Security researchers at Deep Instinct have recently discovered multiple campaigns in which Microsoft Visual Studio Tools for Office (VSTO) is used to achieve persistence and execute remote code on the target machine via malicious Office add-ins. The attackers do this by building .NET-based malware and embedding it in these Office add-ins. While this isn’t a novel technique, it has rarely been detected in the wild in the past. The sudden increase in sightings may stem from macro execution in Office being disabled by default, which has already led to other delivery techniques, such as the use of archive and shortcut files to deploy malware, becoming more prominent.
VSTO is a software development kit, part of Microsoft’s Visual Studio IDE, used to build VSTO add-ins, which are extensions for Office applications. These add-ins can be packaged inside document files or fetched from a remote location, and Deep Instinct researchers have detected campaigns using both. They are executed when a document is launched with the associated Office application, which displays a prompt asking the user to confirm that they want to install the add-in. So far, they have been seen executing encoded PowerShell commands and establishing persistence, among other actions.
With macro execution now disabled by default in Office apps, this is just one of the many new phishing techniques likely to rise to take its place. As with any phishing technique, the best way to prevent it is to make end users aware of this new threat through user education. However, there are some other possible detections that can alert on this activity. One possible detection is to monitor for VSTO file creations at roughly the same time as an Office document creation on the same host. Additionally, it may be possible to detect this through Office processes spawning a suspicious child process, but our analysts have not yet observed the process chain for this activity in our lab to confirm. In the end, the best strategy for any organization is a defense-in-depth strategy, ensuring that even if one security control fails or is bypassed, the activity is detected at a different stage of the attack chain.
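The first detection suggested above, correlating VSTO file creations with Office document creations on the same host within a short time window, is simple enough to sketch in code. The following is an added example, not code from the original post or from Deep Instinct; it assumes file-creation telemetry flattened into `host|ISO-8601 timestamp|path` lines (a constructed format), treats the `.vsto` deployment manifest extension as the VSTO indicator, and uses a five-minute window as an illustrative default that a real deployment would tune.

```python
"""Correlate VSTO add-in file creations with Office document creations per host."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample file-creation telemetry (not real data): host|ISO-8601 time|path.
# host01 creates a document and a .vsto manifest 12 seconds apart (should alert),
# host02 has both but hours apart (should not alert at the default window),
# host03 has a .vsto with no document at all (should not alert).
SAMPLE_EVENTS = [
    "host01|2023-02-01T09:00:00|C:\\Users\\alice\\Downloads\\invoice.docx",
    "host01|2023-02-01T09:00:12|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vsto",
    "host02|2023-02-01T10:15:00|C:\\Users\\bob\\Documents\\report.xlsx",
    "host02|2023-02-01T14:30:00|C:\\Users\\bob\\Documents\\addin.vsto",
    "host03|2023-02-01T11:00:00|C:\\Users\\carol\\Downloads\\other.vsto",
]

# Office document extensions to pair against (assumed list; extend to taste).
OFFICE_DOC_EXTS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                   ".ppt", ".pptx", ".pptm"}
# .vsto is the deployment manifest a VSTO add-in is installed from.
VSTO_EXTS = {".vsto"}


def parse_event(line):
    """Parse one 'host|timestamp|path' line into a dict with a lower-cased extension."""
    host, ts, path = line.rstrip("\n").split("|", 2)
    return {
        "host": host,
        "time": datetime.fromisoformat(ts),
        "path": path,
        "ext": PureWindowsPath(path).suffix.lower(),
    }


def correlate_vsto_with_documents(lines, window=timedelta(minutes=5)):
    """Return one alert per (document, .vsto) pair created on the same host within `window`.

    The comparison is symmetric: the document may be written before or after the
    manifest, since a remotely fetched add-in can land either way.
    """
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_event(line)
            by_host[event["host"]].append(event)

    alerts = []
    for host, events in by_host.items():
        documents = [e for e in events if e["ext"] in OFFICE_DOC_EXTS]
        manifests = [e for e in events if e["ext"] in VSTO_EXTS]
        for manifest in manifests:
            for doc in documents:
                seconds_apart = abs((manifest["time"] - doc["time"]).total_seconds())
                if seconds_apart <= window.total_seconds():
                    alerts.append({
                        "host": host,
                        "document": doc["path"],
                        "vsto": manifest["path"],
                        "seconds_apart": seconds_apart,
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate_vsto_with_documents(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['document']} and {alert['vsto']} "
              f"created {alert['seconds_apart']:.0f}s apart")
```

Run against the constructed events, only host01 fires at the default window; widening the window to several hours would also pair host02's two files, which shows why the window is the main false-positive knob. In production this logic would sit over EDR or Sysmon file-creation events, and a match would be a candidate for enrichment (which Office process wrote the document, whether the install prompt was accepted) rather than an alert on its own.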