The living-off-the-land binary (LOLBin) method is being leveraged by attackers around the globe to spread trojans and other malware.
LOLBins are native utilities that attackers can use to evade detection by blending in with normal activity patterns. In this case, Regsvr32 is a legitimate, Microsoft-signed command-line utility that allows Windows users to register and unregister libraries. Registering a .DLL file adds information to the machine's Registry so that the library can be used by Windows and other programs. Regsvr32 is being used to load COM scriptlets that can bypass application white-listing controls and execute .DLLs. These malicious activities are usually executed using malicious macros embedded in Microsoft Office documents with Rich Text Formatting (.docx, .docm, .xlsm, .xlsb, etc.).
Suspicious executions of Regsvr32 can be identified by looking for instances of the utility with Microsoft Word or Microsoft Excel as the parent process. Other indicators are .OCX files that have been placed in the Registry, or executions of Regsvr32 that load a .DLL named "scrobj.dll".
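One way to apply these indicators to process-creation telemetry, as an added example that is not from the report: the events below are constructed Sysmon-style records (Image, ParentImage, CommandLine), and every path and file name in them is made up.

```python
"""Flag suspicious Regsvr32 executions in Sysmon-style process-creation events.
Added example, not from the Threatpost report; all paths below are constructed."""
import os

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPTLET_HOST = "scrobj.dll"  # COM scriptlet host named in the report

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s /i:C:\Users\alice\AppData\Local\Temp\q.sct scrobj.dll"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorctl.dll"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\Downloads\helper.dll"},
    {"Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

def image_name(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return os.path.basename(path.replace("\\", "/")).lower()

def classify(event):
    """Return the report's indicators matched by one event; [] means none."""
    if image_name(event["Image"]) != "regsvr32.exe":
        return []
    reasons = []
    parent = image_name(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    if SCRIPTLET_HOST in event["CommandLine"].lower():
        reasons.append(f"loads {SCRIPTLET_HOST} (COM scriptlet execution)")
    return reasons

def find_suspicious(events):
    """Pair each flagged event with its reasons; events with no indicator are dropped."""
    return [(e, r) for e in events for r in [classify(e)] if r]

if __name__ == "__main__":
    for event, reasons in find_suspicious(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", "; ".join(reasons))
```

The benign vendor registration launched from Explorer produces no hit, while the Office-spawned events are reported with the specific indicator each one matched.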
Threatpost Report: https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/
