Qbot and Lokibot trojans are being deployed using the Windows Regsvr32.exe tool, a LOLBin (living-off-the-land binary). Various types of malicious Microsoft files are being used to spread the malware; these files attempt to execute .OCX files.
“During our analysis of these malware samples, we have identified that some of the malware samples belonged to Qbot and Lokibot attempting to execute .OCX files…97 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.” Threat Researchers from Uptycs Labs.
Most of the files found by the researchers are .XLSB or .XLSM files, with some being composite documents (.DOCX, .DOC, or .DOCM). LOLBins such as Regsvr32 are legitimate tools, which makes it much easier for them to evade detection. However, specific behaviors can be tracked by security teams:
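One behavior that follows from the description above is an Office process starting Regsvr32.exe with an .OCX argument. The sketch below is an added example, not taken from the Uptycs report; the event field names (modeled on process-creation telemetry), the list of Office parent processes, and all sample paths and file names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: Office hosts for the document types named above (Excel, Word).
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
# A command-line argument ending in .ocx, quoted or unquoted, any case.
OCX_ARG = re.compile(r'\.ocx(?=["\s]|$)', re.IGNORECASE)


def exe_name(path):
    """Lower-cased file name of a Windows path, parsed on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    if exe_name(event["image"]) != "regsvr32.exe":
        return None
    if exe_name(event["parent_image"]) not in OFFICE_PARENTS:
        return None  # e.g. an installer registering its own control
    # Office starting regsvr32 is unusual; an .ocx argument matches the report.
    return "alert" if OCX_ARG.search(event["command_line"]) else "review"


def scan(events):
    """Return (index, verdict) for every event that classify() flags."""
    verdicts = ((i, classify(e)) for i, e in enumerate(events))
    return [(i, v) for i, v in verdicts if v]


def ev(parent, image, cmd):
    return {"parent_image": parent, "image": image, "command_line": cmd}


# Constructed sample events; every path and file name is a placeholder.
SYS32 = "C:\\Windows\\System32\\"
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
REG = SYS32 + "regsvr32.exe"
SAMPLE_EVENTS = [
    ev(OFFICE + "EXCEL.EXE", REG, "regsvr32.exe /s C:\\Users\\Public\\sample1.ocx"),
    ev(OFFICE + "WINWORD.EXE", REG, 'regsvr32 -s "C:\\ProgramData\\sample 2.OCX"'),
    ev(SYS32 + "msiexec.exe", REG, 'regsvr32.exe /s "C:\\Program Files\\Vendor\\control.ocx"'),
    ev(OFFICE + "EXCEL.EXE", SYS32 + "notepad.exe", "notepad.exe C:\\Users\\Public\\notes.ocx"),
    ev(OFFICE + "EXCEL.EXE", REG, "regsvr32.exe /s C:\\Users\\Public\\sample3.dll"),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(verdict, "|", SAMPLE_EVENTS[index]["command_line"])
```

The installer-driven registration (third event) is deliberately not flagged, since legitimate software also registers .OCX controls through Regsvr32; the parent process is what separates the two cases.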