Attack Chain

1. An attacker gains initial access to a compromised system.
2. The attacker drops a malicious DLL file, disguised as or named similarly to “IObitUnlockerExtension.dll”, onto the system.
3. The attacker uses regsvr32.exe to register the malicious DLL: regsvr32.exe /s IObitUnlockerExtension.dll. The /s flag is used for silent registration to avoid user interaction.
4. Upon successful registration, the DLL is loaded by the system.
5. The malicious DLL hooks into system processes, granting the attacker the ability to unlock files and folders protected by the operating system or other applications.
6. The attacker leverages the DLL’s capabilities to unlock files or folders related to security software, such as antivirus programs, or critical system configurations.
7. The attacker modifies or replaces these unlocked files to disable security controls, escalate privileges, or plant persistent malware.
8. The attacker achieves their objective, which may include data exfiltration, system disruption, or deploying ransomware.

Impact

Successful exploitation can lead to the complete compromise of a Windows host. An attacker may disable security software, modify sensitive system configurations, and deploy malware undetected. The DFIR Report has observed this technique used in intrusions leading to ransomware deployment.

Recommendation

• Deploy the Sigma rule Detect IOBit Unlocker Extension DLL Registration via Regsvr32 to your SIEM to identify suspicious registrations of IOBitUnlockerExtension.dll.
• Monitor process creation events for instances of regsvr32.exe registering DLLs from unusual or suspicious locations.
• Implement application control policies to restrict the execution of regsvr32.exe to authorized users and processes.
• Regularly review and audit registered DLLs to identify any unauthorized or malicious extensions.
• Investigate any endpoint activity involving IObit Unlocker, including file modifications and process terminations related to locked files.