Cryptojackers used OneDrive sideloading for attack campaigns

October 13, 2022

Researchers have spotted a newly discovered OneDrive sideloading campaign in which cryptojackers abuse a DLL sideloading weakness in OneDrive to bypass security detections. A cybersecurity research firm monitored similar instances from May to July and observed roughly 700 DLL sideloading cases that abuse known flaws.

The malicious campaign mines with four crypto-mining algorithms: Ton, Etchash, Ethash, and XMR. The actors behind it can earn more than $10 worth of cryptocurrency for each successful infection.

OneDrive sideloading has been the go-to attack tactic for financially motivated actors.

Currently, numerous threat actors are actively running the OneDrive sideloading campaign, in which the primary implant impersonates a OneDrive library so that the attack is harder to spot. The threat actors also run a OneDrive updater through a scheduled daily task, which allows them to establish persistence on the infected system.

Other researchers also reported that the attackers combine the sideloading technique with several methods of infecting targets. One of these methods is to keep no Windows API names in the dropper or in library memory, storing only a hash of each API name in the malicious payload instead.

The recent tally has seen a surge of 30% in cryptojacking attacks in the first half of 2022. The attacks on financial institutions have also increased to nearly 300% this year. Fortunately, cryptojacking incidents in the healthcare, education, and government sectors have decreased.

The most recent cryptojacking incidents came from two advanced persistent threat groups, Mustang Panda and Lazarus. Both groups have used unsigned DLL loading to bypass security detection.
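The two defender-side signals in the paragraphs above are that the implant is a library loaded by the OneDrive client from somewhere it does not belong, and that the loaded library is unsigned. The following added example, which is not code from the article or from any of the researchers it cites, shows how a detection rule over image-load telemetry in the shape of Sysmon Event ID 7 records could combine those two checks. The install directory, the user name "alice", the library file name "placeholder_onedrive_lib.dll" and the sample records are all constructed for illustration; the article does not name the abused library.

```python
"""Flag DLL loads that look like OneDrive sideloading in Sysmon Event ID 7 style records."""
import ntpath

# Constructed, illustrative per-user install directory. On a real host this is
# %LOCALAPPDATA%\Microsoft\OneDrive for the user in question ("alice" is made up).
EXPECTED_ONEDRIVE_DIR = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive"


def flag_sideload(event):
    """Return the reasons an image-load record is suspicious; an empty list means no finding.

    `event` mirrors the fields Sysmon writes for Event ID 7 (Image Loaded):
    Image (the loading process), ImageLoaded (the DLL), Signed and Signature.
    """
    reasons = []
    # Scope the rule to libraries loaded by the OneDrive client binary itself.
    if ntpath.basename(event["Image"]).lower() != "onedrive.exe":
        return reasons

    loaded = event["ImageLoaded"]
    # A library the client resolves by name should come from its own install tree;
    # a same-named copy elsewhere is the classic sideloading pattern.
    expected_prefix = ntpath.normcase(EXPECTED_ONEDRIVE_DIR + "\\")
    if not ntpath.normcase(loaded).startswith(expected_prefix):
        reasons.append("library loaded from outside the OneDrive install directory: " + loaded)

    # The campaigns described in the article relied on unsigned DLL loading.
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("library is unsigned")
    elif "microsoft" not in event.get("Signature", "").lower():
        reasons.append("library signer is not Microsoft: " + event.get("Signature", ""))
    return reasons


def scan(events):
    """Run flag_sideload over a batch and return (ImageLoaded, reasons) pairs for the hits."""
    hits = []
    for event in events:
        reasons = flag_sideload(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate load: signed Microsoft library from inside the install tree.
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\placeholder_onedrive_lib.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    # Sideload: same library name loaded by a client copy in a public folder, unsigned.
    {"Image": r"C:\Users\Public\OneDriveUpdate\OneDrive.exe",
     "ImageLoaded": r"C:\Users\Public\OneDriveUpdate\placeholder_onedrive_lib.dll",
     "Signed": "false", "Signature": ""},
    # An unrelated process loading an unsigned DLL is out of scope for this rule.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\unrelated.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for image_loaded, reasons in scan(SAMPLE_EVENTS):
        print(image_loaded)
        for reason in reasons:
            print("  -", reason)
```

In a deployment the install prefix would be derived per user rather than hard-coded, and the signer check would be backed by certificate chain validation on the endpoint rather than the signature string alone; the rule above is deliberately narrow so that it fires only on loads by the OneDrive client and stays quiet for ordinary unsigned DLL activity elsewhere.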

The growing number of cryptojacking campaigns can be explained by the low risk and steady profit they offer threat actors, since cryptocurrency transactions are hard to trace. The actors also prefer the discretion of each transaction because it is less hassle for them than running a ransomware campaign.

Lastly, the abuse of OneDrive has paved the way for hackers to establish persistence on a target, allowing them to plan their next move.
