The OfflRouter virus has persisted in Ukrainian government networks for almost 10 years

How did the attackers manage to disguise their malware, and what functions does it perform?

Some Ukrainian government networks have remained infected with a malicious program called OfflRouter since 2015. Researchers from Cisco Talos analyzed more than 100 infected documents, which allowed them to confirm that the virus is still active on the territory of Ukraine.

A distinctive feature of OfflRouter is that it does not spread via email; it is transmitted only locally, through documents carried on removable media such as USB flash drives. This propagation mechanism is what keeps the infection confined to Ukraine, though it also significantly limits the number of affected organizations.

"The virus is still active in Ukraine and results in potentially sensitive documents being uploaded to public file repositories," said Vanja Svajcer, a security researcher at Cisco Talos.

It is not yet known who is behind this malware. The researchers found no indication of whether it was developed inside Ukraine or by someone outside it. Whoever the author is, Talos describes them as inventive but inexperienced, citing several errors in the code and the incomplete coverage of the attack.

OfflRouter has been spotted several times before by various security organizations. It was first reported in 2018 by MalwareHunterTeam, and in 2021 CSIRT.SK passed information about the infected files directly to Ukrainian cyber specialists.

Yet three years later, the malware is still operating successfully in the country's government networks, and neither its code nor its mode of operation has changed since then: a VBA macro embedded in a Microsoft Word document drops a .NET executable named "ctrlpanel.exe" when the infected document is opened. That executable then infects every file with the ".doc" extension it finds on the computer and on connected removable media, leaving ".docx" documents and files of any other format untouched.

It is odd that the focus is only on ".doc", since that significantly reduces the number of potentially useful documents the attackers could collect. This is probably what the Talos specialists had in mind when they spoke of incomplete attack coverage.

One of OfflRouter's features is that it modifies the Windows registry so that the malicious module is launched automatically every time the system boots. Together with additional modules that it looks for on removable media, this lets the virus spread efficiently and stay unnoticed.

In addition, when infecting documents, the virus uses sophisticated checks to recognize files it has already infected, which rules out re-infection.
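The infection mechanism described above (a VBA macro inside a legacy ".doc" file that drops the executable, with ".docx" files left alone) suggests a simple hunt a defender can run over a suspect USB stick or file share: look for ".doc" files that carry a VBA project. The script below is an added example written for this page, not code from Cisco Talos or from the malware. It uses a triage heuristic of my own (an OLE compound-file magic header plus the UTF-16LE directory names "Macros" and "_VBA_PROJECT" that a Word VBA project creates) rather than a full OLE parse; the sample file contents are constructed stand-ins, not real captures, and anything it flags should be confirmed with a proper tool such as oletools' olevba.

```python
import hashlib
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML .docx (zip container)

# OLE directory-entry names are stored as UTF-16LE. A Word document carrying a
# VBA project has a "Macros" storage containing a "_VBA_PROJECT" stream, so both
# names appear inside the file. Heuristic for triage only, not a full OLE parse.
MACROS_NAME = "Macros".encode("utf-16-le")
VBA_PROJECT_NAME = "_VBA_PROJECT".encode("utf-16-le")


def container_type(data: bytes) -> str:
    """Classify a file by its magic bytes rather than by its extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def has_vba_project(data: bytes) -> bool:
    """True if the bytes look like a legacy .doc that embeds a VBA project."""
    if container_type(data) != "ole":
        return False
    return MACROS_NAME in data and VBA_PROJECT_NAME in data


def scan_files(files, extensions=(".doc",)):
    """files maps path -> bytes. Returns one finding per macro-bearing file.

    The default scope is ".doc" only, because the page says OfflRouter infects
    .doc files and leaves .docx alone; widen `extensions` for a general hunt.
    """
    extensions = tuple(e.lower() for e in extensions)
    findings = []
    for path, data in sorted(files.items()):
        if os.path.splitext(path)[1].lower() not in extensions:
            continue
        if has_vba_project(data):
            findings.append({
                "path": path,
                "container": container_type(data),
                # hash lets an analyst cross-check the file against public repositories
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return findings


def scan_directory(root, extensions=(".doc",)):
    """Read every candidate file under root (e.g. a mounted USB stick) and scan it."""
    extensions = tuple(e.lower() for e in extensions)
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[path] = fh.read()
    return scan_files(files, extensions)


# Constructed stand-in files (not real samples): just enough of the OLE layout
# to exercise the heuristic offline. A real run points scan_directory at a drive.
SAMPLE_FILES = {
    "E:/report.doc": OLE_MAGIC + b"\x00" * 504 + MACROS_NAME + b"\x00" * 52 + VBA_PROJECT_NAME,
    "E:/minutes.doc": OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
    "E:/notes.docx": ZIP_MAGIC + b"\x00" * 26,
    "E:/budget.xls": OLE_MAGIC + b"\x00" * 504 + MACROS_NAME + VBA_PROJECT_NAME,
}


if __name__ == "__main__":
    import json
    import sys

    result = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    print(json.dumps(result, indent=2))
```

Run it with a mount point as the first argument to scan a real drive; with no argument it scans the constructed samples and reports only "E:/report.doc". Classifying by magic bytes rather than extension matters here because a ".doc" file is only a candidate for this infection if it really is an OLE container, and the hash in each finding gives the analyst something to look up without re-uploading the document anywhere.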

It is worth noting that in relatively recent editions of Microsoft Office, Microsoft has begun to block macros by default, so a victim has to enable them manually before the computer can be infected.

However, many organizations in Ukraine, including government ones, may still be using old versions of Microsoft Office, which could mean OfflRouter stays active until cyber experts tackle the problem thoroughly.

Moreover, attackers have long used clever social engineering tricks, such as displaying a fake notice that the file's contents cannot be viewed until macros are enabled, to get around Microsoft's restrictions and infect the target computer.

The OfflRouter case clearly demonstrates the need for continuous modernization of security measures, closer cooperation between cybersecurity experts, and timely software updates in government agencies to counter evolving threats.