
Hackers Exploit OneDrive.exe Through DLL Sideloading to Execute Arbitrary Code

A sophisticated attack technique exploits Microsoft’s OneDrive application through DLL sideloading, allowing threat actors to execute malicious code while evading detection mechanisms.

The attack leverages a weaponized version.dll file to hijack legitimate Windows processes and maintain persistence on compromised systems.

DLL sideloading exploits Windows’ library-loading mechanism by tricking legitimate applications into loading malicious Dynamic Link Libraries instead of authentic ones.

Understanding the DLL Sideloading Attack

According to a Kas-sec security advisory, the attackers place a crafted version.dll file in the same directory as OneDrive.exe, taking advantage of the application’s DLL search order.

When OneDrive.exe launches, it automatically loads the malicious DLL from its local directory before searching system directories.

The technique targets version.dll specifically because many Windows applications, including OneDrive, rely on this library to retrieve file version information.

By positioning the malicious DLL strategically, attackers can execute code under the trusted context of a digitally signed Microsoft application, effectively bypassing security controls that monitor suspicious processes. To maintain stealth and prevent application crashes, attackers implement DLL proxying techniques.

The malicious version.dll exports the same functions as the legitimate library, forwarding legitimate function calls to the original Windows System32 version.dll while executing malicious operations in the background.

This dual functionality ensures OneDrive.exe continues operating normally, reducing the likelihood of detection by users or security software.

“The attack employs an advanced hooking technique that leverages Vectored Exception Handling and the PAGE_GUARD memory protection flag,” the advisory reads.

Instead of traditional inline hooking methods that security tools easily detect, this approach intentionally triggers memory exceptions to intercept API calls.

When OneDrive.exe attempts to call specific functions like CreateWindowExW, the malicious code captures the execution flow through exception handlers and redirects it to attacker-controlled functions.

This method proves particularly effective because it avoids persistent code modifications that signature-based detection systems typically identify.

The hook re-arms itself after each interception using single-step exceptions, maintaining continuous control over targeted API functions.
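The guard-page hooking described above leaves a footprint a defender can look for: a committed, image-backed code region that carries the PAGE_GUARD bit. Thread stacks use guard pages legitimately, but those are private memory, not mapped module code. The following scanner is an added example for this article, not code from the Kas-sec advisory; it enumerates a target process's regions with VirtualQueryEx on Windows and flags executable MEM_IMAGE regions that are guarded. The classification logic is pure, so it runs and is testable on any platform; only the enumeration is Windows-specific.

```python
"""Flag PAGE_GUARD on image-backed code pages in a running process.

Added example for this article, not the advisory's code. A guard bit on a
private stack region is normal; a guard bit on a mapped, executable module
page has no ordinary reason to exist and matches the hooking pattern the
article describes.
"""
from __future__ import annotations

import ctypes
import sys
from dataclasses import dataclass

# Constants from <winnt.h>
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_GUARD = 0x100
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE* family
PROCESS_QUERY_INFORMATION = 0x0400


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int


def is_guarded_code(region: Region) -> bool:
    """True for a committed, image-backed, executable region carrying PAGE_GUARD."""
    return (
        region.state == MEM_COMMIT
        and region.type == MEM_IMAGE
        and bool(region.protect & PAGE_GUARD)
        and bool(region.protect & EXECUTE_MASK)
    )


def suspicious_regions(regions: list[Region]) -> list[Region]:
    """Keep only the regions that match the guard-page hook footprint."""
    return [r for r in regions if is_guarded_code(r)]


if sys.platform == "win32":
    import ctypes.wintypes as wt

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        # PartitionId exists only in the 64-bit layout of the SDK structure.
        _fields_ = (
            [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
             ("AllocationProtect", wt.DWORD)]
            + ([("PartitionId", wt.WORD)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
            + [("RegionSize", ctypes.c_size_t), ("State", wt.DWORD),
               ("Protect", wt.DWORD), ("Type", wt.DWORD)]
        )

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wt.HANDLE
    k32.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.CloseHandle.argtypes = [wt.HANDLE]

    def enumerate_regions(pid: int) -> list[Region]:
        """Walk the whole address space of `pid` with VirtualQueryEx."""
        h = k32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
        if not h:
            raise ctypes.WinError(ctypes.get_last_error())
        regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
        try:
            # VirtualQueryEx returns 0 once the address leaves user space.
            while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
                base = mbi.BaseAddress or 0
                regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
                addr = base + mbi.RegionSize
        finally:
            k32.CloseHandle(h)
        return regions


if __name__ == "__main__" and sys.platform == "win32":
    # Usage: python guard_scan.py <pid>   (e.g. the PID of OneDrive.exe)
    for r in suspicious_regions(enumerate_regions(int(sys.argv[1]))):
        print(f"guarded code page at {r.base:#x} size {r.size:#x} protect {r.protect:#x}")
```

The hook re-arms its guard page after every interception, so the page spends most of its life in the guarded state and a periodic scan has a good chance of catching it; a single clean scan is not proof of absence.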

Once loaded, the malicious DLL spawns a separate thread to execute arbitrary payloads without blocking the application’s initialization process.

The proof-of-concept launches additional processes while hiding their windows from view, enabling covert operations on compromised systems.

Security professionals must implement application whitelisting, monitor DLL loading behaviors, and validate digital signatures of loaded libraries to defend against these sophisticated sideloading attacks targeting trusted applications.
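Monitoring DLL loading behaviour, as recommended above, is straightforward with Sysmon's Event ID 7 (Image loaded) telemetry: a copy of version.dll that resolves from the application directory instead of System32, and that is unsigned or not Microsoft-signed, is the search-order hijack the article describes. The detection below is an added example for this article, not code from the advisory or from Microsoft; the three sample events, the OneDrive install path and the user name are constructed, and only the fields Sysmon really emits (Image, ImageLoaded, Signed, Signature, SignatureStatus) are consulted.

```python
"""Detect DLL-sideloading indicators in Sysmon 'Image loaded' (Event ID 7) records.

Added example for this article, not code from the Kas-sec advisory or from
Microsoft. The sample events are constructed to mirror the article's scenario.
"""
from __future__ import annotations

import ntpath

# DLL names known to be picked up from the application directory. The article
# only names version.dll; extend the set from your own telemetry.
SIDELOAD_CANDIDATES = {"version.dll"}

# Directories a genuine copy of a system DLL is expected to come from.
SYSTEM_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normpath(path).lower()


def in_system_dir(path: str) -> bool:
    """True if the DLL path sits under System32 or SysWOW64."""
    return _norm(path).startswith(SYSTEM_DIRS)


def analyze(event: dict) -> list[str]:
    """Return the sideloading indicators present in one Event ID 7 record.

    An empty list means the load looks normal.
    """
    loader = _norm(event["Image"])        # process that performed the load
    loaded = _norm(event["ImageLoaded"])  # the DLL that was mapped
    name = ntpath.basename(loaded)
    if name not in SIDELOAD_CANDIDATES:
        return []

    findings = []
    if not in_system_dir(loaded):
        findings.append(f"{name} resolved from {ntpath.dirname(loaded)} instead of the system directory")
        if ntpath.dirname(loaded) == ntpath.dirname(loader):
            findings.append(f"{name} sits beside {ntpath.basename(loader)}: search-order hijack pattern")

    # A system DLL name that is unsigned, or signed by someone other than
    # Microsoft, is the tell of a proxied or cloned copy.
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    if not signed:
        findings.append(f"{name} is unsigned")
    elif status != "Valid" or not signer.startswith("Microsoft"):
        findings.append(f"{name} carries a non-Microsoft or invalid signature ({signer!r}, {status!r})")
    return findings


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run analyze() over a batch and keep only the events with findings."""
    out = []
    for ev in events:
        hits = analyze(ev)
        if hits:
            out.append((ev["ImageLoaded"], hits))
    return out


# Constructed sample telemetry (not real logs): a benign load of the real
# version.dll, a sideload from the application directory, and an unrelated DLL.
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"  # made-up path
SAMPLE_EVENTS = [
    {"Image": ONEDRIVE, "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": ONEDRIVE, "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": ONEDRIVE, "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS):
        print(path)
        for h in hits:
            print("  -", h)
```

Because the proxy DLL forwards real calls to the genuine library, a later Event ID 7 for the System32 copy will usually follow the suspicious one in the same process; correlating the two loads in one process strengthens the alert.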


Abinaya

Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
