Search This Blog

Hackers are Now Utilizing Office Documents to Launch the Regsvr32 Utility

Regsvr32 is a Windows command-line program signed by Microsoft .

 

Regsvr32, a Windows living-off-the-land binary (LOLBin) used to propagate trojans like Lokibot and Qbot, is seeing a surge in abuse recently, according to researchers. 

LOLBins are genuine, native utilities which are used on a regular basis in a variety of computing settings, yet are utilized by cybercriminals to avoid detection by merging in with typical traffic patterns. Regsvr32 is a Windows command-line program signed by Microsoft which lets users register and unregister DLLs (Dynamic Link Library). Information about a DLL file is uploaded to the centralized registry so the Windows may use it. 

This makes things simpler for other programs to take advantage of the DLLs' features. This broad reach is appealing to cybercriminals, who may exploit the utility through Squiblydoo, which has been a utilized malware by known APT groups, such as in spear-fishing efforts against Russian firms, and more recently in certain crypto mining events. 

Unlawful utilization of Regsvr32 has been on the rise recently in the Uptycs data, with cybercrooks attempting to register specifically. As a group, we. ActiveX controls are code blocks designed by Microsoft that allow applications to perform specified functions, such as showing a calendar, using OCX files. 

Uptycs EDR employs a multi-layered detection strategy that not only analyzes threats using the Squiblydoo technique but also prioritizes them according to a specific composite score and severity. This helps analysts focus on key situations first, reducing alert fatigue. 

The majority of such Microsoft Excel files found in the attacks have the.XLSM or.XLSB prefixes, which indicate files contain embedded macros. Using the formulas in the macros, hackers normally download or operate a malicious payload from the URL during the campaign. 

Conventional security systems and security personnel tracking this operation for malicious actions face a problem because regsvr32 is frequently utilized for regular daily tasks. The following aspects can be monitored by security teams: 

  • The parent/child program relations where regsvr32 is run alongside a Microsoft Word or Excel parent process. 
  • Locating  regsvr32.exe operations that load the scrobj.dll, which performs the COM scriptlet, to identify it.
Share it:

Cryptomining Scam

Cyber Attacks

DLL

LOL bins

Microsoft Excel

Trojan

Windows