Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

2022-02-09 21:56:49
Tara Seals
threatpost.com

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

A Windows living-off-the-land binary (LOLBin) known as Regsvr32 is seeing a big uptick in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.

LOLBins are legitimate, native utilities used daily in various computing environments, which cybercriminals use to evade detection by blending into normal activity patterns. In this case, Regsvr32 is a Microsoft-signed command-line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.

This long reach is catnip to cyberattackers, who can abuse the utility via the “Squiblydoo” technique, Uptycs researchers warned.

“Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a Wednesday writeup. “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”

The .OCX Connection

Malicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls, which are code blocks that Microsoft developed to enable applications to perform specific functions, such as displaying a calendar.

“The Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,” researchers warned. “During our analysis of these malware samples, we have identified that some of the malware samples belonged to Qbot and Lokibot attempting to execute .OCX files…97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.”

Most of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffixes, they added, which are types that contain embedded macros. During the attack, the formulas in these macros usually download or execute a malicious payload from a remote URL.

Similarly, some campaigns use Microsoft Word, Rich Text Format or Composite Document files (.DOC, .DOCX or .DOCM) embedded with malicious macros, according to Uptycs.

Identifying Suspicious regsvr32 Executions

Because Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. However, researchers noted that security teams can monitor for a couple of specific behaviors in order to track its activity:

  • Look for parent/child process relationships where Regsvr32 is executed with Microsoft Word or Microsoft Excel as its parent process;
  • Look for Regsvr32 executions that load scrobj.dll, the library that executes COM scriptlets.
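The two behaviours listed above translate directly into a detection rule over process-creation and image-load telemetry. The following Python is an added example written for this page, not code from Uptycs or Threatpost; it assumes event records with field names modelled on Sysmon Event ID 1 (process creation: Image, ParentImage, CommandLine) and Event ID 7 (image load: Image, ImageLoaded), both carrying a ProcessGuid, and the sample events are constructed placeholders rather than real logs. It correlates both indicators per process so that a regsvr32 instance that was spawned by Excel and also loaded scrobj.dll surfaces as a single high-confidence hit, while regsvr32 launched by an installer loading ordinary system DLLs is left alone.

```python
from pathlib import PureWindowsPath

# Parent processes named in the detection guidance above (Word and Excel).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
# DLL that implements COM scriptlet execution (the Squiblydoo indicator).
SCRIPTLET_DLL = "scrobj.dll"
TARGET = "regsvr32.exe"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the field is absent)."""
    return PureWindowsPath(path).name.lower() if path else ""


def classify_event(event: dict) -> list:
    """Return the indicator names a single event triggers (empty if benign).

    EventID 1 = process creation (has ParentImage, CommandLine);
    EventID 7 = image load (has ImageLoaded). Both carry ProcessGuid.
    """
    if _basename(event.get("Image", "")) != TARGET:
        return []
    indicators = []
    if event.get("EventID") == 1 and _basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        indicators.append("office_parent")
    if event.get("EventID") == 7 and _basename(event.get("ImageLoaded", "")) == SCRIPTLET_DLL:
        indicators.append("scrobj_load")
    return indicators


def find_suspicious(events) -> dict:
    """Correlate indicators per process, keyed by ProcessGuid.

    Returns {guid: {"indicators": set, "parent": str, "command_line": str}}.
    A process that both has an Office parent and loads scrobj.dll ends up
    with both indicators in one entry, the highest-confidence case.
    """
    hits = {}
    for ev in events:
        tags = classify_event(ev)
        if not tags:
            continue
        entry = hits.setdefault(
            ev["ProcessGuid"], {"indicators": set(), "parent": "", "command_line": ""}
        )
        entry["indicators"].update(tags)
        if ev.get("EventID") == 1:
            entry["parent"] = _basename(ev.get("ParentImage", ""))
            entry["command_line"] = ev.get("CommandLine", "")
    return hits


# Constructed sample telemetry (not real logs); GUIDs and paths are placeholders.
SAMPLE_EVENTS = [
    # guid-1: regsvr32 spawned by Excel, then loads scrobj.dll -> both indicators
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\sample.ocx"},
    {"EventID": 7, "ProcessGuid": "{guid-1}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    # guid-2: legitimate installer registering a vendor DLL -> benign
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-2}", "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\ole32.dll"},
    # guid-3: only the image-load event was captured, still a scrobj.dll hit
    {"EventID": 7, "ProcessGuid": "{guid-3}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},
    # guid-4: Word spawning something other than regsvr32 -> out of scope here
    {"EventID": 1, "ProcessGuid": "{guid-4}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for guid, info in find_suspicious(SAMPLE_EVENTS).items():
        print(guid, sorted(info["indicators"]), info["parent"] or "-", info["command_line"])
```

Matching on the lower-cased basename rather than the full path keeps the rule stable across System32 and SysWOW64 copies of regsvr32 and across Office install locations; in production the same two predicates map onto a SIEM query over the equivalent EDR fields, and the per-process correlation is what separates a single noisy image-load event from a process that exhibits both behaviours.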

