OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Apr 18, 2024NewsroomIncident Response / Cyber Espionage

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015.

Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform.

"The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'" security researcher Vanja Svajcer said. "The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories."

A striking aspect of OfflRouter is its inability to spread via email, necessitating that it be propagated via other means, such as sharing documents and removable media, including USB memory sticks containing the infected documents.

These design choices, intentional or otherwise, are said to have confined the spread of OfflRouter within Ukraine's borders and to a few organizations, thus escaping detection for almost 10 years.

It's currently not known who is responsible for the malware and there are no indications that it was developed by someone from Ukraine.

Whoever it is, they have been described as inventive yet inexperienced owing to the unusual propagation mechanism and the presence of several mistakes in the source code.

OfflRouter has been previously highlighted by MalwareHunterTeam as early as May 2018 and again by the Computer Security Incident Response Team Slovakia (CSIRT.SK) in August 2021, detailing infected documents uploaded to the National Police of Ukraine's website.

The modus operandi has remained virtually unchanged, with the VBA macro-embedded Microsoft Word documents dropping a .NET executable named "ctrlpanel.exe," which then infects all files with the .DOC (not .DOCX) extension found on the system and other removable media with the same macro.

"The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum," Svajcer said.

"If the sum is zero, the document is considered already infected."

That said, the attack becomes successful only when VBA macros are enabled. Microsoft, as of July 2022, has been blocking macros by default in Office documents downloaded from the internet, prompting threat actors to seek other initial access pathways.

Another key function of the malware is to make Windows Registry modifications so as to ensure that the executable runs every time upon booting the system.

"The virus targets only documents with the filename extension .DOC, the default extension for the OLE2 documents, and it will not try to infect other filename extensions," Svajcer elaborated. "The default Word document filename extension for the more recent Word versions is .DOCX, so few documents will be infected as a result."

That's not all. Ctrlpanel.exe is also equipped to search for potential plugins (with the extension .ORP) present on removable drives and execute them on the machine, which implies the malware is expecting the plugins to be delivered via USB drives or CD-ROMs.

One the contrary, if the plugins are already present on a host, OfflRouter takes care of encoding them, copying the files to the root folder of the attached removable media with the filename extension .ORP, and manipulating them to make them hidden so that they are not visible through the File Explorer when plugging them into another device.

That said, one major unknown is whether the initial vector is a document or the executable module ctrlpanel.exe.

"The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document," Svajcer said.

"It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to .DOC before infecting documents. That way, the infection may be a bit stealthier."

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.