Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware (Security News, February 2022)
A Windows living-off-the-land binary (LOLBin), Regsvr32, is seeing a big uptick in abuse of late, researchers are warning, mainly to spread trojans such as Lokibot and Qbot.
Regsvr32 is a Microsoft-signed command-line utility shipped with Windows that registers and unregisters DLLs and OLE/ActiveX controls (.OCX files), which makes it a convenient, trusted loader for attacker-supplied libraries.
Malicious use of Regsvr32 has been surging of late in Uptycs telemetry, researchers warned, with cybercrooks specifically using it to register malicious .OCX files.
"The Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files," researchers warned.
"During our analysis of these malware samples, we have identified that some of the malware samples belonged to Qbot and Lokibot attempting to execute .OCX files. 97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files."
Detection guidance: look for parent/child process relationships where Regsvr32 is executed with a parent process of Microsoft Word or Microsoft Excel. Office applications have little legitimate reason to spawn regsvr32.exe directly, so that lineage is a high-signal indicator of a malicious document dropping and registering an .OCX payload.
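As an added example (not code from the article or from Uptycs), the detection rule above applied to process-creation telemetry. The events below are constructed for this illustration in a simplified Sysmon Event ID 1 style (Image, ParentImage, CommandLine); the field names, the sample paths and the set of Office parents to watch are assumptions, and the rule also pulls out the module path that regsvr32 was asked to register so an analyst can go and grab the file.

```python
"""Flag regsvr32.exe launched by Microsoft Word or Excel (added example).

Events are dicts modelled loosely on Sysmon Event ID 1 fields. Everything
here (field names, paths, the OFFICE_PARENTS set) is an assumption made for
the example, not a format or list taken from the article.
"""
import re
from typing import Dict, Iterable, List, Optional

# Parents named in the article; extend (e.g. powerpnt.exe) per your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def registered_module(cmdline: str) -> Optional[str]:
    """Return the module regsvr32 was asked to (un)register.

    regsvr32 takes switches starting with '/' or '-' (e.g. /s, /u, /i:...)
    and the module as the first non-switch argument; quoted paths are
    honoured. Returns None if no module argument is present.
    """
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    for tok in tokens[1:]:  # tokens[0] is the executable itself
        if tok.startswith(("/", "-")):
            continue
        return tok
    return None


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event where regsvr32.exe has an Office parent."""
    alerts = []
    for ev in events:
        if basename(ev.get("Image", "")) != "regsvr32.exe":
            continue
        parent = basename(ev.get("ParentImage", ""))
        if parent not in OFFICE_PARENTS:
            continue
        alerts.append({
            "parent": parent,
            "module": registered_module(ev.get("CommandLine", "")) or "",
            "cmdline": ev.get("CommandLine", ""),
        })
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {   # Excel spawning regsvr32 to silently register a dropped .OCX: alert
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.ocx",
    },
    {   # Word spawning the 32-bit regsvr32 with a quoted path: alert
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" -s "C:\ProgramData\ab cd.ocx"',
    },
    {   # regsvr32 from an installer under explorer: not the pattern in the article
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\comctl.dll",
    },
    {   # Excel spawning something else: not regsvr32
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"msiexec.exe /i addin.msi",
    },
]


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT regsvr32 spawned by {a['parent']}: module={a['module']!r}")
```

The rule keys on process lineage rather than on the command line, because regsvr32's switches are easy to vary while the Office parent is inherent to the macro-dropper chain the article describes; the extracted module path is enrichment for triage, not the trigger.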
News URL
https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/
Related news
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware (source)
- Cybercriminals used a gaming engine to create undetectable malware loader (source)
- Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware (source)
- Windows, macOS users targeted with crypto-and-info-stealing malware (source)
- New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools (source)