Researchers at Uptycs have reported a sharp rise in incidents where cybercriminals use the Windows Regsvr32 utility during their attacks.
Attackers are spreading trojans such as Lokibot and Qbot by registering malicious libraries with Windows Regsvr32. They are said to start the operation by distributing malicious Microsoft Office files, eventually reaching Regsvr32 because its activity is mostly legitimate and tends not to be flagged by security software.
Leveraging LoLBins For Attacking
To evade detection by security systems, attackers keep finding new ways to slip through. The latest technique discovered by Uptycs researchers is worrying because it uses legitimate software tools to get into a target system and carry out the desired actions.
According to the researchers, attackers make heavy use of LoLBins (living-off-the-land binaries) in their attack chains: legitimate, native utilities that the operating system itself relies on for everyday tasks. Microsoft's Regsvr32 is one such utility, which attackers abuse to register and unregister libraries of their choosing.
Researchers noted that attackers are registering malicious .OCX files with Regsvr32, and these files carry out a range of malicious tasks. They are delivered to the target system through specially crafted Microsoft Office documents. In their report, the Uptycs Threat Research team says it has noted "more than 500+ malware samples using Regsvr32.exe to register .OCX files."
These files unpack and install trojans, mostly Qbot and Lokibot, which come with a range of capabilities for stealing data from the infected system. The initial malicious files that kick off the campaign are delivered as Microsoft Excel, Microsoft Word, Rich Text Format, or Composite Document files.
Although it is hard for automated security systems to distinguish malicious Regsvr32 activity from legitimate use, security teams can hunt for the malicious actions as follows:
- Look for parent/child process relationships where Regsvr32 is executed with Microsoft Word or Microsoft Excel as its parent process;
- Look for Regsvr32 executions that load scrobj.dll, which executes a COM scriptlet.
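The two hunting rules above can be turned into simple detection logic over endpoint telemetry. The following is an added example written for this article, not code from Uptycs or from the report it describes. It runs over constructed, Sysmon-style process-creation and image-load records (the field names, process IDs and paths are made up for the example) and flags a Regsvr32 execution whose parent is Word or Excel, or which loads scrobj.dll. A Regsvr32 run launched by an installer is included as a benign baseline that should not be flagged. As an extra heuristic beyond the article, it also matches scrobj.dll when it appears on the Regsvr32 command line, since command-line logging is more widely available than image-load events.

```python
"""Detect suspicious Regsvr32 activity from constructed process telemetry.

Added example; the records below are constructed for illustration and
loosely mirror Sysmon Event ID 1 (process create) and 7 (image load).
"""
from dataclasses import dataclass, field
from typing import List, Dict

@dataclass
class Event:
    kind: str                   # "process_create" or "image_load"
    pid: int                    # process id of the process the event is about
    image: str                  # full path of that process's executable
    parent_image: str = ""      # parent executable (process_create only)
    command_line: str = ""      # command line (process_create only)
    loaded_image: str = ""      # DLL loaded (image_load only)

# Parents the article names as suspicious for a Regsvr32 child.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_suspicious_regsvr32(events: List[Event]) -> List[Dict[str, object]]:
    """Apply the two hunting rules and return one finding per match."""
    findings: List[Dict[str, object]] = []
    for e in events:
        if basename(e.image) != "regsvr32.exe":
            continue                                   # only Regsvr32 events matter
        if e.kind == "process_create":
            parent = basename(e.parent_image)
            if parent in OFFICE_PARENTS:               # rule 1: Office spawned Regsvr32
                findings.append({"pid": e.pid, "rule": "office_parent",
                                 "detail": f"parent={parent} cmd={e.command_line}"})
            if "scrobj.dll" in e.command_line.lower():  # extra: scrobj.dll on the command line
                findings.append({"pid": e.pid, "rule": "scrobj_cmdline",
                                 "detail": e.command_line})
        elif e.kind == "image_load":
            if basename(e.loaded_image) == "scrobj.dll":  # rule 2: COM scriptlet host loaded
                findings.append({"pid": e.pid, "rule": "scrobj_load",
                                 "detail": e.loaded_image})
    return findings

# Constructed sample telemetry: one malicious chain (pid 4212) and one benign
# installer-driven registration (pid 5300). Paths and PIDs are illustrative.
SAMPLE_EVENTS = [
    Event("process_create", 4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent_image=r"C:\Windows\explorer.exe", command_line="WINWORD.EXE /n invoice.docm"),
    Event("process_create", 4212, r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line=r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.ocx"),
    Event("process_create", 5300, r"C:\Windows\System32\regsvr32.exe",
          parent_image=r"C:\Windows\System32\msiexec.exe",
          command_line=r"regsvr32.exe /s C:\Program Files\ExampleVendor\vendor.dll"),
    Event("image_load", 5300, r"C:\Windows\System32\regsvr32.exe",
          loaded_image=r"C:\Windows\System32\ole32.dll"),
    Event("image_load", 4212, r"C:\Windows\System32\regsvr32.exe",
          loaded_image=r"C:\Windows\System32\scrobj.dll"),
]

def suspicious_pids(events: List[Event]) -> List[int]:
    """Distinct PIDs with at least one finding, in first-seen order."""
    seen: List[int] = []
    for f in find_suspicious_regsvr32(events):
        if f["pid"] not in seen:
            seen.append(f["pid"])
    return seen

if __name__ == "__main__":
    for f in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(f"pid={f['pid']} rule={f['rule']} {f['detail']}")
    print("suspicious pids:", suspicious_pids(SAMPLE_EVENTS))
```

On the sample data the Word-spawned Regsvr32 (pid 4212) is reported twice, once for its Office parent and once for loading scrobj.dll, while the installer-driven registration (pid 5300) produces nothing. In a real deployment the same rules map directly onto a SIEM query over Sysmon or EDR process and image-load events; keep the Office-parent rule broad and tune exclusions per environment rather than narrowing the rule itself.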