Threat actors leverage InPage Zero-Day in targeted attacks in Asia

Share this…

Security researchers from Kaspersky Lab are warning of targeted attacks with InPage zero-day against a number of organizations in Asia.

According to experts from Kaspersky Lab, a number of organizations in Asia have been targeted with InPage zero-day.

InPage is a word processor widely used in Asia because is supports languages such as Urdu, Persian, Pashto and Arabic. Its user base includes academies, libraries, government organizations, and of course media companies.

inpage zero-day group

Vulnerabilities in such kind of software could be useful to launch targeted attacks against specific groups of people. Something similar occurred last year when researchers from FireEye pointed out the North Korea for a number of attacks against the South Korea relying a 0day in the South most popular Word processor, the Hangul Word Processor (HWP).

The investigation started in September 2016, when the experts analyzing a new wave of attacks spotted an interesting target which appeared to constantly receive spear phishing messages.

The malware researchers who investigated the attacks discovered that threat actors used a specific exploit file that had an InPage (.inp) extension. The file embedded a shellcode that was triggered on several InPage versions, the malicious code is able to decrypt itself and an EXE file contained in the decoy document.

This is the first time that exploits for InPage have previously been mentioned in public.

“Since no exploits for InPage have previously been mentioned in public, we took a closer look to see if the document was malicious or not. Further analysis indicated the file contained shellcode, which appeared to decrypt itself and further decrypt an EXE file embedded in the document.” explained Kaspersky researcher Denis Legezo.

“InPage uses its own proprietary file format that is based on the Microsoft Compound File Format. The parser in the software’s main module ‘inpage.exe’ contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution,” 

The attacks targeted various government and financial institutions in Asia and Africa, the experts noticed that hackers leveraged the InPage zero-day to deliver various backdoors and keyloggers.

“So far, victims of these attacks have been observed in Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.” continues Legezo.