Security researchers from Kaspersky Lab are warning of targeted attacks with InPage zero-day against a number of organizations in Asia.
According to experts from Kaspersky Lab, a number of organizations in Asia have been targeted with InPage zero-day.
InPage is a word processor widely used in Asia because is supports languages such as Urdu, Persian, Pashto and Arabic. Its user base includes academies, libraries, government organizations, and of course media companies.
Vulnerabilities in such kind of software could be useful to launch targeted attacks against specific groups of people. Something similar occurred last year when researchers from FireEye pointed out the North Korea for a number of attacks against the South Korea relying a 0day in the South most popular Word processor, the Hangul Word Processor (HWP).
The investigation started in September 2016, when the experts analyzing a new wave of attacks spotted an interesting target which appeared to constantly receive spear phishing messages.
The malware researchers who investigated the attacks discovered that threat actors used a specific exploit file that had an InPage (.inp) extension. The file embedded a shellcode that was triggered on several InPage versions, the malicious code is able to decrypt itself and an EXE file contained in the decoy document.
This is the first time that exploits for InPage have previously been mentioned in public.
“Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not. Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document.” explained Kaspersky researcher Denis Legezo.
“InPage uses its own proprietary file format that is based on the Microsoft Compound File Format. The parser in the software’s main module ‘inpage.exe’ contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution,”
The attacks targeted various government and financial institutions in Asia and Africa, the experts noticed that hackers leveraged the InPage zero-day to deliver various backdoors and keyloggers.
“So far, victims of these attacks have been observed in Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.” continues Legezo.
Kaspersky tried to report the issue to InPage without success.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.