Microsoft Windows REGSVR32 Vulnerability
Researchers report the detection of an increase in the use of the regsvr32.exe process through various Microsoft Office documents. According to the report, malware variants have been identified trying to execute .ocx files in a technique known as Squablydoo, malware distributors are using this technique to spread Qbot and Lokibot through a Microsoft Office document, it is important to note that regsvr32 is a command-line utility on the Windows system that allows users to register or unregister DLLs. By registering a DLL file, information is added to the central directory (Registry) so that it can be used by the system.
A report from the threat research team at security analysis platform Uptycs shows that the use of regsvr32.exe has increased over the past few months across various office document formats, but mainly Excel files.
Telemetry data collected from Uptyck customers shows that December 2021 was when most of the Windows resident tool spiking incidents were recorded, but high rates continued into 2022
What is Qbot /Qaboot
Lokibot
It is malware specially designed to collect banking information from its victims. It is equipped with a variety of sophisticated evasion and information stealing functions, as well as worm-like malware functionality and a strong persistence mechanism.
What is Lokibot
A Trojan-like malware designed for stealing information and credentials from Android and Windows devices steals information and credentials from the browser, such as bank accounts, email, cryptocurrency wallets, and many other applications. In addition, it has a keystroke capture feature and allows receiving commands from the cybercriminal’s control center.
Hacking groups can use regsvr32 to load COM scriptlets and execute DLL files, a hacking method that does not make changes to the Registry as the COM object is not registered, but executed using this technique, threat actors can evade the whitelisting of applications during the execution phase of the attack’s kill chain
Recommendations.
- Monitor parent/child process relationships where regsvr32 runs with the parent process in Word or Excel and more Microsoft Office applications.
- An attack can be identified by looking for regsvr32.exe executions that load the scrobj.dll that executes the COM scriptlet.
- Creation of ATP rules to monitor or block the execution of regsvr32.exe.
Use cases *:
- Phishing Prevention & Anti-Spam Protection.
- Unknown events at malware level
- Tracking of possible zero-day attack activities
- Network DoS
*To have these detections, the client must have contracted SOC services.
For more information you can consult the following sources associated with the news:
- https://www.cibertip.com/ciberseguridad/cibercriminales-explotan-la-utilidad-de-microsoft-regsvr32-y-la-tecnica-squablydoo-para-hackear-redes-empresariales/
- https://support.microsoft.com/en-us/topic/how-to-use-the-regsvr32-tool-and-troubleshoot-regsvr32-error-messages-a98d960a-7392-e6fe-d90a-3f4e0cb543e5
- https://diarioinforme.com/qbot-el-malware-lokibot-vuelve-a-la-entrega-de-windows-regsvr32/
- https://www.cronup.com/top-malware-series-qbot-trojan/