Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
A Windows living-off-the-land binary (LOLBin) known as Regsvr32 is seeing a big uptick in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.

LOLBins are legitimate, native utilities used daily in various computing environments, that cybercriminals use to evade detection by blending in to normal traffic patters. In this case, Regsvr32 is a Microsoft-signed command line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs. This long reach is catnip to cyberattackers, who can abuse the utility via the “Squiblydoo” technique, Uptycs researchers warned. “Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a Wednesday writeup. “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Hmmm. May not trickle down to this lowly machine risk-wise but I enabled this rule in OSArmor anyway and will see how it goes. There's another regsvr32 rule but it seems to carry a greater risk of false-positives. This rule is otherwise disabled by default.

osa regsvr32.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top