Lately I’ve been playing around with Visual Studio Tools for Office (VSTO) as a persistent foothold. VSTOs are Microsoft Office add-ins that can enhance the user’s experience or automate tasks. Enabled add-ins are run every time the target Office application is started, a perfect persistence point. VSTOs can be written in C# or VB, and if done correctly, do not require administrative privileges to install.
Because of this event driven nature and the non-admin installation, I think VSTOs could be a decent addition to a phishing installation package. I’ve put together a proof of concept which can be found at https://github.com/ThunderGunExpress/ThunderVSTO
What This is Not
A complete installation package. This persistent VSTO would need to be included in some sort of a larger installation package. Fortunately, I plan on posting about this at a later date.
How to Defend
- Restrict the user’s ability to install Outlook add-ins
- Don’t install software from untrusted sources
- Audit HKU and HKLM\Software\Microsoft\Office\**Office App**\Addins for new installations
Sysinternals Autoruns checks for Office add-ins; however, unless I’m missing something, it only displays the HKLM\Software\Microsoft\Office\**Office App**\Addins. Personally, I would target HKU instead (non-admin) which is not tracked by Autoruns.