojacker using the DLL sideloading vulnerabilities.

Recommendations
Bitdefender recommends OneDrive users to ensure their security solution and operating systems are up-to-date; avoid cracked software and only download applications from trusted sources. Businesses should go further by tuning security solutions to monitor for DLL sideloading and applying IOCs to prevention and endpoint detection and response (EDR) solutions.
An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known Indicators of Compromise can be found in the whitepaper below.
tags
Author
Right now
Top posts
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
December 06, 2022
Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild
October 05, 2022
A Red Team Perspective on the Device42 Asset Management Appliance
August 10, 2022
Vulnerabilities Identified in Wyze Cam IoT Device
March 29, 2022
New FluBot and TeaBot Global Malware Campaigns Discovered
January 26, 2022
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately
December 10, 2021