0day DLL hijacking on OneDrive

The security company BitDefender has published information about a sideloading vulnerability in a OneDrive DLL that is currently being exploited in the wild, allowing cryptocurrency mining on vulnerable machines.


DLL hijacking is a common occurrence in Windows. When an application loads a DLL without specifying a full path, Windows resolves it by searching a fixed order of locations and takes the first match. DLL hijacking attacks abuse this search order by planting a malicious file in a location that is searched before the legitimate one, so the program loads the malicious DLL instead of the real one.

In the case of OneDrive, attackers exploit this behaviour by placing a malicious DLL file in the user's profile folder. Specifically, a fake secure32.dll file is written to %LocalAppData%\Microsoft\OneDrive. This malicious dynamic link library is then loaded by two OneDrive processes: OneDrive.exe and OneDriveStandaloneUpdater.exe.

When the malicious DLL is loaded for the first time, it starts downloading cryptocurrency mining software onto the infected system.

“Once loaded into one of the OneDrive processes, the fake secure32.dll downloads open source cryptocurrency mining software and runs it in legitimate Windows processes.”

BitDefender reports that the attack is currently limited to cryptocurrency mining, although the same foothold would let attackers deliver other malicious payloads, such as ransomware or spyware.

The security firm recommends that OneDrive be installed “per machine” rather than “per user” on Windows computers to avoid the vulnerability.
To check whether a machine is infected, open %LocalAppData%\Microsoft\OneDrive\ in File Explorer and look for a secure32.dll file in that OneDrive directory.
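The same check written as a PowerShell script, an added example that is not from the article or from BitDefender: it looks for secure32.dll in the per-user OneDrive directory, reports whether either OneDrive process currently has a module by that name loaded, and notes whether OneDrive appears to be installed per machine or per user. The Program Files locations used for the per-machine check are an assumption.

```powershell
# Added example: host check for the OneDrive secure32.dll sideloading indicator.
$oneDriveDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$suspect     = Join-Path $oneDriveDir 'secure32.dll'

# 1. Is the rogue DLL present on disk? A secure32.dll in the per-user
#    OneDrive directory has no legitimate reason to be there.
if (Test-Path $suspect) {
    $sig  = Get-AuthenticodeSignature -FilePath $suspect
    $hash = (Get-FileHash -Path $suspect -Algorithm SHA256).Hash
    Write-Warning "Found $suspect (SHA256 $hash, signature: $($sig.Status))"
} else {
    Write-Output "No secure32.dll in $oneDriveDir"
}

# 2. Has either OneDrive process loaded a module named secure32.dll?
#    This also catches a copy loaded from some other directory.
$procs = Get-Process -Name 'OneDrive', 'OneDriveStandaloneUpdater' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    try {
        $loaded = $p.Modules | Where-Object { $_.ModuleName -ieq 'secure32.dll' }
        foreach ($m in $loaded) {
            Write-Warning "PID $($p.Id) ($($p.ProcessName)) loaded $($m.FileName)"
        }
    } catch {
        # Module enumeration can fail across bitness or without privileges.
        Write-Output "Could not enumerate modules of PID $($p.Id): $_"
    }
}

# 3. Per-machine vs per-user install. Assumption: the per-machine installer
#    places OneDrive.exe under Program Files, the per-user one under
#    %LocalAppData%\Microsoft\OneDrive.
$perMachineExe = @(
    "$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe",
    "${env:ProgramFiles(x86)}\Microsoft OneDrive\OneDrive.exe"
) | Where-Object { Test-Path $_ }
$perUserExe = Test-Path (Join-Path $oneDriveDir 'OneDrive.exe')

if ($perMachineExe) {
    Write-Output "OneDrive per-machine install found: $($perMachineExe -join ', ')"
}
if ($perUserExe) {
    Write-Warning "OneDrive per-user install present in $oneDriveDir (BitDefender recommends per-machine)"
}
```

Run it in a user context, since %LocalAppData% and the per-user OneDrive processes belong to the logged-on user; an elevated prompt will resolve a different profile.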

iGuRu.gr The Best Technology Site in Greece

Written by giorgos
