Cryptojacking Campaign Performs OneDrive Sideloading

Diving into details

• From May 1 to July 1, Bitdefender observed 700 instances of the campaign using DLL sideloading vulnerabilities.
• It uses four cryptocurrency mining algorithms - XMR, Ethash, Ton, and Etchash. 
• The actors make $13 worth of cryptocurrency for every infected system.

Evading detection

• OneDrive updater is initiated by a scheduled task every 24 hours, enabling threat actors to establish persistence. 
• While DLL sideloading is a technique employed in the attack, the attackers used other methods too. These include not storing Windows API names in dropper and malicious library memory and storing the hash of the API name in the malicious executable. 

Some cryptojacking stats

• H1 2022 witnessed a 30% surge in cryptojacking instances at 66.7 million.
• Cryptojacking attacks against the financial sector saw a whopping 269% rise, while attacks against the retail sector increased by 63%.
• Nevertheless, cryptojacking volumes dropped 96%, 87%, and 78% for the education, healthcare, and government sectors, respectively. 

Latest DLL hijacking threats

• Palo Alto researchers found APT gangs, including Lazarus and Mustang Panda, using unsigned DLL loading to evade detection.
• Chinese threat actors keep using ShadowPad and PlugX, often leveraging DLL sideloading to deliver and execute malware. 

The bottom line