Hackers Exploit OneDrive.exe Through DLL Sideloading to Execute Arbitrary Code
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A sophisticated attack technique that exploits Microsoft\u2019s OneDrive application through DLL sideloading<\/a>, allowing threat actors to execute malicious code while evading detection mechanisms.<\/p>\n The attack leverages a weaponized version.dll file to hijack legitimate Windows processes and maintain persistence on compromised systems.<\/p>\n DLL sideloading exploits Windows\u2019 library-loading mechanism by tricking legitimate applications into loading malicious Dynamic Link Libraries instead of authentic ones.<\/p>\n According to Kas-sec security advisory, the attackers place a crafted version.dll file in the same directory as OneDrive.exe, taking advantage of the application\u2019s dependency search order.<\/p>\n When OneDrive.exe launches, it automatically loads the malicious DLL from its local directory before searching system directories.<\/p>\n The technique targets version.dll specifically because many Windows applications, including OneDrive, rely on this library to retrieve file version information.<\/p>\n By positioning the malicious DLL<\/a> strategically, attackers can execute code under the trusted context of a digitally signed Microsoft application, effectively bypassing security controls that monitor suspicious processes. To maintain stealth and prevent application crashes, attackers implement DLL proxying techniques.<\/p>\n The malicious version.dll exports the same functions as the legitimate library, forwarding legitimate function calls to the original Windows System32 version.dll while executing malicious operations in the background.<\/p>\n This dual functionality ensures OneDrive.exe continues operating normally, reducing the likelihood of detection by users or security software<\/a>. <\/p>\n The attack employs an advanced hooking technique that leverages Vectored Exception Handling and the PAGE_GUARD memory protection flag, reads the advisory<\/a>.<\/p>\n Instead of traditional inline hooking<\/a> methods that security tools easily detect, this approach intentionally triggers memory exceptions to intercept API calls.<\/p>\n When OneDrive.exe attempts to call specific functions like CreateWindowExW, the malicious code captures the execution flow through exception handlers and redirects it to attacker-controlled functions.<\/p>\n This method proves particularly effective because it avoids persistent code modifications that signature-based detection systems typically identify.<\/p>\n The hook re-arms itself after each interception using single-step exceptions, maintaining continuous control over targeted API functions.<\/p>\n Once loaded, the malicious DLL spawns a separate thread to execute arbitrary payloads without blocking the application\u2019s initialization process.<\/p>\n The proof-of-concept<\/a> launches additional processes while hiding their windows from view, enabling covert operations on compromised systems.<\/p>\n Security professionals must implement application whitelisting, monitor DLL loading behaviors, and validate digital signatures of loaded libraries to defend against these sophisticated sideloading attacks targeting trusted applications.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Exploit OneDrive.exe Through DLL Sideloading to Execute Arbitrary Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nUnderstanding the DLL Sideloading Attack<\/strong><\/h2>\n