Hackers weaponize Microsoft Visual Studio add-ins to push malware

Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins.

The technique is an alternative to sneaking into documents VBA macros that fetch malware from an external source. 

Since Microsoft announced it would block the execution of VBA and XL4 macros in Office by default, threat actors moved to archives (.ZIP, .ISO) and .LNK shortcut files to distribute their malware.

However, using VSTO introduce an attack vector that allows building .NET-based malware and embedding it into the Office add-in.

Security researchers at Deep Instinct discovered multiple such attacks recently and believe that skillful hackers are increasingly adopting the method.

Although VSTO-based attacks are not new, they are a rare occurrence and have not been too much of a concern for the infosec community.

Attacking with VSTO

VSTO is a software development kit, part of Microsoft's Visual Studio IDE. It is used to build VSTO add-ins, which are extensions for Office applications that can execute code on the machine.

These add-ins can be packaged with the document files or downloaded from a remote location and are executed when launching the document with the associated Office app (e.g. Word, Excel)

Threat actors prefer using the local VSTO approach, which does not require bypassing trust-related security mechanisms to execute the add-in code. However, Deep Instinct noticed some attacks using remote VSTO add-ins.

A sign of these payload-carrying documents is the presence of a "custom.xml" parameter that gives the Office application instructions on where to locate the add-in and to install it.

XML code that gives instructions about the add-in to Office (Deep Instinct)

 

The dependencies of the add-in payload are stored together with the document, typically inside an ISO container. The threat actors set these extra files to "hidden," hoping that the victim misses them and assumes the archive only contains a document.

Malicious document and payload dependencies
(Deep Instinct)

 

After launching the document, a prompt appears asking to install the add-in. Attackers can trick the victim to allow the action in a similar way as with the "enable content" pop-up for enabling malicious VBA macros to execute.

Message to trick users into installing a malicious add-in
(Deep Instinct)

 

Installation dialog served to the victim (Deep Instinct)

 

In one attack that Deep Instinct saw targeting users in Spain, the add-in payload executed an encoded and compressed PowerShell script on the computer.

PowerShell script hiding inside the malicious add-in (Deep Instinct)

 

In another example that involved a remote VSTO-based add-in, the threat actors set the .DLL payload to download a password-protected ZIP archive and drop it into the "%\AppData\Local\ folder." Deep Instinct could not retrieve the final payload due to the server being offline at the time of its investigation.

To show how VSTO could help an attacker deliver and execute malware, as well as achieve persistence on the machine, the researchers created a proof-of-concept (PoC) with a Meterpreter payload. Apart from the payload, which was purposefully selected to be highly detectable, all the components of the PoC flew under Window Defender's radar.

Deep Instinct researchers expect more threat actors to integrate VSTO into their attacks. They believe that "nation-state and other 'high caliber' actors" will jump at the opportunity as they are more likely to have the means to bypass trust mechanism used in Windows by using valid code signing certificates.