Jump to content
  • Hackers weaponize Microsoft Visual Studio add-ins to push malware

    alf9872000

    • 651 views
    • 3 minutes
     Share


    • 651 views
    • 3 minutes

    Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins.

     

    The technique is an alternative to sneaking into documents VBA macros that fetch malware from an external source. 

     

    Since Microsoft announced it would block the execution of VBA and XL4 macros in Office by default, threat actors moved to archives (.ZIP, .ISO) and .LNK shortcut files to distribute their malware.

     

    However, using VSTO introduce an attack vector that allows building .NET-based malware and embedding it into the Office add-in.

     

    Security researchers at Deep Instinct discovered multiple such attacks recently and believe that skillful hackers are increasingly adopting the method.

     

    Although VSTO-based attacks are not new, they are a rare occurrence and have not been too much of a concern for the infosec community.

    Attacking with VSTO

    VSTO is a software development kit, part of Microsoft's Visual Studio IDE. It is used to build VSTO add-ins, which are extensions for Office applications that can execute code on the machine.

     

    These add-ins can be packaged with the document files or downloaded from a remote location and are executed when launching the document with the associated Office app (e.g. Word, Excel)

     

    Threat actors prefer using the local VSTO approach, which does not require bypassing trust-related security mechanisms to execute the add-in code. However, Deep Instinct noticed some attacks using remote VSTO add-ins.

     

    A sign of these payload-carrying documents is the presence of a "custom.xml" parameter that gives the Office application instructions on where to locate the add-in and to install it.

     

    XML.png

    XML code that gives instructions about the add-in to Office (Deep Instinct)

     

    The dependencies of the add-in payload are stored together with the document, typically inside an ISO container. The threat actors set these extra files to "hidden," hoping that the victim misses them and assumes the archive only contains a document.

     

    files.png

    Malicious document and payload dependencies
    (Deep Instinct)

     

    After launching the document, a prompt appears asking to install the add-in. Attackers can trick the victim to allow the action in a similar way as with the "enable content" pop-up for enabling malicious VBA macros to execute.

     

    fig04-word-doc-prompts-user-to-allow-add

    Message to trick users into installing a malicious add-in
    (Deep Instinct)

     

    install-prompt.png

    Installation dialog served to the victim (Deep Instinct)

     

    In one attack that Deep Instinct saw targeting users in Spain, the add-in payload executed an encoded and compressed PowerShell script on the computer.

     

    powershell.png

    PowerShell script hiding inside the malicious add-in (Deep Instinct)

     

    In another example that involved a remote VSTO-based add-in, the threat actors set the .DLL payload to download a password-protected ZIP archive and drop it into the "%\AppData\Local\ folder." Deep Instinct could not retrieve the final payload due to the server being offline at the time of its investigation.

     

    To show how VSTO could help an attacker deliver and execute malware, as well as achieve persistence on the machine, the researchers created a proof-of-concept (PoC) with a Meterpreter payload. Apart from the payload, which was purposefully selected to be highly detectable, all the components of the PoC flew under Window Defender's radar.

     

    Deep Instinct researchers expect more threat actors to integrate VSTO into their attacks. They believe that "nation-state and other 'high caliber' actors" will jump at the opportunity as they are more likely to have the means to bypass trust mechanism used in Windows by using valid code signing certificates.

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...