Cisco Talos, a US cybersecurity firm, said it detected the OfflRouter virus in Ukrainian networks embedded in text documents “with potentially confidential information” during a “threat-hunting exercise.”

The virus remains active in Ukraine and could potentially upload documents of unsuspecting users whose computer is infected with the virus, it said.

The firm said the virus was embedded in legitimate documents – often originating from government agencies – as “lures” by adding “content that will trigger malicious behavior,” in a bid to entice unsuspecting governmental users to download and share the infected documents in order to target government and military organizations.

While Cisco Talos’ report makes clear that the virus infects other files on the user’s computer, it does not explain how an infected document would then come to be shared publicly.


“The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal [a cybersecurity monitoring site] from Ukraine and the documents’ upload dates,” read the firm’s blog post on Wednesday, April 17.

Cisco Talos shared a screenshot of one file that originates from the National Police of Ukraine uploaded by the virus to public domains, though Kyiv Post is unable to verify the confidential nature of the file due to the content being redacted.


However, Cisco Talos said the virus “has no capabilities to spread by email” and is only capable of spreading through file sharing and physical removable media, such as USB drives embedded with infected documents.

Moreover, the virus’s flawed design and choice of Ukrainian documents have led to its confinement within the country, whose low infection rates also allowed it to remain undetected for some time. 


“The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine [...] The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine,” reads the blog post.

However, the firm said that based on evidence uncovered during the debugging process, the virus likely did not originate from Ukraine.

“Even the debugging database string used to name the virus ‘E:\Projects\OfflRouter2\OfflRouter2\obj\Release\ctrlpanel.pdb’ present in the ctrlpanel.exe does not point to a non-English speaker,” reads the blog post.

Cisco Talos added that the abundance of mistakes in its code and oversights in its design – such as the virus targeting only the older, less common .doc file extension rather than the more popular .docx extension – meant that its creator was an “inexperienced developer.”

“We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code.


“This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents,” reads the blog post. 
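The quote above points to a quirk a defender can check for directly: a file carrying the legacy .doc extension while its bytes are actually an Office Open XML (ZIP-based) container. The following Python is an added illustration written for this article, not code from Cisco Talos or from the blog post; the function names, the sample byte strings and the mismatch policy are constructed here, while the two magic numbers are the publicly documented signatures of the Compound File (legacy .doc) and ZIP (.docx) formats.

```python
"""Triage check for Office documents whose extension does not match their
container format.  Added example for this article, not Cisco Talos's code.

The Talos post quoted above notes that OfflRouter targets files with the
legacy .doc extension even when they are internally Office Open XML.  A
defender triaging a document set can flag that mismatch cheaply from the
first bytes of each file, without parsing the document itself.

Assumptions (not from the article): the function names, the sample byte
strings and the mismatch policy below are constructed for illustration.
"""
from pathlib import PurePath

# Magic numbers for the two Word container formats (public, well-known values).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                            # Office Open XML (.docx is a ZIP)

# Extensions and the container a defender expects to find behind each.
EXPECTED_CONTAINER = {
    ".doc": "ole2",
    ".dot": "ole2",
    ".docx": "ooxml",
    ".docm": "ooxml",
    ".dotm": "ooxml",
}


def classify_container(data: bytes) -> str:
    """Return 'ole2', 'ooxml' or 'unknown' from the leading bytes of a file."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension implies one container but the bytes show another.

    Unknown containers and unlisted extensions are not reported as a mismatch;
    they should be triaged separately rather than silently passed.
    """
    expected = EXPECTED_CONTAINER.get(PurePath(filename).suffix.lower())
    actual = classify_container(data)
    if expected is None or actual == "unknown":
        return False
    return expected != actual


def triage(files: dict) -> list:
    """Return the names of files whose extension and container disagree."""
    return sorted(name for name, data in files.items() if extension_mismatch(name, data))


# Constructed sample files: headers only, padded so they look like real prefixes.
SAMPLE_FILES = {
    "memo.doc": OLE2_MAGIC + b"\x00" * 24,          # legacy .doc, as expected
    "order.docx": ZIP_MAGIC + b"\x14\x00\x06\x00",   # OOXML in .docx, as expected
    "report.doc": ZIP_MAGIC + b"\x14\x00\x06\x00",   # OOXML hidden behind .doc: flag it
    "notes.txt": b"plain text",                      # unlisted extension: ignored
}

if __name__ == "__main__":
    for name in triage(SAMPLE_FILES):
        print(f"extension/container mismatch: {name}")
```

Run against a directory of collected documents, the check is a cheap first pass: a .doc file that turns out to be a ZIP is not malicious by itself, but it is exactly the combination the post describes, so such files are worth pulling aside for closer inspection before they are opened or forwarded.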
