Security researchers from the information security company Deep Instinct warn that hackers may increasingly use Microsoft Visual Studio Tools for Office (VSTO) as a way to achieve persistence and code execution on a target machine via malicious Office add-ins. This method is an alternative to embedding macros in documents that fetch malware from an external source.
VSTO is a software development kit that is part of the Microsoft Visual Studio IDE. It is used to create VSTO add-ins, extensions for Office applications that can execute code on the computer.
These add-ins can be packaged with documents or loaded from a remote location, and they run when the document is opened in the associated Office application (for example, Word or Excel).
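As an added defensive example (not part of Deep Instinct's research or the original article), the following Python reads the custom document properties that Office uses to record a document-level VSTO customization (`_AssemblyName` and `_AssemblyLocation` in `docProps/custom.xml`) and reports whether the referenced deployment manifest is local or remote, which is the distinction between the two delivery methods described above. The sample document is constructed in memory and is not a real Office file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Office records a document-level VSTO customization in docProps/custom.xml
# as the custom properties _AssemblyName and _AssemblyLocation.
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
VSTO_PROPS = ("_AssemblyName", "_AssemblyLocation")
FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard user-defined property set


def vsto_properties(docx_bytes):
    """Return the VSTO custom properties found in a .docx, or {} if there are none."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{NS_CP}}}property"):
        if prop.get("name") in VSTO_PROPS:
            value = prop.find(f"{{{NS_VT}}}lpwstr")
            found[prop.get("name")] = (value.text or "").strip() if value is not None else ""
    return found


def classify(docx_bytes):
    """'none' (no customization), 'local' or 'remote' deployment manifest."""
    props = vsto_properties(docx_bytes)
    if "_AssemblyLocation" not in props:
        return "none"
    # _AssemblyLocation is "<manifest path>|<solution id>|<flags>"; only the first field matters here.
    manifest = props["_AssemblyLocation"].split("|")[0].lower()
    if manifest.startswith(("http://", "https://", "\\\\", "//")):
        return "remote"
    return "local"


def build_docx(assembly_location=None):
    """Constructed minimal .docx-like zip for exercising the check (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if assembly_location is not None:
            zf.writestr("docProps/custom.xml", (
                f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}">'
                f'<property fmtid="{FMTID}" pid="2" name="_AssemblyLocation">'
                f'<vt:lpwstr>{assembly_location}</vt:lpwstr></property>'
                f'<property fmtid="{FMTID}" pid="3" name="_AssemblyName">'
                f'<vt:lpwstr>*</vt:lpwstr></property></Properties>'))
    return buf.getvalue()
```

Run `classify(build_docx("https://example.invalid/Report.vsto|{solution-id}"))` to see a remote manifest flagged; a document with no `custom.xml` returns `"none"`.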
The payload is stored alongside the document, usually inside an ISO container. Attackers mark these extra files as "hidden", hoping that the victim will not notice them and will assume the archive contains only a document.
Malicious document and the payload it depends on
When the document is opened, a prompt to install the add-in appears. Attackers can trick the victim into allowing the installation (much like the "Enable Content" pop-up that lets malicious macros run).
Pop-up prompting the user to install the add-in
In one attack aimed at users in Spain, the payload executed an encoded and compressed PowerShell script on the computer.
In another example, which used a remote VSTO-based add-in, the attackers dropped a payload DLL that downloads a password-protected ZIP archive and placed it in the "%AppData%\Local" folder. Deep Instinct could not obtain the final payload because the server was offline at the time of the investigation.
To show how VSTO can help an attacker deliver and launch malware and also achieve persistence on the system, the researchers created a proof of concept (PoC) with a Meterpreter payload. Apart from the payload, which was deliberately chosen to be easily detectable, all PoC components stayed under Windows Defender's radar.
Deep Instinct researchers expect more and more attackers to incorporate VSTO into their attacks. They believe that "nation-state and other highly skilled hackers will seize on this opportunity to bypass the Windows trust mechanism using valid code-signing certificates."