Security News > 2022 > February > Qbot, Lokibot malware switch back to Windows Regsvr32 delivery
Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office document using regsvr32.
A report from the threat research team at security analytics platform Uptycs shows that the use of regsvr32.
The regsvr32 is a Windows command-line utility used for registering and unregistering OLEs in the registry.
The threat actors abuse the utility not for making registry modifications but for loading COM scriptlets from a remote source using DLLs. For this purpose, they use regsvr32 to register OCX files, which are special-purpose software modules that can call ready-made components, such as DLLs. This technique is called "Squiblydoo", and it has been employed in malware-dropping operations since 2017.
In the currently ongoing campaign, threat actors use Excel, Word, RTF, and composite document files with malicious macros that start the regsvr32 as a child process.
The above method provides good evasion for the malware payload, because regsvr32 is a Windows tool used for multiple routine operations.
News URL
Related news
- CISA warns of Windows flaw used in infostealer malware attacks (source)
- Windows users targeted with fake human verification pages delivering malware (source)
- New Windows Malware Locks Computer in Kiosk Mode (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)