BleepingComputer reports that more threat actors have been leveraging Microsoft Visual Studio Tools for Office to enable .NET-based malware integration within Office add-ins after Microsoft moved to block VBA and XL4 macro execution in Office by default.
While the local VSTO method, which does not require bypassing any trust-related security mechanism before the add-in code runs, is more favorable among attackers, some threat actors have also used remote VSTO add-ins, according to a Deep Instinct report.
Attacks using VSTO involved a "custom.xml" parameter that enables add-in tracking and installation, with the add-in payload's dependencies usually stored alongside the document in an ISO container. The report showed that opening the document triggers an add-in installation prompt; one attack targeted at Spanish users was found to result in the execution of an encoded and compressed PowerShell script.
Meanwhile, threat actors in an attack using a remote VSTO-based add-in configured the payload to facilitate the download of a password-protected ZIP archive.
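As an added defensive example (not from the BleepingComputer or Deep Instinct reports): a Python check that opens an OOXML document's docProps/custom.xml, looks for the `_AssemblyName` and `_AssemblyLocation` custom properties that VSTO uses to record a document-level add-in (property names as documented by Microsoft for VSTO customizations), and classifies the add-in as local or remote. The sample document, its URL and the classification rule are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# VSTO document-level customizations record the add-in in docProps/custom.xml
# through the custom properties _AssemblyName and _AssemblyLocation.
CUSTOM_XML = "docProps/custom.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
VSTO_PROPS = {"_AssemblyName", "_AssemblyLocation"}

def vsto_properties(doc_bytes: bytes) -> dict:
    """Return the VSTO custom properties found in an OOXML document (empty if none)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if CUSTOM_XML not in z.namelist():
            return found
        root = ET.fromstring(z.read(CUSTOM_XML))
    for prop in root.findall("cp:property", NS):
        if prop.get("name") in VSTO_PROPS:
            val = prop.find("vt:lpwstr", NS)
            found[prop.get("name")] = val.text if val is not None else ""
    return found

def classify(props: dict) -> str:
    """'none' without VSTO markers, 'remote' if the manifest is fetched over HTTP(S) or UNC, else 'local'."""
    if not props:
        return "none"
    loc = props.get("_AssemblyLocation", "")
    if urlparse(loc).scheme.lower() in ("http", "https") or loc.startswith("\\\\"):
        return "remote"
    return "local"

def build_sample(location):
    """Constructed minimal OOXML zip (test input, not a real sample); None omits custom.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if location is not None:
            z.writestr(CUSTOM_XML, (
                f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">'
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="_AssemblyName">'
                '<vt:lpwstr>*</vt:lpwstr></property>'
                '<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="_AssemblyLocation">'
                f'<vt:lpwstr>{location}</vt:lpwstr></property></Properties>'))
    return buf.getvalue()
```

Run the check over mail-gateway or sandbox-submitted documents and alert on any hit; a "remote" location is the stronger signal, but a "local" one still indicates an add-in that Office will offer to install when the file is opened.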