OneDrive DLL Sideloading vulnerability exploited in the wild
Security services provider BitDefender published information about a DLL sideloading vulnerability of OneDrive that is exploited in the wild. According to the information, malicious actors exploit the vulnerability to mine cryptocurrency on successfully exploited machines.
DLL hijacking is a common occurrence on Windows. Windows uses a priority system to determine from which location a DLL file is loaded, when a full path is not specified by an application. DLL hijacking attacks abuse that system to plant malicious files at a location with a higher priority. The program will then load the malicious DLL instead of the legitimate DLL file.
In the case of the OneDrive malicious campaign, the attackers use that concept to plant a malicious DLL file in the user's profile folder on the system. Specifically, a fake secur32.dll is written to %LocalAppData%\Microsoft\OneDrive\ from a non-elevated process. This malicious dynamic link library is then loaded by the two OneDrive processes OneDrive.exe and OneDriveStandaloneUpdater.exe.
The OneDrive updater process is scheduled to run once per day already, which ensures that the malware is loaded at least once per day on the system, provided that it is not detected by antivirus software. The malicious actors are adding OneDrive.exe to the startup of the operating system as well to "make persistence even more robust".
When the fake DLL is loaded for the first time, it downloads cryptocurrency mining software to the infected PC system to run it.
"Once loaded into one of the OneDrive processes, the fake secur32.dll downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes."
BitDefender notes that while the attack is limited to cryptocurrency mining currently, the attackers have options to switch to other malicious attacks, including ransomware or spyware deployments.
The security company recommends that OneDrive be installed "per machine" instead of "per user" on Windows machines to avoid the DLL hijacking vulnerability. Attackers do need to compromise the Windows PC successfully in the first place to save the malicious DLL file in the OneDrive user directory. Reliable protection against malicious threats, as well as the use of common sense, should prevent the attack in the first place.
Windows users and administrators may check the OneDrive installation on Windows PCs to find out whether the malicious DLL file has already been planted on the system. To do so, load %LocalAppData%\Microsoft\OneDrive\ in File Explorer and search for secur32.dll in the OneDrive directory.
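A PowerShell check for the indicators the article describes, added here as an example; it is not code from the article or from BitDefender's report. The list of trusted secur32.dll locations and the Program Files path used to recognise a per-machine install are assumptions.

```powershell
# Added defensive check (not from the article or BitDefender's report).
# Assumption: on a clean system secur32.dll is loaded only from
# %SystemRoot%\System32 or %SystemRoot%\SysWOW64; a copy next to
# OneDrive.exe, or one loaded by a OneDrive process from anywhere else, is suspect.
$oneDriveDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$trusted     = @("$env:SystemRoot\System32\secur32.dll",
                 "$env:SystemRoot\SysWOW64\secur32.dll")

# 1. Planted file on disk, in the per-user folder named in the article?
$planted = Get-ChildItem -Path $oneDriveDir -Filter 'secur32.dll' -Recurse -File `
           -ErrorAction SilentlyContinue
foreach ($f in $planted) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Finding   = 'secur32.dll in per-user OneDrive folder'
        Path      = $f.FullName
        Created   = $f.CreationTime
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Is a running OneDrive process already holding a secur32.dll that was
#    loaded from outside the Windows system directories?
foreach ($p in Get-Process -Name 'OneDrive*' -ErrorAction SilentlyContinue) {
    try { $mods = $p.Modules } catch { continue }   # module list may be inaccessible
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq 'secur32.dll' -and $trusted -notcontains $m.FileName) {
            [pscustomobject]@{
                Finding = 'OneDrive process loaded secur32.dll from an untrusted path'
                Process = "$($p.ProcessName) (PID $($p.Id))"
                Path    = $m.FileName
            }
        }
    }
}

# 3. Install scope. Assumption: the per-machine installer places OneDrive.exe
#    under Program Files, the per-user installer under %LocalAppData%.
$perUser    = Test-Path (Join-Path $oneDriveDir 'OneDrive.exe')
$perMachine = Test-Path (Join-Path $env:ProgramFiles 'Microsoft OneDrive\OneDrive.exe')
"Per-user OneDrive.exe present   : $perUser"
"Per-machine OneDrive.exe present: $perMachine"
if ($perUser -and -not $perMachine) {
    "OneDrive is installed per user; the article recommends the per-machine install."
}
```

An empty result from sections 1 and 2 means only that this particular indicator is absent; a signed-looking or differently named DLL would not be caught by a filename check.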
The solution is to remove onedrive from your system and block connections to Microsoft. The majority of you here already have anyway so this is a non issue and only an embarrassment for the Microsoft and their gross incompetence.
A good way to deal with this is to use W10privacy, there is a specific tab to deal with OneDrive. Just go ahead and tick everything in that tab. Very few people need this rubbish let alone so tightly integrated into the system. If you need it just log into the website and drag your files there.
How unfortunate that Microsoft provides this wonderful opportunity straight out of the box on every single Windows computer on the planet.
Improve protection against DLL hijacking:
If this is helping to prevent this problem, I don't know.
Executing registry-patches by common PC-users is very dangerous.
If you have removed Onedrive (including leftovers), and you scan your PC with UltraAdwareKiller you will find a hidden Onedrive-startup, which starts every time you start your PC. UAK can remove that startup, however uncheck all other items in the different tabs or your PC/browsers get unusable (unfortunately there are a lot of items automatically checked to remove).
This is why I remove all of this unused junk from Windows. When a new profile is created, Microsoft includes the OneDrive client in the default profile. Thus, the bloated OneDrive client is present in every single new profile. One option to get rid of it is to give yourself full access to the setup files in %systemroot%\SysWOW64 and delete them.
Storing your files on someone else's hardware is just plain stupid.