As per recent media reports, certain government networks in Ukraine have been infected with the Offlrouter malware since 2015. The Offlrouter malware Ukraine has managed to escape detection for nearly a decade now. However, VBA macro malware has recently come under the radar of Cisco Talos. 

In the article, we will dive into the details of the Offlrouter malware Ukraine and what the threat implies for cybersecurity practices.

Offlrouter Malware Ukraine: Initial Discovery

Based on the analysis report, Cisco Talos has stated that its analysis was conducted on the basis of 100 confidential documents that were infected with the VBA macro malware. The report further stated that the malware was uploaded to VirusTotal malware scanning platform in 2018. 

Moreover, 20 additional documents of a similar nature have been uploaded since 2022. Providing further insights into the Offlrouter malware Ukraine discovery, an excerpt from the malware reads:

“The uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.“

Infection Mechanism of the OfflRouter Malware

When it comes to spreading the malware, an insight worth noting here is that the Offlrouter malware can’t be distributed via email. Therefore, physical data transfer and sharing devices such as USBs containing the infected documents have to be used for distribution purposes. 

Researchers claim this is the reason why the malware was able to evade detection for nearly a decade. As far as the infection process is concerned, The VBA macro malware, which is integrated into a Word file, drops a .NET executable named “ctrlpanel.exe.” 

Once the malicious executable is activated, it infects all the files on user systems that have either the .DOC or .DOCX extension. The infection also continues to spread onto files with the same extensions that are stored on a removable device connected to the system. 

What makes the Offlrouter malware a severe threat is that it has the ability to modify the Windows Registry. This ensures that the malware automatically executes its malicious functionalities everytime the system is booted. 

Shedding light on its distribution mechanism, cybersecurity researchers have stated that:

“We can only speculate as to why there is no automated spreading by email. That said, if the malware was attached to a document sent via email, the virus would still attempt to infect files located on removable media.“

Cybersecurity Concerns and Implications 

The prevalence of malware with such detection evasion capabilities being found in government networks raises severe cybersecurity concerns. A key concern researchers currently have pertains to the malware’s ability of executing plugins. To do this, the malware uses the .ORP on removable devices. 

Such capabilities when initiated make the malware even more harmful as it can then be used for data exfiltration. These threats serve as a stark reminder as to why cybersecurity practices should be paramount. 

Conclusion 

Recent media reports have brought to light the OfflRouter Malware Ukraine. It’s a severe cyberthreat that has prevailed and evaded detection in Ukraine’s government networks. The VBA macro malware is distributed using Word documents, can modify the Windows Registry, and can be used for data exfiltration. 

Given this, it can be stated that both businesses and government organisations should adopt proactive cybersecurity measures to reduce their exposure to risk and be more resilient. 

The sources for this piece include articles in The Hacker News and Cisco Talos. 

The post OfflRouter Malware Ukraine: Govt Network Breach Since 2015 appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/offlrouter-malware-ukraine-govt-network-breach-since-2015/