A report claims Microsoft Visual Studio add-ins could be used to pass malware, as a somewhat niche method is now growing in popularity.
Report Claims Microsoft Visual Studio Add-Ins Could Be Used To Pass Malware
Following the demise of macros in Microsoft Office files, another method appears to be gaining popularity, a new set of reports claims.
Cybersecurity researchers from Deep Instinct have discovered an uptick in the use of Microsoft Visual Studio Tools for Office (VSTO) among cybercriminals, who continue to build malicious Office add-ins that help them gain persistence and then run malicious code on targeted endpoints.
The attackers build .NET-based malware and then embed it into an Office add-in, a practice that requires threat actors to be somewhat skilled.
Bypassing Antivirus – How It Works
The method being reported is hardly new. However, it was not as popular while Office macros were dominating, and now that Microsoft has successfully and effectively eliminated that threat, VSTO-built threats are sprouting up in great numbers. The add-ins in question can be sent together with Office documents, or hosted elsewhere and then triggered by an Office document that the attackers send.
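The following triage check for the two delivery options described above is an added example, not code from the report or from Deep Instinct. It relies on documented VSTO behaviour that this page does not state: a document-level customization is referenced through the custom document properties `_AssemblyLocation` and `_AssemblyName` in `docProps/custom.xml`. The function names, sample values and example host are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, prefer the defusedxml package

CUSTOM_PROPS = "docProps/custom.xml"
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VSTO_PROPS = {"_AssemblyLocation", "_AssemblyName"}  # read by Office to load a VSTO customization


def vsto_findings(data):
    """Report VSTO custom properties in an OOXML file and where the add-in loads from."""
    props = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if CUSTOM_PROPS in zf.namelist():
                root = ET.fromstring(zf.read(CUSTOM_PROPS))
                for prop in root.iter("{%s}property" % CP_NS):
                    if prop.get("name") in VSTO_PROPS:
                        props[prop.get("name")] = "".join(prop.itertext()).strip()
    except (zipfile.BadZipFile, ET.ParseError):
        props = {}  # not an OOXML container (e.g. legacy .doc) or damaged XML
    # _AssemblyLocation is "manifest location|solution id|..."; keep the first field
    location = props.get("_AssemblyLocation", "").split("|")[0]
    if not props:
        source = None
    else:  # remote: manifest on a web server or UNC share; local: shipped with the document
        source = "remote" if re.match(r"(?i)(https?://|\\\\)", location) else "local"
    return {"vsto": bool(props), "source": source, "props": props}


def build_sample(location=None):
    """Constructed input: a minimal zip holding only the custom-properties part."""
    prop = ('<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="%d" '
            'name="%s"><vt:lpwstr>%s</vt:lpwstr></property>')
    xml = ('<Properties xmlns="%s" xmlns:vt="http://schemas.openxmlformats.org/'
           'officeDocument/2006/docPropsVTypes">' % CP_NS
           + prop % (2, "_AssemblyLocation", location)
           + prop % (3, "_AssemblyName", "CONSTRUCTED") + "</Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if location is not None:
            zf.writestr(CUSTOM_PROPS, xml)
    return buf.getvalue()


if __name__ == "__main__":
    print(vsto_findings(build_sample("https://addins.example.test/Addin.vsto|CONSTRUCTED-ID")))
```

A hit is a reason to inspect the referenced manifest and assembly, since legitimate VSTO solutions carry the same properties.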
How Victims Were Attacked
In other words, the victim still needs to download and run an Office file and the add-in in order to be affected, so phishing still has a major role to play here. That said, the attack vector is dangerous because it is capable of working around antivirus programs and other malware protection services. Deep Instinct was able to create a working proof-of-concept that helped deliver the Meterpreter payload to the endpoint. The researchers also said that they were forced to disable Microsoft Windows Defender in order to record the whole process.
What the Researchers Concluded On Their Findings
Meterpreter, which is a security product used for penetration testing, was easy for antivirus products to detect. However, they said that all the elements of the PoC were not detected.
In conclusion, the researchers expect the number of VSTO-built attacks to keep rising. They also expect nation-states and many other high-caliber actors to adopt the practice.