After the collapse of macros in Microsoft Office (opens in a new tab) files, another alternative method appears to be gaining ground, new reports claim.
Cybersecurity researchers from Deep Instinct have discovered an increase in the use of Microsoft Visual Studio Tools for Office (VSTO) among cybercriminals who create malicious Office add-ins that help them achieve persistence and run malicious code on targeted endpoints.
What hackers do is create .NET based malware (opens in a new tab)and then embedding it in an Office add-in, which requires a bit more skill from the threat actor.
Bypassing the antivirus
The method isn’t new, but it wasn’t as popular when Office macros were dominant. Now that Microsoft has successfully eliminated this threat, the number of threats created by VSTO is increasing. These add-ins can be shipped with Office documents or hosted elsewhere and run by an Office document sent by attackers.
In other words, to get infected, the victim still needs to download and run the Office file and add-in, so phishing will still play a major role. That said, the attack vector is still quite dangerous as it is able to successfully circumvent antivirus programs and other anti-malware services. In fact, Deep Instinct was able to create a working Proof-of-Concept (PoC) that delivered the Meterpreter payload to the endpoint. The PoC demo video can be found on the site this link (opens in a new tab). The researchers said they were forced to disable Microsoft Windows Defender just to log the process.
Meterpreter, a security product used for penetration testing, was easily detected by antivirus products, but all PoC elements were not detected.
In conclusion, researchers expect a further increase in the number of attacks created by VSTO. They also expect nation states and other “high caliber” actors to adopt this practice as well.
By: Beeping Computer (opens in a new tab)