Cybercriminals Exploit OneDrive through DLL Sideloading to Evade Detection and Execute Malicious Code

Cybercriminals Exploit OneDrive.exe via DLL Sideloading to Execute Malicious Code

Cybersecurity researchers have uncovered a sophisticated attack method where threat actors exploit Microsoft’s OneDrive application through DLL sideloading, enabling the execution of malicious code while evading detection mechanisms.

Understanding DLL Sideloading

DLL sideloading is a technique that manipulates the way Windows applications load Dynamic Link Libraries (DLLs). By placing a malicious DLL in the same directory as a legitimate application, attackers can trick the application into loading the rogue DLL instead of the authentic one. This method allows malicious code to run under the guise of a trusted application, effectively bypassing security controls that monitor for suspicious processes.

The Attack on OneDrive.exe

In this specific attack, cybercriminals craft a malicious version.dll file and place it in the same directory as OneDrive.exe. When OneDrive.exe is launched, the standard DLL search order checks the application's own directory before the system directories, so the malicious version.dll is loaded in place of the legitimate copy in System32. This approach is particularly effective because many Windows applications, including OneDrive, rely on version.dll to retrieve file version information.

By strategically positioning the malicious DLL, attackers can execute code within the trusted context of a digitally signed Microsoft application. To maintain stealth and prevent application crashes, the attackers implement DLL proxying techniques. The malicious version.dll exports the same functions as the legitimate library, forwarding legitimate function calls to the original Windows System32 version.dll while executing malicious operations in the background. This dual functionality ensures that OneDrive.exe continues to operate normally, reducing the likelihood of detection by users or security software.

Advanced Hooking Techniques

The attack employs an advanced hooking technique that leverages Vectored Exception Handling and the PAGE_GUARD memory protection flag. Instead of traditional inline hooking methods that security tools can easily detect, this approach intentionally triggers memory exceptions to intercept API calls. When OneDrive.exe attempts to call specific functions like CreateWindowExW, the malicious code captures the execution flow through exception handlers and redirects it to attacker-controlled functions.

This method is particularly effective because it avoids persistent code modifications that signature-based detection systems typically identify. Because a guard page is cleared by the very access that triggers it, the hook re-arms itself after each interception using single-step exceptions, maintaining continuous control over the targeted API functions.

Execution of Malicious Payloads

Once loaded, the malicious DLL spawns a separate thread to execute arbitrary payloads without blocking the application’s initialization process. The proof-of-concept demonstrates the launch of additional processes while hiding their windows from view, enabling covert operations on compromised systems.

Implications and Recommendations

This attack highlights the evolving tactics of cybercriminals who exploit trusted applications to execute malicious code. By leveraging DLL sideloading, attackers can maintain persistence on compromised systems and evade detection mechanisms.

To defend against such sophisticated sideloading attacks targeting trusted applications, security professionals should implement the following measures:

1. Application Whitelisting: Restrict the execution of unauthorized applications and DLLs by maintaining a list of approved software.

2. Monitor DLL Loading Behaviors: Utilize security tools to detect and alert on unusual DLL loading patterns, especially when DLLs are loaded from non-standard directories.

3. Validate Digital Signatures: Ensure that all loaded libraries have valid digital signatures to verify their authenticity.

4. Regular Software Updates: Keep all software, including operating systems and applications, up to date with the latest security patches to mitigate known vulnerabilities.

5. User Education: Train users to recognize and avoid suspicious files and links that could lead to the execution of malicious code.

By adopting these proactive security measures, organizations can enhance their defenses against DLL sideloading attacks and protect their systems from unauthorized code execution.