0day DLL hijacking on OneDrive

BitDefender has published details of a DLL sideloading vulnerability in OneDrive that is currently being exploited in the wild to mine cryptocurrency on vulnerable machines.


DLL hijacking is a common occurrence on Windows. When an application loads a DLL without specifying a full path, Windows walks a fixed search order (the application's own directory first, then the system directories, the current directory and the directories in PATH) and loads the first file with a matching name. DLL hijacking attacks abuse this by writing a malicious DLL with the expected name into a location that is searched before the legitimate copy, so the program loads the malicious DLL instead of the real one.

In the case of OneDrive, attackers apply this idea by placing a malicious DLL in the user's own profile. Specifically, a fake secure32.dll is written to %LocalAppData%\Microsoft\OneDrive. In a per-user installation that directory is where OneDrive.exe itself lives, so it is the application directory that is searched first, and it is writable by the user without administrative rights. The malicious library is then loaded by two OneDrive processes: OneDrive.exe and OneDriveStandaloneUpdater.exe.

When the malicious DLL is loaded for the first time, it downloads cryptocurrency mining software onto the infected system.

“Once loaded into one of the OneDrive processes, the fake secure32.dll downloads open source cryptocurrency mining software and runs it in legitimate Windows processes.”

BitDefender notes that although the attack is currently limited to cryptocurrency mining, the same foothold gives attackers the option to deliver other payloads, such as spyware.

The security company recommends that OneDrive be installed “per machine” rather than “per user” on Windows computers to avoid the vulnerability: a per-machine installation places the OneDrive binaries under Program Files, where an unprivileged user cannot plant a DLL next to them.
To check whether a machine is infected, open %LocalAppData%\Microsoft\OneDrive\ and look for a secure32.dll file in that directory.
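The manual check above can be scripted. The following PowerShell is an added example written for this page, not code from BitDefender or iGuRu.gr; it assumes only the file name and directory reported in the article, and the Authenticode, loaded-module and install-type checks are additions that a responder would typically want alongside the file lookup.

```powershell
# Added example (not from the article or BitDefender): check the current user's
# profile for the secure32.dll sideloading indicator described above.
# Assumes the path and file name reported in the article; the signature,
# loaded-module and install-type checks are added here as an assumption about
# what an analyst would want, not something the article specifies.

$oneDriveDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$suspect     = Join-Path $oneDriveDir 'secure32.dll'

# 1. Is the planted DLL present in the user-writable OneDrive directory?
if (Test-Path -LiteralPath $suspect) {
    $item = Get-Item -LiteralPath $suspect
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $suspect).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $suspect
    Write-Output "FOUND  $suspect"
    Write-Output "  size=$($item.Length) created=$($item.CreationTime) sha256=$hash"
    Write-Output "  signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
    # A genuine Microsoft component would carry a Valid Microsoft signature;
    # an unsigned or self-signed file at this path is the indicator.
} else {
    Write-Output "OK     no secure32.dll in $oneDriveDir"
}

# 2. Is either OneDrive process running with a module of that name loaded
#    from the user profile? Reading .Modules can throw on a 32/64-bit mismatch,
#    so guard it.
foreach ($p in Get-Process -Name 'OneDrive','OneDriveStandaloneUpdater' -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq 'secure32.dll') {
                Write-Output "LOADED $($m.FileName) in $($p.ProcessName) (PID $($p.Id))"
            }
        }
    } catch {
        Write-Output "WARN   could not enumerate modules of $($p.ProcessName) (PID $($p.Id)): $_"
    }
}

# 3. Is OneDrive installed per user (binary under %LocalAppData%) or per machine
#    (under Program Files)? Only the per-user layout leaves the directory that
#    is searched first writable without administrative rights.
$exe = Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue |
       Select-Object -First 1 -ExpandProperty Path
if ($exe) {
    if ($exe -like "$env:LOCALAPPDATA\*") {
        Write-Output "INFO   OneDrive is installed per user: $exe"
    } else {
        Write-Output "INFO   OneDrive is installed per machine: $exe"
    }
}
```

Run it in the context of each user profile you want to check, since %LocalAppData% resolves per user; on a multi-user machine, loop over the profiles under C:\Users instead of relying on the environment variable.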

iGuRu.gr


Written by giorgos
