Trending regsvr32 & Squiblydoo Technique

Industry: N/A | Level: Tactical | Source: Uptycs

Native windows program, regsvr32, a weapon of choice for living-off-the-land binary (LOLBin), has seen increased usage in the wild by the Uptycs threat research team. The utility is combined with Squiblydoo technique, which is described by MITRE "Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting." Additional, insight from the Uptycs team has identified "over 500+ samples" leveraging regsv32 to register OCX files that are associated with ActiveX control. The majority of samples abusing regsvr32 have been Microsoft Excel files (mainly), followed by rich text files and Microsoft Word documents.

• Anvilogic Use Cases:
• Malicious Document Execution
• regsvr32 Execution
• Suspicious process Spawned by Java