Microsoft Visual Studio add-ins could be used to deliver malware

A somewhat niche method is growing more popular

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Following the demise of macros inMicrosoft Officefiles, it seems that another alternative method is gaining popularity, new reports have claimed.

Cybersecurity researchers from Deep Instinct have discovered an uptick in the use ofMicrosoftVisual Studio Tools for Office (VSTO) among cybercriminals, as they build malicious Office add-ins which help them achieve persistence and run malicious code on targetendpoints.

What hackers are doing here is building .NET-basedmalware, and then embedding it into an Office add-in, a practice that requires the threat actor to be somewhat more skilled.

Protecting your business from the biggest threats onlinePerimeter 81’s Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?)

Bypassing antivirus

The method is hardly new but wasn’t as popular while Office macros were dominating. Now that Microsoft effectively eliminated that threat, VSTO-built threats are emerging in greater numbers. These add-ins can be sent together with Office documents, or hosted elsewhere and triggered by an Office document sent by the attackers.

Microsoft Office is now blocking macros by default>The figures that show why Microsoft is so worried about Office macros>Here’s our rundown of the best ransomware protection services right now

In other words, the victim still needs to download and run an Office file and the add-in in order to get infected, so phishing will still play a major role. That being said, the attack vector is still quite dangerous as it is capable of successfully working around antivirus programs and other malware protection services. In fact, Deep Instinct was able to create a working Proof-of-Concept (PoC) that delivered the Meterpreter payload to the endpoint. The video demonstration of the PoC can be found onthis link. The researchers said they were forced to disable Microsoft Windows Defender just to record the process.

Meterpreter, a security product used for penetration testing, was easy for antivirus products to detect, however, all the elements of the PoC were not detected, they said.

In conclusion, the researchers expect the number of VSTO-built attacks to continue rising. They also expect nation-states and other “high caliber” actors to adopt the practice as well.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Another reason to avoid edge-lit 4K TVs: they may fail faster than others, according to this report