Decade-old malware haunts Ukrainian police
More than 100 documents containing potentially confidential information related to government and police activities in Ukraine were uploaded to a publicly accessible repository recently as the result of nearly decade-old malware, an unusual case in which an old and imperfect virus has escaped detection, allowing it to persist and continue to pose a threat.
The documents, discovered as part of normal threat hunting activities carried out by researchers with Cisco’s Talos Threat Intelligence Research Team, were infected with a virus named “OfflRouter,” which dates to 2015 and has not been examined extensively in public, according to an analysis shared exclusively with CyberScoop.
In this case, OfflRouter serves as a means to deliver an executable file known as “ctrlpanel.exe,” which attempts to lower Word security settings and select additional documents to infect, Vanja Svajcer, outreach researcher with Talos, told CyberScoop in an email.
The virus can only be spread by sharing laced documents and removable media, such as USB memory sticks, and only targets files with a “.doc” file extension, suggesting either that the virus was created to target a small number of entities or specific files, or that the virus’s author made a mistake in designing the malware. Newer versions of Word use the “.docx” file extension, but the “.doc” remains in use.
Against the backdrop of a number of different hacking operations in Ukraine, the re-emergence of an old virus represents an anomaly.
“When the same old virus, over the course of a few years (most recently in February 2024) causes users to upload over 100 official police and local government documents to VirusTotal, it becomes more interesting,” Svajcer said. “It seems likely to be impacting enough people to warrant the upload of significant amounts of documents.”
The virus is also also interesting, Svajcer added, because its activity is limited to Ukraine, where Russian hacking groups are carrying out constant aggressive cyber operations ranging from destructive activity to cyberespionage against public and private entities. The researchers could not determine who was behind the operation.
Talos researchers uncovered the virus after discovering several apparently Ukrainian local government and Ukrainian National Police documents uploaded to VirusTotal, a website used by threat intelligence researchers to scan documents for malware, viruses and other threats. Further investigation revealed more than 100 documents that included potentially confidential information about police activities.
The analysis of those documents revealed they were infected with OfflRouter. A 2018 OfflRouter analysis by the Slovakian government Computer Security Incident Response Team, also based on Ukrainian National Police files, noted that it was “rare” to discover malware that “looks like the 1st stage of some cyber operation, but currently it is not publicly known what tools on removable devices are used during the next stages and what kind of organizations are targeted in the campaign.”
That police files were uploaded in 2018 and more recently “indicates that the virus managed to survive over 5 years in that environment,” Svajcer said. “We think it is important to emphasize the risk of such a virus infecting government organizations and the dangers of non-deliberate data leaks which can happen as a result. Instead of VirusTotal, the data could have been leaked to a lot less friendly organization.”
The documents could be acting as lures to target additional agencies and organizations, according to the analysis. Lure documents — which are created by adding malware or abusing automated scripting capabilities in documents to deliver malware to carry out any number of tasks — are a common tactic employed by hacking groups as initial vectors to access targeted networks.
Recent examples include the Russian-linked Gamaredon group using documents laced with information-stealing malware that targeted Ukrainian agencies as part of a cyber espionage operation. Last summer, a hacking campaign tracked as UNC1151 (which has possible links to the Belarusian government), targeted several government agencies across Ukraine and Poland using the tactic, Talos reported at the time.
An ongoing hacking campaign tracked as RomCom, with potential ties to Russia, also abused the tactic in July 2023 to gather information on Ukraine’s efforts to join NATO during the NATO Summit, researchers with BlackBerry detailed in a report at the time.
