OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Summary: The OfflRouter malware has been infecting select Ukrainian government networks since 2015, spreading through infected documents and removable media. The malware is still active and has been uploading potentially confidential documents to publicly accessible repositories.

Threat Actor: Unknown | OfflRouter malware
Victim: Ukrainian government networks | Ukrainian government

Key Points:

  • The OfflRouter malware has remained undetected for almost 10 years due to its unique propagation mechanism and limited spread within Ukraine’s borders.
  • The malware infects Microsoft Word documents with VBA macros, dropping a .NET executable named “ctrlpanel.exe” to infect other files with the .DOC extension.
  • OfflRouter is unable to spread via email and requires manual user intervention to send infected documents as email attachments.
  • The malware also modifies the Windows Registry to ensure the executable runs on system boot.
  • It is currently unknown who is responsible for the malware, but they have been described as inventive yet inexperienced.
Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015.

Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018. More than 20 such documents have been uploaded since 2022.

“The documents contained VBA code to drop and run an executable with the name ‘ctrlpanel.exe,’” security researcher Vanja Svajcer said. “The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.”

A striking aspect of OfflRouter is its inability to spread via email, necessitating that it be propagated via other means, such as sharing documents and removable media, including USB memory sticks containing the infected documents.

“It would require manual user intervention to send an infected document as an email attachment,” a Talos researcher told The Hacker News. “That could be the reason why the virus stayed under the radar for such a long time as it is not very noisy.”

“We can only speculate as to why there is no automated spreading by email. That said, if the malware was attached to a document sent via email, the virus would still attempt to infect files located on removable media.”

These design choices, intentional or otherwise, are said to have confined the spread of OfflRouter within Ukraine’s borders and to a few organizations, thus escaping detection for almost 10 years.

It’s currently not known who is responsible for the malware and there are no indications that it was developed by someone from Ukraine.

Whoever it is, they have been described as inventive yet inexperienced owing to the unusual propagation mechanism and the presence of several mistakes in the source code.

OfflRouter has been previously highlighted by MalwareHunterTeam as early as May 2018 and again by the Computer Security Incident Response Team Slovakia (CSIRT.SK) in August 2021, detailing infected documents uploaded to the National Police of Ukraine’s website.

The modus operandi has remained virtually unchanged, with the VBA macro-embedded Microsoft Word documents dropping a .NET executable named “ctrlpanel.exe,” which then infects all files with the .DOC (not .DOCX) extension found on the system and other removable media with the same macro.

“The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum,” Svajcer said.

“If the sum is zero, the document is considered already infected.”
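As an added defender-side triage example (not code from Cisco Talos or from the malware), the marker check described above applied to the creation timestamps of OLE2 directory entries; the article does not say which creation-time fields the virus sums, so using the directory entry stamps is an assumption here, and the sample file is constructed rather than a real document:

```python
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def directory_creation_times(data: bytes) -> list:
    """Creation FILETIME of each used entry in the first OLE2 directory sector.
    Assumption (not stated in the article): these directory stamps are the
    'creation times' the marker check sums. Directories spanning more
    sectors would need FAT-chain walking, omitted here."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    base = 512 + first_dir_sector * sector_size
    times = []
    for off in range(base, base + sector_size, 128):
        entry = data[off:off + 128]
        if len(entry) < 128:
            break
        if entry[0x42] == 0:          # object type 0 = unused slot
            continue
        times.append(struct.unpack_from("<Q", entry, 0x64)[0])
    return times

def looks_marked(data: bytes) -> bool:
    """OfflRouter's rule as described: sum of creation times == 0 means
    'already infected', so the virus would skip the file."""
    return sum(directory_creation_times(data)) == 0

def build_sample_doc(root_ctime: int) -> bytes:
    """Constructed sample: a minimal OLE2 container (512-byte header plus
    one directory sector holding only the root entry), not a real document."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)     # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)     # directory chain starts at sector 0
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[:len(name)] = name
    struct.pack_into("<H", entry, 0x40, len(name))
    entry[0x42] = 5                             # object type 5 = root storage
    struct.pack_into("<Q", entry, 0x64, root_ctime)
    return bytes(header) + bytes(entry) + bytes(512 - 128)

if __name__ == "__main__":
    for stamp in (0, 133_000_000_000_000_000):  # zero vs. a plausible FILETIME
        print(stamp, "marked" if looks_marked(build_sample_doc(stamp)) else "unmarked")
```

A zero sum is a triage signal only, since some document writers leave OLE2 directory timestamps at zero; confirm with a check for an embedded VBA project before treating a file as infected.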

That said, the attack becomes successful only when VBA macros are enabled. Microsoft, as of July 2022, has been blocking macros by default in Office documents downloaded from the internet, prompting threat actors to seek other initial access pathways.

While Microsoft’s preventive measure limits the success of such macro-based attacks, Cisco Talos told the publication that many organizations in the affected region, including government entities, are not using up-to-date Office versions.

“The main issue we tried to raise is not that a virus is active and affects Microsoft Office, but that users can unknowingly upload confidential documents to public repositories,” it said. “Users need to double check for the malware infection.”

Another key function of the malware is to make Windows Registry modifications so as to ensure that the executable runs every time upon booting the system.

“The virus targets only documents with the filename extension .DOC, the default extension for the OLE2 documents, and it will not try to infect other filename extensions,” Svajcer said. “The default Word document filename extension for the more recent Word versions is .DOCX, so few documents will be infected as a result.”

That’s not all. Ctrlpanel.exe is also equipped to search for potential plugins (with the extension .ORP) present on removable drives and execute them on the machine, which implies the malware is expecting the plugins to be delivered via USB drives or CD-ROMs.

On the contrary, if the plugins are already present on a host, OfflRouter takes care of encoding them, copying the files to the root folder of the attached removable media with the filename extension .ORP, and marking them as hidden so that they are not visible in File Explorer when the media is plugged into another device.

That said, one major unknown is whether the initial vector is a document or the executable module ctrlpanel.exe.

“The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document,” Svajcer said.

“It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to .DOC before infecting documents. That way, the infection may be a bit stealthier.”

Source: https://thehackernews.com/2024/04/offlrouter-malware-evades-detection-in.html