Security News > 2022 > February > Qbot, Lokibot malware switch back to Windows Regsvr32 delivery
Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office document using regsvr32.
A report from the threat research team at security analytics platform Uptycs shows that the use of regsvr32.
The regsvr32 is a Windows command-line utility used for registering and unregistering OLEs in the registry.
The threat actors abuse the utility not for making registry modifications but for loading COM scriptlets from a remote source using DLLs. For this purpose, they use regsvr32 to register OCX files, which are special-purpose software modules that can call ready-made components, such as DLLs. This technique is called "Squiblydoo", and it has been employed in malware-dropping operations since 2017.
In the currently ongoing campaign, threat actors use Excel, Word, RTF, and composite document files with malicious macros that start the regsvr32 as a child process.
The above method provides good evasion for the malware payload, because regsvr32 is a Windows tool used for multiple routine operations.
News URL
Related news
- Detecting Windows-based Malware Through Better Visibility (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)