Microsoft Visual Studio add-ins could be used to deliver malware

By Scott Marlette Last updated Feb 4, 2023

Following the demise of macros in Microsoft Office (opens in new tab) files, it seems that another alternative method is gaining popularity, new reports have claimed.

Cybersecurity researchers from Deep Instinct have discovered an uptick in the use of Microsoft Visual Studio Tools for Office (VSTO) among cybercriminals, as they build malicious Office add-ins which help them achieve persistence and run malicious code on target endpoints.

What hackers are doing here is building .NET-based malware (opens in new tab), and then embedding it into an Office add-in, a practice that requires the threat actor to be somewhat more skilled.

Bypassing antivirus

The method is hardly new but wasn’t as popular while Office macros were dominating. Now that Microsoft effectively eliminated that threat, VSTO-built threats are emerging in greater numbers. These add-ins can be sent together with Office documents, or hosted elsewhere and triggered by an Office document sent by the attackers.

In other words, the victim still needs to download and run an Office file and the add-in in order to get infected, so phishing will still play a major role. That being said, the attack vector is still quite dangerous as it is capable of successfully working around antivirus programs and other malware protection services. In fact, Deep Instinct was able to create a working Proof-of-Concept (PoC) that delivered the Meterpreter payload to the endpoint. The video demonstration of the PoC can be found on this link (opens in new tab). The researchers said they were forced to disable Microsoft Windows Defender just to record the process.

Meterpreter, a security product used for penetration testing, was easy for antivirus products to detect, however, all the elements of the PoC were not detected, they said.

In conclusion, the researchers expect the number of VSTO-built attacks to continue rising. They also expect nation-states and other “high caliber” actors to adopt the practice as well.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.