fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Qbot, Lokibot Malware Switch Back to Windows Regsvr32 Delivery

Qbot, Lokibot Malware Switch Back to Windows Regsvr32 Delivery

Malware distributors have turned to an older trick known as Squiblydoo to spread Qbot and Lokibot via Microsoft Office document using regsvr32.exe.

A report from the threat research team at security analytics platform Uptycs shows that the use of regsvr32.exe has been spiking for the past couple of months, occurring via various document formats but mainly Excel files.

The sudden focus this particular command-line utility is explained by the fact that it allows threat actors to bypass application blocklisting that could put an end to the infection chain.

Telemetry data collected from Uptyck’s clients shows that December 2021 was when most incidents of the Windows resident tool abuse were recorded, but the high rates continued in 2022.

Also Read: What a Vulnerability Assessment Shows and How It Can Save You Money

Uptyck detection for OCX registrations
Number of detected OCX registrations (Uptyck)

The return of the “Squiblydoo”

The regsvr32 is a Windows command-line utility used for registering and unregistering OLEs (DLLs and ActiveX controls) in the registry.

The threat actors abuse the utility not for making registry modifications but for loading COM scriptlets from a remote source using DLLs (scrobj.dll).

For this purpose, they use regsvr32 to register OCX files, which are special-purpose software modules that can call ready-made components, such as DLLs.

Also Read: What You Need to Know About Singapore’s Data Sharing Arrangements

Detection of regsvr32 abuse
Detection of regsvr32 abuse for OCX registration (Uptyck)

This technique is called “Squiblydoo”, and it has been employed in malware-dropping operations since 2017. Back then, ESET researchers first noticed it in a campaign focused on targets in Brazil.

In the currently ongoing campaign, threat actors use Excel, Word, RTF, and composite document files with malicious macros that start the regsvr32 as a child process.

These documents are typically distributed via phishing campaigns, although they can also be dropped through “blind” SEO poisoning attacks.

Blending in

The above method provides good evasion for the malware payload, because regsvr32 is a Windows tool used for multiple routine operations.

As such, security solutions are less likely to catch the threat and step in to end the infection chain.

Also, using remote COM scriptlets enables the attackers to load fileless malware; and because these payloads run from within the document, the chances to detect them are lower.

To help defenders, Uptyck has shared a list with indicators of compromise that can be used for targeted threat hunting on this GitHub repository.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us