Faulty decade-old OfflRouter virus targets organizations in Ukraine

Researchers have discovered more than 100 Ukrainian documents uploaded to a public repository which were infected with malicious code. 

The documents, potentially containing confidential information related to a Ukrainian local government organization and the national police, were found on VirusTotal by analysts from Cisco Talos and, according to researchers, may be used as lures to infect other organizations.

In a report released Wednesday, Cisco Talos said that the documents were infected with a little-known virus named OfflRouter, which dates back to 2015. The virus remains active in Ukraine and may pose a threat to organizations’ confidential data.

“We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code,” researchers said.

The malware design may have limited its spread to just a few organizations in Ukraine while allowing it to remain active and undetected for a long time.

OfflRouter was created to deliver an executable file, which runs when a document is opened. The virus only targets victims’ files with a .doc extension. Given that the filename extension for more recent Word versions is .docx, it is possible that the developer made a mistake or that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension.

Although the virus is active in Ukraine, there are no indications that it was created there, researchers said.

The malware was previously reported by the Slovakian computer security incident response team (CSIRT), which stated that the deployment of OfflRouter was likely the first stage of a cyber operation in Ukraine. 

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine, according to Cisco Talos.

The malware can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email is another likely reason why the virus stayed confined to Ukraine, researchers said.

The researchers couldn’t identify the hackers behind the virus operation but said they've previously seen files uploaded to open-source repositories that were potential lures to target government and military organizations, including in Ukraine.

For example, malicious document lures with externally referenced templates written in the Ukrainian language are used by the Russia-backed Gamaredon group as an initial infection vector. 

Researchers have also previously discovered military-themed lures in Ukrainian and Polish, mimicking official PowerPoint and Excel files, to launch the so-called Picasso loader, which installs remote access trojans onto victims' systems.