Researchers warn that attackers are looking for alternatives to Office macros, which Microsoft now blocks by default in files downloaded from the internet.
Security researchers at Deep Instinct warn that attackers may increasingly turn to Microsoft Visual Studio Tools for Office (VSTO) to gain code execution and persistence on a target machine through malicious Office add-ins. The technique is an alternative to embedding macros in documents that fetch malware from an external source.
VSTO is a software development kit that ships with the Microsoft Visual Studio IDE. It is used to build VSTO add-ins: .NET extensions to Office applications that run arbitrary code on the machine, either at the application level or as a document-level customization bound to a specific file.
These add-ins can be packaged alongside the document or downloaded from a remote location, and they run when the document is opened in the associated Office application (e.g., Word or Excel). For a document-level customization, the document's own custom properties record where Office should fetch the add-in's deployment manifest, so a local file path, a UNC share or an HTTP(S) URL in those properties is all it takes to point the document at attacker-controlled code.
In the local variant, the payload (the add-in's .vsto manifest and .dll) is delivered together with the document, usually inside an ISO container. The attackers mark these additional files as hidden, hoping the victim will not notice them and will assume the archive contains only the document.
When the document is opened, Office prompts the user to install the add-in. Attackers can trick the victim into allowing the installation, much like the "Enable Content" banner that lets malicious macros run; if the add-in is not signed by a trusted publisher, the prompt identifies the publisher as unknown, which is the one visible warning the victim gets.
In one attack targeting users in Spain, a payload executed an encoded and compressed PowerShell script on a computer.
In another example, which used a remote VSTO-based add-in, the attackers installed a .DLL payload that downloaded a password-protected ZIP archive and dropped it into the user's AppData\Local folder. Deep Instinct was unable to retrieve the final payload because the server was down at the time of the investigation.
To show how VSTO can help an attacker deliver and run malware and achieve persistence on the system, the researchers built a proof of concept (PoC) with a Meterpreter payload. Aside from the payload, which was deliberately chosen to be easy to detect, none of the PoC components were flagged by Windows Defender.
Deep Instinct researchers expect more attackers to integrate VSTO into their attacks. They believe that "the nation-state and other highly skilled hackers will jump at this opportunity to bypass the Windows trust mechanism with valid code signing certificates."