OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

• During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
• The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that’s delivered via the .NET interop functionality to infect Word documents. 
• The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active …

cisco cisco talos code confidential documents exercise hunting infect information investigation malicious may offlrouter organizations presence results talos threat ukraine ukrainian upload vba virus virustotal