Microsoft Visual Studio exploited in malware attacks

BleepingComputer reports that more threat actors have been leveraging Microsoft Visual Studio Tools for Office to enable .NET-based malware integration within Office add-ins after Microsoft moved to block VBA and XL4 macro execution in Office by default. While the local VSTO method, which does not have trust-related security mechanism bypass requirements for add-in code execution, is more favorable among attackers, some threat actors have also used remote VSTO add-ins, according to a Deep Instinct report. Attacks using VSTO involved a "custom.xml" parameter enabling add-in tracking and installation, with the add-in payload's dependencies usually stored alongside a document in an ISO container. The report showed that opening the document would trigger an add-in installation prompt, with an attack targeted at Spanish users found to result in the execution of an encoded and compressed PowerShell script. Meanwhile, threat actors in an attack using a remote VSTO-based add-in configured the payload to facilitate the download of a password-protected ZIP archive.