Posted on February 2, 2023 at 8:12 AM
Cybersecurity researchers have issued an alert of hackers using the Microsoft Visual Studios Tools for Office (VSTO) to conduct hacking campaigns. VSTO can be compromised by threat actors to achieve persistence and to run code in the victim machines using malicious Microsoft Office add-ins.
Hackers might use Microsoft Visual add-ins to spread malware
Security researchers have said that hackers could start exploiting Microsoft Visual add-ins for malicious purposes. The technique that the hackers could use to exploit VSTO and compromise the target device is similar to the technique that the hackers use to install documents VBA macros that get malware from an external source.
Threat actors have been actively looking for alternatives since Microsoft said it would halt the execution of VBA and XL4 macros on Microsoft Office by default. The ban has led to threat actors using archives and .LNK shortcut files to run their malware campaigns.
However, it appears that hackers could be exploring another more effective alternative. By using VSTO, the hackers can launch an attack vector that will support the creation of .NET malware. The malware can then be embedded within the Office add-in.
The security researchers from Deep Instinct detected multiple attacks using the same technique. The researchers noted that hackers with a high skill level increasingly use this strategy. Nevertheless, it is not the first time that hackers are exploiting VSTO. While these attacks are rare, the cybersecurity community has not raised much concern about them.
Hackers could exploit VSTO
VSTO is one of the tools within the Microsoft Visual Studio IDE. The software development kit is largely used in creating VSTO add-ins that are usually used in Microsoft Office applications. These add-ins are used to run a code on the target device.
The ad-ins on Microsoft Office will also include the document files. They can also be downloaded from a remote location, after which they will be executed when the document has been opened using a Microsoft Office application like Word or Excel.
Hackers prefer exploiting VSTO using a local approach. In this technique, the threat actor is not required to bypass the security systems installed on the target device to run the add-in code. This reduced the possibility of detection.
However, some of the analyzed attacks were conducted using remote VSTO add-ins. The devices that have been compromised using these payload-carrying documents usually have a “custom.xml” parameter that will guide the Office application in finding the add-in and installing it on the device.
The add-in payload will also come with other functions stored within the compromised document. In most cases, these dependencies are stored within an ISO container. The threat actors go the extra mile to avoid detection by ensuring that these files are hidden such that the victim will not access them as they will assume they are archived documents.
After this document has been launched on the target device, the victim will receive a prompt asking them to install the add-in. The hackers create this prompt to trick the victim into enabling a Microsoft Office-related feature, not a malicious add-in.
In one of the attacks that Deep Instinct analyzed, the threat actors targeted victims based in Spain. The add-in payload in this campaign deployed an encoded and compressed PowerShell script on the target device.
One of the examples that contained a remote VSTO add-in noted that the threat actor group had configured the .DLL payload to prompt it to download a ZIP archive that was later dropped into the “%\AppData\Local\folder.” The researchers could not access the final payload because the server was taken offline when the investigations were being conducted.
The researchers also created a proof-of-concept (PoC) to show how the attacker could have delivered and executed the malware and achieve persistence. The PoC was conducted using a Meterpreter payload, while all the other features of the PoC went undetected by the Window Defender.
The researchers noted that there was a high likelihood that hackers could start using VSTO to conduct malicious campaigns. They noted that the campaigns could be used by state-sponsored actors and sophisticated hacking groups. The exploit allows the threat actors to bypass the trust measures used in Windows by deploying valid certificates, which could make such attacks go undetected.