Hackers use Microsoft Visual Studio add-ons as weapons to spread malware (16th February 2023)

Ref# AL2023_15 | Date: Feb 16th 2023


After the disappearance of macros in Microsoft Office files, recent reports say that a different alternative way is becoming more and more popular.Security experts caution that malicious Office add-ins could lead to an increase in hackers” use of Microsoft Visual Studio Tools for Office (VSTO) to achieve persistence and executing malware on a target machine. 


This new attack vector targeting the visual studio code extensions marketplace could be leveraged to upload rogue extensions masquerading as their legitimate counterparts with the goal of mounting supply chain attacks. Developers can enhance their workflows by adding programming languages, debuggers, and tools to the VS Code source-code editor using VS Code extensions, which are curated through a Microsoft-provided marketplace. This tactic might serve as a starting point for an assault. 

How it works 

This method is an alternative to inserting VBA macros that download malware from the internet into documents. Threat actors switched to using archives (.ZIP,.ISO), shortcut files (.LNK), and XL4 macros in Office when Microsoft declared that it would, by default, prohibit the execution of these macros. However, leveraging VSTO opens a path for attackers to create NET-based malware and incorporate it into the Office add-in. This method involves persuading a victim to download a malicious extension using social engineering techniques. 

The verification badge given to authors was also found to be easily circumvented, as the checkmark merely shows that the extension publisher is the true owner of the domain. To put it another way, a bad actor may purchase any domain, register it to receive the verified checkmark, and then upload a trojanized extension with the same name as a genuine one to the marketplace. 


Microsoft has stated that they will check extensions for viruses and malware before they are submitted to the Marketplace to help keep customers safe. They will also provide tools to flag malicious extensions identified in the marketplace. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Hackers use Microsoft Visual Studio add-ons as weapons to spread malware.pdf