Woburn, MA – November 23, 2016 – The Kaspersky Lab Global Research and Analysis Team has discovered attacks which appear to be using a zero-day exploit (a malicious program allowing additional malware to be silently installed) for the InPage text editor. InPage is a software package used by Urdu- and Arabic-speaking people and organizations around the world. The exploit was used in attacks against banks in several Asian and African countries.
InPage is widely used by media and print shops, as well as governmental and financial institutions, such as banks, that work with texts written in Perso-Arabic scripts. According to the InPage website, in addition to India and Pakistan where the software is widely used, there are thousands of users in other countries such as the United Kingdom, the United States, Canada, a number of countries in the European Union, South Africa, Bangladesh, Japan and other territories. The total number of InPage users is almost 2 million worldwide.
Attacked organizations identified by Kaspersky Lab researchers are located in Myanmar, Sri-Lanka and Uganda.
An example of a spear -hishing email containing a malicious InPage document.
The exploit is delivered to the victim via a spear-phishing email with the infected document attached. Upon successful exploitation of the vulnerability, the malware reports to a command and control server and then downloads legitimate remote access tools. In some cases it downloads malware based on the source code of the infamous banking trojan ZeuS. This set of tools is typical for financial cybercriminals.
The exact set of malicious instruments downloaded to the infected machine varies from victim to victim, as do the command and control servers from which the malicious tools are downloaded. This – along with a number of other artefacts – makes Kaspersky Lab researchers think that the zero-day is utilized by several threat groups.
Localized zero-days
It is not the first time that we see specific “local” software used to infect victims in a cyberattack. In 2013 Kaspersky Lab researchers observed similar tactics in the attacks attributed to the Icefog campaign. That time the attacker used malicious HWP documents which are made to work with Hangul Word Processor, a proprietary word processing application used extensively in South Korea.
“The use of vulnerabilities in specific software with a relatively low global presence and a very narrow target audience is an easy-to-understand tactic,” said Denis Legezo, security expert at Kaspersky Lab GReAT. “The attackers adjust their tactics to their target’s behavior by developing exploits for custom software which doesn’t always receive the kind of scrutiny that big software companies apply to their products. Since local software is not a common target of exploit writers, vendors are not very responsive to vulnerability reports and existing exploits remain workable for a long time,” he added.
Thanks to a wide range of technologies, users of Kaspersky Lab solutions have already been protected against this attack for quite some time and the protection has worked well in blocking a number of malicious InPage documents. Kaspersky Lab products successfully detect the InPage exploit with the following detection name: HEUR:Exploit.Win32.Generic.
Kaspersky Lab researchers are not yet aware of any actual incidents involving the theft of money as a result of infections using the InPage exploit. However this doesn’t mean that such attacks aren’t happening. Therefore security specialists advise financial organizations to check their systems for the presence of these threats and to implement the following measures:
- Make sure to have a corporate-grade internet security suite capable of catching exploits generically, such as Kaspersky Endpoint Security for Business.
- Instruct staff not to open attachments or URLs in emails sent from unknown sources.
- Use the most recent versions of software on endpoints in the company. Avoid using software known to be vulnerable. To automate these task use Vulnerability Assessment and Patch Management solutions.
- Subscribe to a professional threat intelligence service like the Kaspersky Lab APT reporting service to get instant access to actionable information on the most recent cyberattacks which may target an organization.
- Educate staff on cybersecurity. The malware sample that enabled the discovery of the exploit was found with the help of specifically created Yara rules. Invest in the education of security staff so that they are able to do the same on their own and therefore protect the organization from sophisticated targeted attacks.
To learn more about targeted attacks using the InPage zero-day vulnerability read the blog post on Securelist.com