System Binary Proxy Execution: Regsvr32

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. [1]

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. [2] This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments. [3] [4]

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. [3]

ID: T1218.010
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Defense Bypassed: Anti-virus, Application control, Digital Certificate Validation
Contributors: Casey Smith
Version: 2.1
Created: 23 January 2020
Last Modified: 21 April 2023

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed can call regsvr32.exe for execution.[5]

G0073 APT19

APT19 used Regsvr32 to bypass application control techniques.[6]

G0050 APT32

APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.[7][8][9]

S0373 Astaroth

Astaroth can be loaded through regsvr32.exe.[10]

G0108 Blue Mockingbird

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.[11]

C0015 C0015

During C0015, the threat actors employed code that used regsvr32 for execution.[12]

G0080 Cobalt Group

Cobalt Group has used regsvr32.exe to execute scripts.[13][14][15]

G0009 Deep Panda

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[16]

S0021 Derusbi

Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.[17]

S0384 Dridex

Dridex can use regsvr32.exe to initiate malicious code.[18]

S0554 Egregor

Egregor has used regsvr32.exe to execute malicious DLLs.[19]

S0568 EVILNUM

EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.[20]

S0698 HermeticWizard

HermeticWizard has used regsvr32.exe /s /i to execute malicious payloads.[21]

S0087 Hi-Zor

Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism.[22]

G0100 Inception

Inception has ensured persistence at system boot by setting the value regsvr32 %path%\ctfmonrn.dll /s.[23]

G0094 Kimsuky

Kimsuky has executed malware with regsvr32s.[24]

S0250 Koadic

Koadic can use Regsvr32 to execute additional payloads.[25]

G0065 Leviathan

Leviathan has used regsvr32 for execution.[26]

S0284 More_eggs

More_eggs has used regsvr32.exe to execute the malicious DLL.[27]

S1047 Mori

Mori can use regsvr32.exe for DLL execution.[28]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used regsvr32 to execute malware.[29]

S0229 Orz

Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.[26]

S0650 QakBot

QakBot can use Regsvr32 to execute malicious DLLs.[30][31][32][33][34][35]

S0481 Ragnar Locker

Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.[36]

S0270 RogueRobin

RogueRobin uses regsvr32.exe to run a .sct file for execution.[37]

S1018 Saint Bot

Saint Bot has used regsvr32 to execute scripts.[38][39]

S1030 Squirrelwaffle

Squirrelwaffle has been executed using regsvr32.exe.[40]

G0127 TA551

TA551 has used regsvr32.exe to load malicious DLLs.[41]

S0476 Valak

Valak has used regsvr32.exe to launch malicious DLLs.[42][41]

G0090 WIRTE

WIRTE has used regsvr32.exe to trigger the execution of a malicious script.[43]

S0341 Xbash

Xbash can use regsvr32 for executing scripts.[44]

Mitigations

ID Mitigation Description
M1050 Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. [45] Identify and block potentially malicious software executed through regsvr32 functionality by using application control [46] tools, like Windows Defender Application Control[47], AppLocker, [48] [49] or Software Restriction Policies [50] where appropriate. [51]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. [3]

DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0009 Process Process Creation

Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). - Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic.- Analytic 2 is around "Squiblydoo", which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet).

Analytic 1 - Generic Regsvr32

processes = filter processes where ( (event_id == "1" OR event_id == "4688") AND parent_image_path == "regsvr32.exe" and exe != "regsvr32.exe*")

Analytic 2 - Squiblydoo

processes = filter process where ( (event_id == "1" OR event_id == "4688") AND (process_path == "regsvr32.exe" and command_line == "scrobj.dll"))

References

  1. Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
  2. LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.
  3. Nolen, R. et al.. (2016, April 28). Threat Advisory: “Squiblydoo” Continues Trend of Attackers Using Native OS Tools to “Live off the Land”. Retrieved April 9, 2018.
  4. Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
  5. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  6. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  7. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  8. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  9. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  10. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  11. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  12. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  13. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  14. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  15. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  16. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  17. Fidelis Threat Research Team. (2016, May 2). Turbo Twist: Two 64-bit Derusbi Strains Converge. Retrieved August 16, 2018.
  18. Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023.
  19. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
  20. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  21. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  22. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  23. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  24. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  25. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  26. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  1. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  2. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  3. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  4. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  5. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  6. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  7. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  8. Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
  9. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023.
  10. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  11. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  12. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  13. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  14. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  15. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  16. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  17. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  18. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  19. National Security Agency. (2016, May 4). Secure Host Baseline EMET. Retrieved June 22, 2016.
  20. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  21. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  22. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  23. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  24. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
  25. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.