Cryptojacking has become a lucrative enterprise for cybercriminals, as cryptocurrency prices soared. However, as is the case with every threat, the threat of cryptojacking has evolved too. In a new campaign, they are abusing a flaw in OneDrive to evade detection.

Diving into details

  • From May 1 to July 1, Bitdefender observed 700 instances of the campaign using DLL sideloading vulnerabilities.
  • It uses four cryptocurrency mining algorithms - XMR, Ethash, Ton, and Etchash. 
  • The actors make $13 worth of cryptocurrency for every infected system.

Evading detection

The threat actors actively exploit Microsoft OneDrive where the main implant masquerades as a OneDrive library.
  • OneDrive updater is initiated by a scheduled task every 24 hours, enabling threat actors to establish persistence. 
  • While DLL sideloading is a technique employed in the attack, the attackers used other methods too. These include not storing Windows API names in dropper and malicious library memory and storing the hash of the API name in the malicious executable. 

Some cryptojacking stats

  • H1 2022 witnessed a 30% surge in cryptojacking instances at 66.7 million.
  • Cryptojacking attacks against the financial sector saw a whopping 269% rise, while attacks against the retail sector increased by 63%.
  • Nevertheless, cryptojacking volumes dropped 96%, 87%, and 78% for the education, healthcare, and government sectors, respectively. 

Latest DLL hijacking threats

  • Palo Alto researchers found APT gangs, including Lazarus and Mustang Panda, using unsigned DLL loading to evade detection.
  • Chinese threat actors keep using ShadowPad and PlugX, often leveraging DLL sideloading to deliver and execute malware. 

The bottom line

The rising volume of cryptojacking attacks can be attributed to the low risk and high reward for cybercriminals. Furthermore, a cryptojacking attack is far more discrete as compared to a ransomware attack, and victims are often unaware of the attack. In addition to this, combining the aspect of abusing OneDrive, it is easier for attackers to establish persistence. Hence, ensure your OS is up-to-date and avoid installing cracked or pirated software.
Cyware Publisher