Choose Ukrainian authorities networks have remained contaminated with a malware known as OfflRouter since 2015.
Cisco Talos stated its findings are based mostly on an evaluation of over 100 confidential paperwork that had been contaminated with the VBA macro virus and uploaded to the VirusTotal malware scanning platform.
“The paperwork contained VBA code to drop and run an executable with the title ‘ctrlpanel.exe,'” safety researcher Vanja Svajcer stated. “The virus continues to be lively in Ukraine and is inflicting doubtlessly confidential paperwork to be uploaded to publicly accessible doc repositories.”
A putting facet of OfflRouter is its lack of ability to unfold through e mail, necessitating that it’s propagated through different means, equivalent to sharing paperwork and detachable media, together with USB reminiscence sticks containing the contaminated paperwork.
These design decisions, intentional or in any other case, are stated to have confined the unfold of OfflRouter inside Ukraine’s borders and to some organizations, thus escaping detection for nearly 10 years.
It is presently not identified who’s accountable for the malware and there are not any indications that it was developed by somebody from Ukraine.
Whoever it’s, they’ve been described as creative but inexperienced owing to the bizarre propagation mechanism and the presence of a number of errors within the supply code.
OfflRouter has been beforehand highlighted by MalwareHunterTeam as early as Might 2018 and once more by the Laptop Safety Incident Response Workforce Slovakia (CSIRT.SK) in August 2021, detailing contaminated paperwork uploaded to the Nationwide Police of Ukraine’s web site.
The modus operandi has remained nearly unchanged, with the VBA macro-embedded Microsoft Phrase paperwork dropping a .NET executable named “ctrlpanel.exe,” which then infects all recordsdata with the .DOC (not .DOCX) extension discovered on the system and different detachable media with the identical macro.
“The an infection iterates by means of a listing of the doc candidates to contaminate and makes use of an progressive technique to examine the doc an infection marker to keep away from a number of an infection processes – the operate checks the doc creation metadata, provides the creation instances, and checks the worth of the sum,” Svajcer stated.
“If the sum is zero, the doc is taken into account already contaminated.”
That stated, the assault turns into profitable solely when VBA macros are enabled. Microsoft, as of July 2022, has been blocking macros by default in Workplace paperwork downloaded from the web, prompting menace actors to hunt different preliminary entry pathways.
One other key operate of the malware is to make Home windows Registry modifications in order to make sure that the executable runs each time upon booting the system.
“The virus targets solely paperwork with the filename extension .DOC, the default extension for the OLE2 paperwork, and it’ll not attempt to infect different filename extensions,” Svajcer elaborated. “The default Phrase doc filename extension for the newer Phrase variations is .DOCX, so few paperwork shall be contaminated because of this.”
That is not all. Ctrlpanel.exe can also be geared up to seek for potential plugins (with the extension .ORP) current on detachable drives and execute them on the machine, which suggests the malware is anticipating the plugins to be delivered through USB drives or CD-ROMs.
One the opposite, if the plugins are already current on a number, OfflRouter takes care of encoding them, copying the recordsdata to the foundation folder of the hooked up detachable media with the filename extension .ORP, and manipulating them to make them hidden in order that they aren’t seen by means of the File Explorer when plugging them into one other gadget.
That stated, one main unknown is whether or not the preliminary vector is a doc or the executable module ctrlpanel.exe.
“The benefit of the two-module virus is that it may be unfold as a standalone executable or as an contaminated doc,” Svajcer stated.
“It could even be advantageous to initially unfold as an executable because the module can run standalone and set the registry keys to permit execution of the VBA code and altering of the default saved file codecs to .DOC earlier than infecting paperwork. That manner, the an infection could also be a bit stealthier.”
