OfflRouter Malware Went Undetected in Ukraine for Nearly a Decade

Since 2015, a number of Ukrainian government networks have been infected with a piece of malware now tracked as OfflRouter.

Cisco Talos says its findings are based on an analysis of more than 100 confidential documents. Documents carrying the VBA macro virus first appeared on the VirusTotal malware scanning service in 2018, and more than 20 similar documents have been submitted since 2022.

Security researcher Vanja Svajcer explained: "The documents contained VBA code to drop and run an executable named 'ctrlpanel.exe'. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories."

Because OfflRouter has no ability to spread by email, it relies on other channels: document sharing and removable media, in particular USB memory sticks carrying infected documents.

A Talos researcher told The Hacker News: "It would require manual user intervention to send an infected document as an email attachment. That could be the reason why the virus stayed under the radar for such a long time, as it is not very noisy."

"We can only conjecture on why there is no systematic spread via email. Sometimes the malware is linked to an email document. In this situation, the virus would still continue to infect items on removable storage."

Whether these design decisions were deliberate is unknown, but they appear to have limited OfflRouter's spread to Ukraine and to a handful of organizations, which in turn helped it stay undetected for close to a decade.

The author of the virus is unknown, and there is no evidence that it was created in Ukraine.

Whoever wrote it, the unusual propagation method and the multiple errors in the source code suggest an author who is either creative or inexperienced.

OfflRouter was first spotted by MalwareHunterTeam in May 2018, and again by the Computer Security Incident Response Team Slovakia (CSIRT.SK) in August 2021, after infected documents turned up on the website of the National Police of Ukraine.

The method of operation has remained largely the same: Microsoft Word documents with embedded VBA macros drop a .NET executable named "ctrlpanel.exe", which then infects every file with a .DOC (not .DOCX) extension found on the system and on any attached removable media, inserting the same macro.

Svajcer said: "The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes: the function checks the document creation metadata, adds the creation times, and checks the value of the sum."

"If the sum is zero, the document is considered already infected."

The attack succeeds only if VBA macros are enabled. Since July 2022, Microsoft has disabled macros by default in Office documents obtained from the internet, which has pushed threat actors toward other initial access channels.

Microsoft's change reduces the effectiveness of macro-based attacks, but Cisco Talos told the outlet that many organizations in the affected region, including government bodies, are not running the most recent Office versions.

As the statement put it: "The main issue we tried to raise is not that a virus is active and affects Microsoft Office, but that, in reality, users can unknowingly upload confidential documents to public repositories. It really requires users to double check for the malware infection."

Another notable feature of the virus is that it modifies the Windows Registry so that the executable is started every time the machine boots.

In Svajcer's words: "The virus only affects documents with the filename extension .DOC, the default extension for OLE2 documents, and it will not attempt to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .DOCX, so only a few documents will be infected."

That is not all. Ctrlpanel.exe also searches attached removable media for prospective plugins with the .ORP extension and runs them on the computer, which implies that the virus expects plugins to arrive via USB drives or CD-ROMs.

Conversely, if plugins already exist on a host, OfflRouter encodes them and copies them, with the .ORP extension, to the root folder of any attached removable media. The copies are marked hidden, so they are not visible in File Explorer when the media is connected to another device.
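To make the targeting rules above concrete, the following is an added triage script (not Talos's code and nothing from the malware) that mimics what a responder would check on a suspect volume: .DOC-named files anywhere on it, split by whether the header really is an OLE2 Compound File Binary or a renamed OOXML container, and .ORP files sitting in the volume root, including hidden ones. The magic bytes are the standard CFB and ZIP signatures; the sample volume is constructed in a temporary directory; treating dot-prefixed names as hidden on non-Windows hosts is a portability assumption, and nothing here decodes the plugins, since the page does not describe the encoding.

```python
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) header
OOXML_MAGIC = b"PK\x03\x04"                        # .docx and friends are ZIP containers


@dataclass
class Finding:
    name: str      # file name only, for reporting
    path: str      # full path
    kind: str      # "doc-candidate", "doc-not-ole2" or "orp-plugin"
    hidden: bool


def is_hidden(p: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere (assumption)."""
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or p.name.startswith(".")


def triage_volume(root: str) -> list[Finding]:
    """List what OfflRouter would touch on a volume, per the behaviour described above."""
    root_path = Path(root)
    findings: list[Finding] = []

    # .ORP plugins are copied to the media root, so only the top level is checked.
    for entry in root_path.iterdir():
        if entry.is_file() and entry.suffix.lower() == ".orp":
            findings.append(Finding(entry.name, str(entry), "orp-plugin", is_hidden(entry)))

    # Infection candidates: extension .DOC only (case-insensitive); .DOCX is skipped.
    # The header check separates real OLE2 documents from renamed OOXML/other files.
    for entry in root_path.rglob("*"):
        if not entry.is_file() or entry.suffix.lower() != ".doc":
            continue
        with open(entry, "rb") as fh:
            head = fh.read(len(OLE2_MAGIC))
        kind = "doc-candidate" if head == OLE2_MAGIC else "doc-not-ole2"
        findings.append(Finding(entry.name, str(entry), kind, is_hidden(entry)))

    return sorted(findings, key=lambda f: f.path)


def build_sample_volume() -> str:
    """Constructed sample volume in a temp dir: no real documents or plugins."""
    vol = Path(tempfile.mkdtemp(prefix="offlrouter_triage_"))
    (vol / "reports").mkdir()
    (vol / "reports" / "budget.DOC").write_bytes(OLE2_MAGIC + b"\x00" * 504)   # CFB-looking header
    (vol / "reports" / "memo.docx").write_bytes(OOXML_MAGIC + b"\x00" * 60)    # never a candidate
    (vol / "reports" / "renamed.doc").write_bytes(OOXML_MAGIC + b"\x00" * 60)  # .doc name, OOXML content
    (vol / ".update.orp").write_bytes(b"constructed opaque bytes")             # hidden by dot-prefix
    (vol / "setup.ORP").write_bytes(b"constructed opaque bytes")
    return str(vol)


if __name__ == "__main__":
    for f in triage_volume(build_sample_volume()):
        print(f"{f.kind:14} hidden={str(f.hidden):5} {f.path}")
```

The point of the header check is that the extension filter and the file format are two different things: a .docx renamed to .doc is a candidate by name but is not an OLE2 container, while a genuine Word 97-2003 file saved with a .docx name is never considered at all.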

It is worth noting that it remains unclear whether the initial vector is a document or the executable module ctrlpanel.exe.

Svajcer said in a statement: "The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document."

"Additionally, it may be preferable to distribute the module as an executable. This way, it can run independently and configure the registry keys. Once the configuration is done, it is easy to activate the VBA code. Apart from this, the default saved file type can also be changed to .DOC before it infects documents. As an outcome, the infection could be a little stealthier."
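An added example (not from Talos and not the malware's own code) that hunts for both registry artifacts mentioned above in one pass over a .reg export: the autorun entry that launches ctrlpanel.exe at boot, and a Word default save format forced to .DOC as described in the closing quote. The sample export is constructed, the drop path under AppData\Roaming is an assumption, and the location of Word's setting (Office\<version>\Word\Options, value DefaultFormat, data "Doc") is my reading of how Word stores its "Save files in this format" option, not something the page states.

```python
import re
from dataclasses import dataclass

DROPPER_NAME = "ctrlpanel.exe"  # the .NET executable named in the Talos write-up

# Autorun locations: HKCU/HKLM ...\CurrentVersion\Run and RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Assumption: Word keeps "Save files in this format" under
# ...\Office\<version>\Word\Options, value DefaultFormat, data "Doc" for Word 97-2003.
WORD_OPTIONS_RE = re.compile(r"\\Office\\\d+\.\d+\\Word\\Options$", re.IGNORECASE)
# Only REG_SZ values ("name"="data") are parsed; dword/hex values are ignored.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


@dataclass
class Hit:
    key: str
    name: str
    data: str
    reason: str


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslash and double quote inside string data
            data = m["data"].replace('\\"', '"').replace("\\\\", "\\")
            yield key, m["name"], data


def find_offlrouter_artifacts(text: str) -> list[Hit]:
    """Flag autorun entries pointing at the dropper and a .DOC default save format."""
    hits: list[Hit] = []
    for key, name, data in parse_reg_export(text):
        if RUN_KEY_RE.search(key) and DROPPER_NAME in data.lower():
            hits.append(Hit(key, name, data, "autorun entry references the dropper"))
        elif (WORD_OPTIONS_RE.search(key) and name.lower() == "defaultformat"
              and data.lower() == "doc"):
            hits.append(Hit(key, name, data, "Word default save format forced to .DOC"))
    return hits


# Constructed export; the drop path under AppData\Roaming is an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctrlpanel"="C:\\Users\\user\\AppData\\Roaming\\ctrlpanel.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"BackgroundSave"=dword:00000001
"DefaultFormat"="Doc"
'''

if __name__ == "__main__":
    for h in find_offlrouter_artifacts(SAMPLE_EXPORT):
        print(f"{h.reason}: [{h.key}] {h.name} = {h.data}")
```

On a live host the same logic applies to the output of `reg export` for HKCU and HKLM; the script deliberately matches the dropper by file name in the value data rather than by value name, since the value name is under the attacker's control.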