The OfflRouter virus has persisted in Ukrainian networks since 2015, primarily spread through infected documents. Cisco Talos‘ analysis reveals a unique propagation method, as the malware lacks the ability to spread via email, instead relying on manual intervention for transmission. Despite its decade-long presence, the origins of OfflRouter and its creators remain unidentified, adding to the mystery surrounding its development and deployment.
Infected documents containing VBA code are the primary carriers of OfflRouter, dropping a .NET executable named “ctrlpanel.exe” upon execution. This executable then infects all .DOC files on the system and other removable media, with the malware designed to target specifically this file extension. Additionally, OfflRouter modifies the Windows Registry to ensure the executable runs on system boot, ensuring persistence and further propagation.
One notable feature of OfflRouter is its encoding and manipulation of potential plugins present on removable drives, expanding its reach beyond initial document infections. By hiding these files and executing them on the host system, the malware exhibits a level of sophistication in its propagation strategy. However, the exact initial vector of the infection remains uncertain, whether through documents or the executable module “ctrlpanel.exe,” posing challenges for detection and mitigation efforts.
Despite preventive measures by Microsoft to block macros in Office documents downloaded from the internet, many organizations in the affected region, including government entities, still utilize outdated Office versions, leaving them vulnerable to such attacks. Cisco Talos emphasizes the importance of user vigilance and updated security measures to prevent unwitting uploads of confidential documents to public repositories.
