Security researchers have warned that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as a method to achieve persistence and execute code on a target machine via malicious Office add-ins. This technique is an alternative to sneaking VBA macros into documents that fetch malware from an external source. Since Microsoft announced it would block the execution of VBA and XL4 macros in Office by default, threat actors have moved to archive files and to VSTO, which gives them an attack vector for building .NET-based malware and embedding it in an Office add-in.
Security researchers at Deep Instinct have recently discovered multiple such attacks and believe that skillful hackers are increasingly adopting the method. Although VSTO-based attacks are not new, they are a rare occurrence and have not been too much of a concern for the infosec community.
VSTO is a software development kit, part of Microsoft's Visual Studio IDE, used to build VSTO add-ins, which are extensions for Office applications that can execute code on the machine. These add-ins can be packaged with the document files or downloaded from a remote location and are executed when the document is launched with the associated Office app.
Threat actors prefer the local VSTO approach, which does not require bypassing trust-related security mechanisms to execute the add-in code, but Deep Instinct also noticed some attacks using remote VSTO add-ins. A sign of these payload-carrying documents is the presence of a Custom.xml parameter that tells the Office application where to locate the add-in and to install it. The dependencies of the add-in payload are stored together with the document, typically inside an ISO container. The threat actors set these extra files to Hidden, hoping that the victim misses them and assumes the archive contains only a document.
After launching the document, a prompt appears asking to install the add-in. Attackers can trick the victim into allowing the action in much the same way as with the "Enable content" pop-up used to get malicious VBA macros to execute. In one attack that Deep Instinct saw targeting users in Spain, the add-in payload executed an encoded and compressed PowerShell script on the computer. In another example, which involved a remote VSTO-based add-in, the threat actors set the .DLL payload to download a password-protected ZIP archive and drop it into the %AppDataLocal folder.
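The document-level indicator described above (a custom document property pointing Office at the add-in to install) is something a defender can triage automatically. The following script is an added example, not code from the article or from Deep Instinct: it opens an OOXML document as a ZIP, reads docProps/custom.xml, and flags the `_AssemblyName` and `_AssemblyLocation` properties that VSTO document-level customizations use (these property names are not quoted on the page; they are the names VSTO writes). It then distinguishes a local add-in reference from a remote one (HTTP, file or UNC path), matching the local/remote split the article draws. The sample documents are constructed in memory, and the remote URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# OOXML namespaces for docProps/custom.xml and its variant-type values.
NS_CUSTOM = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"

# Custom document properties that VSTO sets on a document-level customization.
# Office reads them to find and install the add-in.
VSTO_PROPERTIES = ("_AssemblyLocation", "_AssemblyName")

# A location that is a URL, a file: URI or a UNC path points at a remote add-in.
REMOTE_LOCATION = re.compile(r"^(https?://|file://|\\\\)", re.IGNORECASE)


def read_custom_properties(doc_bytes):
    """Return {name: value} for every property in docProps/custom.xml, or {} if absent."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{NS_CUSTOM}}}property"):
        # The value is the text of the single typed child (vt:lpwstr, vt:i4, ...).
        child = next(iter(prop), None)
        props[prop.get("name")] = (child.text or "") if child is not None else ""
    return props


def analyze_document(doc_bytes):
    """Classify a document as 'none', 'local_vsto' or 'remote_vsto' and return the VSTO properties found."""
    props = read_custom_properties(doc_bytes)
    found = {k: v for k, v in props.items() if k in VSTO_PROPERTIES}
    if not found:
        return {"verdict": "none", "properties": {}}
    location = found.get("_AssemblyLocation", "")
    verdict = "remote_vsto" if REMOTE_LOCATION.search(location) else "local_vsto"
    return {"verdict": verdict, "properties": found}


def build_sample_docx(custom_props=None):
    """Build a minimal, constructed .docx in memory; custom_props (if given) becomes docProps/custom.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if custom_props:
            parts = []
            # pid numbering starts at 2 in OOXML custom properties.
            for pid, (name, value) in enumerate(custom_props.items(), start=2):
                parts.append(
                    f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{pid}" '
                    f'name="{escape(name)}"><vt:lpwstr>{escape(value)}</vt:lpwstr></property>'
                )
            xml = (
                f'<?xml version="1.0"?><Properties xmlns="{NS_CUSTOM}" xmlns:vt="{NS_VT}">'
                f'{"".join(parts)}</Properties>'
            )
            zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, a local add-in reference, and a remote one (placeholder host).
    samples = {
        "plain": build_sample_docx(),
        "local": build_sample_docx({"_AssemblyName": "*", "_AssemblyLocation": "Report.vsto|vstolocal"}),
        "remote": build_sample_docx(
            {"_AssemblyName": "*", "_AssemblyLocation": "https://example.invalid/addin/Report.vsto"}
        ),
    }
    for label, doc in samples.items():
        print(label, analyze_document(doc))
```

Running the script prints a verdict per constructed sample; in a triage pipeline the same function can be applied to every document extracted from an ISO or ZIP attachment, and a `remote_vsto` verdict (or any VSTO reference in mail-borne documents) is a strong candidate for quarantine and analyst review.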
Deep Instinct could not retrieve the final payload because the server was offline at the time of its investigation. To show how VSTO could help an attacker deliver and execute malware, as well as achieve persistence on the machine, the researchers created a proof-of-concept with a Meterpreter payload. Apart from the payload, which was purposefully selected to be highly detectable, all the components of the PoC flew under Windows Defender's radar.
Deep Instinct researchers expect more threat actors to integrate VSTO into their attacks. They believe that nation-state and other high-caliber actors will jump at the opportunity, as they are more likely to have the means to bypass the trust mechanisms used in Windows by using valid code-signing certificates.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 02 Feb 2023 20:23:02 +0000