VSTO and Malicious Office Docs
These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new technics. To boldly go where no one has gone before!
Last updated
These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new technics. To boldly go where no one has gone before!
Last updated
It's not a bug, it's a feature!
What is the Visual Studio Tools for Office (VSTO)?
Visual Studio Tools for Office (VSTO) is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET.
Any Malicious Payload can be emplaced into any office documents using VSTO. You can find detailed explanations in the below links.
Quick practice in a YouTube video:
PS:
More powerful than Macro and formula injection! You can write anything with C# smoothly.
It can update itself and .NET libraries in every execution. (OMG! It can be a self-updated dropper!)
EDRs can not detect in the same way as macros.
Prevention:
Disable all add-ins for office in the Group Policy (This may not be useful for large companies.)
Require that application add-ins are signed by Trusted Publisher in the Group Policy. (There are many bypass ways for this(^^,) )
I have not done it yet, but behavioral analysis can be done for this situation. Also, C# projects could be restricted with the company signature. If a subprocess of a C# project compiling and executing without a signature is observed under an office document, it can be blocked by the EDR.
Also, the below blog post should be read to create a prevention scenario against this kind of phishing attack.
-EOF
