Keypoints
- Cisco Talos discovered 100+ Ukrainian Word documents infected with OfflRouter, a multi-component VBA/.NET virus active since 2015.
- The VBA macro in infected documents writes and launches ctrlpanel.exe by appending numeric values to a file via an overridden property setter.
- ctrlpanel.exe is a .NET module that uses Microsoft.Office.Interop.Word to programmatically generate and insert VBA code into target .doc files.
- The malware searches mounted drives (root folder only on fixed drives, recursively on removable drives) using Directory.GetFiles("*.doc") and also infects recently opened documents.
- Infection marks are set by zeroing file creation time components; the module attempts persistence via a Run registry key but the implementation contains a path bug that often breaks it.
- The PluginClass looks for .orp files on removable media, Base64-decodes names and contents, writes decoded plugins to C:\Users\Public\tools and executes them.
- IOCs include the ctrlpanel.exe hash, multiple infected document hashes, and the mutex name ctrlpanelapppppp; Talos published a GitHub IOC list.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – OfflRouter requires user-enabled macros to start the infection; [‘The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.’]
- [T1566.001] Phishing: Spearphishing Attachment – Documents are lures resembling legitimate local government/police files and can be used as initial vectors; [‘Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors.’]
- [T1059.005] Command and Scripting Interpreter: Visual Basic – VBA embedded in Word drops and reconstructs the ctrlpanel.exe payload and executes it; [‘Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.’]
- [T1112] Modify Registry – The module attempts to set a Run key for persistence but fails due to using only the folder path instead of full executable path; [‘it attempts to set the value Ctrlpanel of the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it runs on the Windows boot… the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.’]
- [T1083] File and Directory Discovery – The .NET module enumerates drives and uses Directory.GetFiles with the pattern “*.doc” to find target documents, with differing recursion for fixed vs. removable drives; [‘The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “*.doc” as a parameter.’]
- [T1027] Obfuscated Files or Information – The .NET component encodes the executable into numeric sequences and generates VBA code chunks (CheckHashX), making the embedded module non-contiguous and harder to detect; [‘the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.’]
- [T1106] Native API – The .NET module uses Office Interop (Microsoft.Vbe.Interop and Microsoft.Office.Interop.Word) to programmatically access and modify a document’s VBA project for infection; [‘the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.’]
- [T1485] Data Destruction (Integrity Impact) – The virus converts OLE2 .doc files to .docx with macros and alters file metadata (creation times) as an infection marker, which can impact data integrity; [‘If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).’]
Indicators of Compromise
- [File hash – ctrlpanel.exe] .NET module – 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 (ctrlpanel.exe)
- [Infected document hashes] examples – 2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c, 2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912, and 2 more hashes
- [Mutex] process mutex – ctrlpanelapppppp (used to prevent multiple module instances)
- [IOC repository] Talos IOC list – https://raw.githubusercontent.com/Cisco-Talos/IOCs/main/2024/04/offlrouter-virus-causes-upload-confidential-documents-to-virustotal.txt
OfflRouter infects a document when its VBA macro runs: the macro reconstructs and writes an executable (C:\Users\Public\ctrlpanel.exe) by appending numeric values via an overridden property setter, then launches it. Once active, ctrlpanel.exe creates a mutex (ctrlpanelapppppp), attempts to set a Run registry key for persistence (failing in many cases because the value holds only the folder path), and starts two timed background workers: VBAClass for generating and injecting VBA into target documents, and PluginClass for plugin discovery.
The .NET module uses Microsoft.Office.Interop.Word and the VBProject interop interface to open Word documents, convert OLE2 .doc files to macro-enabled DOCX, and insert dynamically generated VBA code. The code generator (MyScript) reads ctrlpanel.exe in 32-bit chunks, emits each chunk as a decimal integer assignment, and groups the assignments into CheckHashX subroutines (one per roughly 4 KB of payload); runs of repeated values are collapsed into loops to keep the generated code smaller. Before infecting a file, the module checks a creation-time marker (the sum of the hour, minute, second and millisecond fields of the file's creation time) so that it does not re-infect an already infected document, and after infection it zeroes those fields to set the marker.
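To show what the two infection traces described above look like from the defender's side, here is an added triage example in Python (not Talos code): the creation-time marker check, and a heuristic over extracted VBA source that counts CheckHashX subroutines and integer-assignment lines. Assumptions not taken from the report: the VBA source has already been extracted to text (for instance with oletools' olevba), creation times are passed in as POSIX timestamps so the check is OS-neutral, and the thresholds and the sample macro are constructed for this example.

```python
"""Added triage example for the OfflRouter infection traces described above.
Not Talos code. Assumptions: VBA source is already extracted to text (e.g. with
oletools' olevba); creation time arrives as a POSIX timestamp; the thresholds
and SAMPLE_VBA below are constructed for this example."""
import re
from datetime import datetime, timezone
from typing import List

# An integer assignment on its own line: the report says each such line appends one
# chunk of ctrlpanel.exe to the dropped file. Dotted names cover property-style targets.
INT_ASSIGN = re.compile(r"^\s*[A-Za-z_][\w.]*\s*=\s*-?\d+\s*$")
# One CheckHash<N> subroutine per roughly 4 KB of payload, per the report.
CHECKHASH_SUB = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+CheckHash\d+\b", re.IGNORECASE)

# Thresholds are an assumption for this example, not values from the report.
MIN_CHECKHASH_SUBS = 1
MIN_INT_ASSIGNMENTS = 50


def has_creation_marker(created: datetime) -> bool:
    """True when the time-of-day fields of the creation time are all zero.

    OfflRouter sums hour, minute, second and millisecond and treats a zero sum as
    'already infected'; after infecting a file it zeroes those fields. A file that
    really was created at exactly midnight matches too, so this is a lead, not proof.
    """
    return created.hour + created.minute + created.second + created.microsecond == 0


def creation_marker_from_timestamp(ts: float, tz=timezone.utc) -> bool:
    """Same check for a POSIX timestamp (e.g. st_birthtime / GetCreationTime).

    Use the local zone the infected host ran in; UTC is the default only so the
    example behaves the same everywhere.
    """
    return has_creation_marker(datetime.fromtimestamp(ts, tz=tz))


def vba_payload_stats(vba_source: str) -> dict:
    """Count the structural traces of the generated dropper in VBA source text."""
    checkhash = int_assign = 0
    for line in vba_source.splitlines():
        if CHECKHASH_SUB.match(line):
            checkhash += 1
        elif INT_ASSIGN.match(line):
            int_assign += 1
    return {
        "checkhash_subs": checkhash,
        "int_assignments": int_assign,
        "suspicious": checkhash >= MIN_CHECKHASH_SUBS and int_assign >= MIN_INT_ASSIGNMENTS,
    }


def triage_document(created_ts: float, vba_source: str, tz=timezone.utc) -> List[str]:
    """Return the reasons a document deserves a closer look (empty list = nothing found)."""
    reasons = []
    if creation_marker_from_timestamp(created_ts, tz):
        reasons.append("creation time has zeroed time-of-day fields (OfflRouter infection marker)")
    stats = vba_payload_stats(vba_source)
    if stats["suspicious"]:
        reasons.append(
            f"VBA has {stats['checkhash_subs']} CheckHash sub(s) and "
            f"{stats['int_assignments']} integer-assignment lines (embedded-executable pattern)"
        )
    return reasons


# Constructed sample macro with the shape the report describes; the numbers are
# arbitrary and carry no real payload.
SAMPLE_VBA = "\n".join(
    ['Attribute VB_Name = "ThisDocument"', "Sub CheckHash1()"]
    + [f"    h.Value = {n * 7}" for n in range(60)]
    + ["End Sub", "Private Sub Document_Open()", "    CheckHash1", "End Sub"]
)

if __name__ == "__main__":
    # 1711929600 is 2024-04-01 00:00:00 UTC: a timestamp carrying the marker.
    for reason in triage_document(1711929600, SAMPLE_VBA):
        print("FLAG:", reason)
```

The marker check alone is weak evidence (any file created exactly on the hour at midnight matches), so the script only reports it alongside the macro heuristic; a hit on both is worth pulling the document's VBA for a full look.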
The malware locates targets with Directory.GetFiles("*.doc"), searching only the root folder of fixed drives but recursing through removable drives, and also tries to infect recently opened documents to raise its success rate. Plugin handling is notable: the PluginClass looks for .orp files on attached removable media, Base64-decodes the filename and content, writes the decoded executables to C:\Users\Public\tools (or, when exporting, writes .orp files to the media), sets the hidden and system attributes, and executes the decoded plugins, so additional payloads can arrive over physical media rather than email. Read more: https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confidential-documents-to-virustotal/
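As an added example (Python, not Talos code) of how a responder can inventory the .orp plugin carriers described above without running anything: list .orp files on a mounted removable volume, Base64-decode the name and content, and report the decoded name together with a SHA-256 of the decoded content for comparison against published IOCs. Assumptions not taken from the report: the encoded plugin name is the file stem before the .orp extension, and the sample names and bytes are constructed.

```python
"""Added triage example for .orp plugin carriers on removable media. Not Talos code.
Assumption: the Base64-encoded plugin name is the file's stem (name without the
.orp extension); the report only says that name and content are Base64-encoded.
Nothing is written to disk or executed; decoded content is only hashed."""
import base64
import binascii
import hashlib
from pathlib import Path
from typing import List, Optional


def decode_orp_name(filename: str) -> Optional[str]:
    """Recover the plugin's intended name from an .orp filename, or None if it does not decode."""
    if not filename.lower().endswith(".orp"):
        return None
    stem = filename[:-4]
    try:
        raw = base64.b64decode(stem, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def decode_orp_content(data: bytes) -> Optional[bytes]:
    """Base64-decode the carrier's content; None when it is not valid Base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_orp(filename: str, data: bytes) -> dict:
    """Describe one .orp carrier: decoded name, hash of decoded content, PE-header hint."""
    content = decode_orp_content(data)
    return {
        "file": filename,
        "decoded_name": decode_orp_name(filename),
        "decoded_sha256": hashlib.sha256(content).hexdigest() if content is not None else None,
        # 'MZ' is the DOS header magic every Windows executable starts with.
        "looks_like_pe": content is not None and content[:2] == b"MZ",
    }


def scan_removable(root: Path) -> List[dict]:
    """Walk a mounted removable volume and triage every .orp file found (recursive, as the malware is)."""
    return [triage_orp(p.name, p.read_bytes()) for p in root.rglob("*.orp")]


if __name__ == "__main__":
    # Constructed sample: "update.exe" Base64-encoded as the stem, and a 4-byte
    # body that decodes to the DOS header bytes MZ 90 00 (no real plugin).
    sample = triage_orp("dXBkYXRlLmV4ZQ==.orp", b"TVqQAA==")
    print(sample)
```

Run `scan_removable(Path("/media/usb"))` (or the drive letter on Windows) on a write-blocked mount; the decoded_sha256 values are what you compare against the hashes in the Talos IOC list.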