Threat actors are exploiting OneDrive.exe through DLL sideloading to inject and execute malicious code, leveraging the trusted Microsoft application for stealthy persistence.
This technique targets the legitimate version.dll dependency, allowing attackers to maintain system access while evading traditional defenses.
DLL sideloading occurs when an attacker places a malicious dynamic link library in a directory the Windows loader searches before the system directory, typically the application's own folder, so the application loads the rogue file instead of the legitimate one.
For OneDrive.exe, Microsoft's cloud synchronization client, the target is version.dll, the system library that exports the GetFileVersionInfo and VerQueryValue APIs used for file version queries. Because version.dll is not on the KnownDLLs list, the loader resolves it through the normal search order rather than straight from System32.
By dropping a custom version.dll alongside OneDrive.exe, attackers hijack that lookup and run arbitrary code inside a process whose image is a Microsoft-signed executable.
The method relies on the loader's default search order, which checks the application's directory first. Once loaded, the malicious DLL can perform reconnaissance, exfiltrate data, or stage further infections without alerting endpoint tools that allow-list OneDrive by image path or signature.
Security researchers note that this sideloading evades signature-based detection: the process image is signed and trusted, and controls that extend that trust to everything running inside the process never evaluate the unsigned DLL.
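The practical check a responder wants at this point is whether any running OneDrive.exe has resolved version.dll to somewhere other than the system directories, and whether a stray version.dll is sitting next to the client on disk. The following is an added example, not code from the article or from the researchers it cites; it assumes an elevated PowerShell 5.1 or later session on the host under examination, and the function name, the "expected directory" list and the per-user install path under %LOCALAPPDATA% are this example's own assumptions.

```powershell
# Added example, not code from the article: hunt for a sideloaded version.dll in
# running OneDrive.exe processes and on disk in the per-user install directory.
# Assumes an elevated PowerShell 5.1+ session on the host being examined.
# The function name and the expected-directory list are this example's own choices.

$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Find-SideloadedVersionDll {
    param([string]$ProcessName = 'OneDrive')

    $findings = @()
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # .Modules throws for processes this session cannot open; skip them rather than abort.
        try { $modules = $proc.Modules } catch { continue }

        foreach ($m in $modules) {
            if ($m.ModuleName -ne 'version.dll') { continue }

            $dir = Split-Path -Parent $m.FileName
            $fromSystem = [bool]($expectedDirs | Where-Object { $dir -ieq $_ })
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName

            # Primary signal: version.dll resolved anywhere but the system directories.
            # Secondary signal: a file whose signature no longer matches its contents.
            if (-not $fromSystem -or $sig.Status -in 'HashMismatch', 'NotTrusted') {
                $findings += [pscustomobject]@{
                    Pid        = $proc.Id
                    Image      = $proc.Path
                    LoadedFrom = $m.FileName
                    SigStatus  = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                }
            }
        }
    }

    # A dropped proxy also sits on disk next to OneDrive.exe even when the process is not running.
    # Assumption: a per-user install under %LOCALAPPDATA%\Microsoft\OneDrive (the common case).
    $installDir = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
    $onDisk = Get-ChildItem -Path $installDir -Filter 'version.dll' -Recurse -File -ErrorAction SilentlyContinue
    foreach ($f in $onDisk) {
        $findings += [pscustomobject]@{
            Pid        = $null
            Image      = $installDir
            LoadedFrom = $f.FullName
            SigStatus  = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            Signer     = 'on-disk only'
        }
    }

    return $findings
}

Find-SideloadedVersionDll | Format-Table -AutoSize
```

The directory test is the reliable signal; treat the signature column as context rather than as a verdict, because a proxy DLL can carry a valid signature from some unrelated publisher, and the genuine System32 copy is catalog-signed rather than carrying an embedded signature. Run the function under each interactive user's profile if the host is shared, since %LOCALAPPDATA% is per user.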
To avoid crashing the host application, attackers employ DLL proxying: the malicious version.dll exports the same names as the original.
Using linker directives such as #pragma comment(linker, "/export:…"), each export is declared as a forwarder to the real version.dll in C:\Windows\System32, so OneDrive's own calls still reach the genuine implementation and the application functions normally.
This dual-layer approach, malicious logic running alongside faithfully forwarded operations, keeps the attack hidden from both the user and the application's own error handling.
In practice, on DLL_PROCESS_ATTACH the proxy calls DisableThreadLibraryCalls so DllMain is not re-entered on every thread attach and detach, installs its hooks, and spawns a separate payload thread, since doing real work inside DllMain while the loader lock is held risks deadlocking the process.
This setup lets the attacker monitor or alter OneDrive's behavior, for example suppressing error dialogs or logging user activity, while the application appears fully operational.
The technique escalates with Vectored Exception Handling (VEH) and PAGE_GUARD for API hooking, which avoids the inline code patches (a jmp written over a function prologue, for instance) that antivirus and EDR memory scanners look for.
The attacker registers a handler with AddVectoredExceptionHandler, then targets a function such as CreateWindowExW in user32.dll.
VirtualProtect adds PAGE_GUARD to the page containing the function; the first access to a guard page raises STATUS_GUARD_PAGE_VIOLATION, and Windows clears the guard attribute as it does so.
The handler checks that the faulting address is the hooked function (PAGE_GUARD is page-granular, so any other code on the same page trips it as well), redirects the instruction pointer to the attacker's replacement, perhaps one that creates the window invisible, and sets the trap flag in EFLAGS so that a STATUS_SINGLE_STEP exception arrives after the next instruction, where the handler re-applies PAGE_GUARD for subsequent calls.
Because no bytes of the target function are modified, checks that compare a function's prologue in memory against the on-disk image see nothing, which complicates behavioral analysis by EDR solutions. The cost is that every hit on the guard page takes two exception round trips, so the approach is ill-suited to frequently called functions.
The payload, executed from a delayed thread, uses CreateProcessW to launch hidden processes, such as a command shell that launches Notepad for testing; in a real intrusion the same call could deploy ransomware or a backdoor.
Error handling writes to an innocuous-looking file such as C:\Users\Public\log.txt, a directory every local user can write to, so the implant keeps working without drawing attention to itself.
Such abuse of OneDrive.exe underscores the risk in the dependencies of legitimate software. Organizations should log DLL loads with Sysmon (Event ID 7, ImageLoaded) and alert on version.dll loading from anywhere other than System32 or SysWOW64, apply application control such as WDAC or AppLocker to DLLs and not only to executables, and restrict write access to application directories; note that a per-user OneDrive install lives under %LOCALAPPDATA%, where the user, and therefore any malware running as that user, can write without elevation.
As attackers refine these tactics, keeping software current and monitoring for anomalous module loads and process behavior remain essential defenses.
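To turn the Sysmon recommendation above into a concrete query, the following is an added example (not the article's own code) that reads Sysmon ImageLoaded events and reports OneDrive.exe loading version.dll from outside the system directories. It assumes Sysmon is installed and its configuration includes ImageLoad events for this library; by default Sysmon does not record Event ID 7 unless a rule asks for it, for example an ImageLoad include rule with ImageLoaded condition "end with" version.dll. The function name and the lookback window are this example's own choices.

```powershell
# Added example, not code from the article: triage Sysmon ImageLoaded events (ID 7)
# for OneDrive.exe loading version.dll from anywhere other than the system directories.
# Assumes Sysmon is installed with ImageLoad logging enabled for version.dll.

function Get-VersionDllSideloadEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 7
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $systemDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon event data is positional in the record; read it by field name from the XML instead.
        $x = [xml]($_.ToXml())
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $image  = $d['Image']
        $loaded = $d['ImageLoaded']
        if ($image -notmatch '\\OneDrive\.exe$') { return }
        if ($loaded -notmatch '\\version\.dll$') { return }

        # Loads from System32/SysWOW64 are the expected case; anything else is the sideload pattern.
        $fromSystem = [bool]($systemDirs | Where-Object { $loaded.StartsWith($_, 'OrdinalIgnoreCase') })
        if ($fromSystem) { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Pid         = $d['ProcessId']
            Image       = $image
            ImageLoaded = $loaded
            Signed      = $d['Signed']
            Signature   = $d['Signature']
            SigStatus   = $d['SignatureStatus']
            Hashes      = $d['Hashes']
        }
    }
}

Get-VersionDllSideloadEvents -Hours 72 | Format-Table -AutoSize
```

The Hashes field is what you pivot on: the same proxy DLL dropped on several hosts produces the same hash, so a single hit can be swept across the fleet, and the Signed and Signature fields show whether the attacker bothered to sign the proxy at all. Because the query keys on the loaded path rather than on the process, the same shape works for any other sideloading target by changing the two regular expressions.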