Thursday, April 16, 2026

Hackers Abuse OneDrive.exe DLL Sideloading To Run Malicious Code

Threat actors are exploiting OneDrive.exe through DLL sideloading to inject and execute malicious code, leveraging the trusted Microsoft application for stealthy persistence.

This technique targets the legitimate version.dll dependency, allowing attackers to maintain system access while evading traditional defenses.

Understanding DLL Sideloading

DLL sideloading occurs when attackers place a malicious dynamic link library in a directory that Windows searches before the system’s legitimate paths, tricking applications into loading the rogue file.

For OneDrive.exe, a common Microsoft tool for cloud synchronization, the focus is on version.dll, which handles file version queries.

By dropping a custom version.dll alongside OneDrive.exe, hackers hijack this process, running arbitrary code under the guise of a signed executable.

This method relies on the Windows loader's search order, which checks the application's own directory before the system directories. Once loaded, the malicious DLL can perform reconnaissance, data exfiltration, or further infections without alerting endpoint security tools that whitelist OneDrive.

Security researchers highlight how this sideloading evades signature-based detection, as the code executes in a high-trust context.

Proxying For Stealthy Execution

To avoid crashing the host application, attackers employ DLL proxying, where the malicious version.dll mimics the original’s exports.

Using compiler directives like `#pragma comment(linker, "/export:…")`, the proxy forwards legitimate calls to the real version.dll in C:\Windows\System32, ensuring OneDrive functions normally.

This dual-layer approach, running malicious logic alongside benign operations, keeps the attack hidden.

In practice, upon DLL_PROCESS_ATTACH, the proxy disables unnecessary thread calls for efficiency, installs hooks, and spawns a payload thread.

This setup allows hackers to monitor or alter OneDrive's behavior, such as suppressing error dialogs or logging user activities, all while the app appears operational.

Advanced Hooking With VEH

The technique escalates with Vectored Exception Handling (VEH) and PAGE_GUARD for API hooking, avoiding the inline code modifications that trigger antivirus alerts.

Attackers register a VEH handler via AddVectoredExceptionHandler, targeting functions like CreateWindowExW from user32.dll.

VirtualProtect adds PAGE_GUARD to the function’s memory page, triggering a STATUS_GUARD_PAGE_VIOLATION exception on execution.

The handler intercepts this exception, redirects the instruction pointer to a hooked version of the function (perhaps one that makes windows invisible), and re-arms the guard page using the single-step flag so subsequent calls are caught as well.

This emulation of a hardware breakpoint is stealthier than traditional hooks, complicating behavioral analysis by tools like EDR solutions.

Payload Delivery and Impact

The payload, executed in a delayed thread, uses CreateProcessW to launch hidden processes. In testing this was a command shell spawning Notepad, but in real attacks it could deploy ransomware or backdoors.

Error handling writes to innocuous-looking files like C:\Users\Public\log.txt, helping the implant persist without drawing attention.

Such abuses of OneDrive.exe underscore risks in legitimate software dependencies, urging organizations to monitor DLL loads via tools like Sysmon and enforce path restrictions.
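One way to act on that monitoring advice, as an added example that is not code from the article or from Microsoft: a small detector that reads Sysmon Event ID 7 (ImageLoad) messages and flags any process that loads version.dll from outside C:\Windows\System32 or C:\Windows\SysWOW64. It goes slightly beyond the article's OneDrive case, since the rule applies to any loading process. The field names Image, ImageLoaded, Signed and Signature are Sysmon's own Event 7 fields; the sample records, paths and hash values below are constructed for the demo and are not real indicators.

```python
"""Detect version.dll sideloading in Sysmon Event ID 7 (ImageLoad) records.

Added example, not the article's or Microsoft's code. Input records are
(event_id, message_text) pairs in Sysmon's "Key: Value" message layout;
the sample records at the bottom are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only these directories are legitimate sources of version.dll.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_DLL = "version.dll"


@dataclass
class Finding:
    process: str
    dll_path: str
    severity: str
    reason: str


def parse_sysmon_message(text: str) -> dict:
    """Turn the 'Key: Value' lines of a Sysmon message into a dict.

    The leading 'Image loaded:' title line has a space in its key and is
    deliberately not matched.
    """
    fields = {}
    for line in text.strip().splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def _norm_dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def check_image_load(event_id: int, message: str) -> Optional[Finding]:
    """Return a Finding if this record is a version.dll load from a non-system path."""
    if event_id != 7:
        return None
    f = parse_sysmon_message(message)
    image, loaded = f.get("Image", ""), f.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != TARGET_DLL:
        return None
    load_dir = _norm_dir(loaded)
    if load_dir in SYSTEM_DIRS:
        return None  # expected location, nothing to report

    reasons = [f"{TARGET_DLL} loaded from outside the Windows system directories"]
    severity = "medium"
    # The classic sideload: the DLL sits next to the executable that loaded it.
    if load_dir == _norm_dir(image):
        reasons.append("DLL is in the loading application's own directory")
        severity = "high"
    # A genuine version.dll is always Microsoft-signed.
    signed = f.get("Signed", "").lower()
    if signed != "true" or "microsoft" not in f.get("Signature", "").lower():
        reasons.append("DLL is unsigned or not Microsoft-signed")
        severity = "high"
    return Finding(image, loaded, severity, "; ".join(reasons))


def scan(records: List[Tuple[int, str]]) -> List[Finding]:
    """Run the check over a list of (event_id, message) records."""
    return [fnd for eid, msg in records if (fnd := check_image_load(eid, msg))]


# Constructed sample telemetry (placeholder hashes, not real IoCs).
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
SAMPLE_RECORDS = [
    (7, rf"""Image loaded:
RuleName: -
UtcTime: 2026-04-16 09:12:01.100
ProcessId: 4120
Image: {ONEDRIVE}
ImageLoaded: C:\Windows\System32\version.dll
Hashes: SHA256=PLACEHOLDER_HASH_GENUINE
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid"""),
    (7, rf"""Image loaded:
RuleName: -
UtcTime: 2026-04-16 09:12:03.400
ProcessId: 4120
Image: {ONEDRIVE}
ImageLoaded: C:\Users\alice\AppData\Local\Microsoft\OneDrive\version.dll
Hashes: SHA256=PLACEHOLDER_HASH_ROGUE
Signed: false
Signature: -
SignatureStatus: Unavailable"""),
    (7, rf"""Image loaded:
Image: {ONEDRIVE}
ImageLoaded: C:\Windows\System32\user32.dll
Signed: true
Signature: Microsoft Windows"""),
    (1, rf"""Process Create:
Image: {ONEDRIVE}"""),
]

if __name__ == "__main__":
    for fnd in scan(SAMPLE_RECORDS):
        print(f"[{fnd.severity.upper()}] {fnd.process} loaded {fnd.dll_path}: {fnd.reason}")
```

The directory comparison is what separates a benign load from a sideload: the same OneDrive.exe loading version.dll from System32 produces no finding, while the copy placed beside the executable is flagged high because of both its location and its missing Microsoft signature.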

As attackers refine these tactics, proactive patching and behavioral monitoring remain essential defenses.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
