Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware

The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.

A Windows living-off-the-land binary (LOLBin) known as Regsvr32 is seeing a big uptick in abuse of late, researchers are warning, mainly spreading trojans like Lokibot and Qbot.

LOLBins are legitimate, native utilities used daily in various computing environments, that cybercriminals use to evade detection by blending in to normal traffic patters. In this case, Regsvr32 is aMicrosoft-signed command line utility in Windows that allows users to register and unregister libraries. By registering a .DLL file, information is added to the central directory (the Registry) so that it can be used by Windows and shared among programs.

This long reach is catnip to cyberattackers, who can abuse the utility via the “Squiblydoo” technique, Uptycs researchers warned.

“Threat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,” they explained in a Wednesday writeup. “This method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.”


Read More: