VBA macros

A new study reveals that 87 percent of the ransomware found on the dark web can be delivered via malicious macros in order to infect targeted systems.

The research from Venafi, in partnership with criminal intelligence provider, Forensic Pathways, looked at 35 million dark web URLs and forums to uncover a thriving ransomware community with highly damaging macro-enabled strains readily available.

VBA macros in Microsoft Office are an incredibly common means of delivering malware, and this is precisely why Microsoft made an announcement earlier this year that macros would be blocked by default. But now the company has changed its mind.

The change will not be permanent, however. Microsoft still plans to block macros in documents obtain from the internet -- it's just not quite clear when. The company says that the change of heart is a result of user feedback, and while macros will remain enabled by default for the time being, this will change at some point in the future; it's just not happening as soon as we thought.

Several older botnets have seen a resurgence in activity in the first quarter of 2022, including Mirai, STRRAT and Emotet, according to the latest threat report from Nuspire.

Mirai, known for co-opting IoT devices to launch DDoS attacks and first seen in 2016, showed a spike in activity in February of this year. This corresponded with the discovery of Spring4Shell, a zero-day attack on popular Java web application framework, Spring Core. The attack allows for unauthenticated remote code execution, and data show Mirai exploited this vulnerability to its botnet.

In so many ways macros have made life easier for Office users, helping to automated and speed up a variety of tasks. But they also pose a gigantic security threat, particularly in documents downloaded from the internet.

Now Microsoft is taking action, and will block internet macros by default in Office. The reason for the move is the widespread exploitation of VBA macros by bad actors to spread malware.