Security services provider BitDefender
published information about a DLL sideloading vulnerability of OneDrive that is exploited in the wild. According to the information, malicious actors exploit the vulnerability to mine cryptocurrency on successfully exploited machines.
DLL hijacking is a common occurrence on Windows. Windows uses a priority system to determine from which location a DLL file is loaded, when a full path is not specified by an application. DLL hijacking attacks abuse that system to plant malicious files at a location with a higher priority. The program will then load the malicious DLL instead of the legitimate DLL file.
In the case of the OneDrive malicious campaign, the attackers make use of that concept to plant a malicious DLL file into the user folder on the system. Specifically, a fake secure32.dll DLL file is written to %LocalAppData%\Microsoft\OneDrive\ in a non-elevated process. This malicious dynamic link library is then loaded by the two OneDrive processes OneDrive.exe and OneDriveStandaloneUpdater.exe.
The OneDrive updater process is scheduled to run once per day already, which ensures that the malware is loaded at least once per day on the system, provided that it is not detected by antivirus software. The malicious actors are adding OneDrive.exe to the startup of the operating system as well to "make persistence even more robust".
