In September 2016, we detected a number of attacks aimed at targets located in Africa and Asia. Among the victims were government agencies and several banks. All of them were attacked using a zero-day exploit for InPage – a software suit to work with texts in Farsi, Urdu, Pushtu and Arabic – sent in via e-mails.
The malicious e-mails sent to targets in Myanmar, Sri-Lanka and Uganda bore several infected documents in various formats – Word (.doc, .docx) and InPage (.inp). Word exploits are well-known and won’t run in the recently updated software environment, while InPage exploit works fine even in the latest version of the software.
The first #zero-day #exploit for InPage text processor had been used in attacks on Asian banks. #infosec #0dayTweet
Interestingly, it’s the first exploit for InPage ever detected. Kaspersky Lab’s software detect the built-in shellcode and identify this malware as HEUR:Exploit.Win32.Generic.
That’s not the first time when vulnerabilities in the locally popular software is being exploited. Another outstanding example was an exploit for Hangul Word Processor (a South-Korean text processor), deployed during the Icefog campaign.
Using a narrowly specialized software only used in certain industries allows to focus the attack even narrower; the perpetrators thus have more control over the malicious campaign. In the case of InPage, these are organizations include banks and governments.
Unlike zero days in software like Flash or Windows that are patched quickly, exploits for uncommon software suites like InPage can take much longer to patch. The limited use of the software can also mean that discovery of zero days will be long overdue.
Even though the exploited vulnerability still exists, users of Kaspersky Lab’s products are protected thanks to heuristic analysis technology. Still, an approach like this is very unsafe when facing other campaigns, as these exploits stay undetected for years. In order to ensure your safety follow a few of general rules:
- Update all software used in a timely manner, operating systems included.
- Limit users’ privileges in the OS.
- Deploy White Lists and Default Deny approach on critical endpoints.
- Use the security software with heuristic analysis and cloud-based file assessment functions available.
- Subscribe to professional cybersecurity information services, such as Kaspersky Lab’s APT Intelligence Reporting.
- Keep your IT security department functional: the modern cybersecurity methods allow to detect even previously unknown threats.
- Train your employees in cybersecurity basics: in order to get protected from the intrusion it is often enough that an employee abstains from opening an e-mailed file.
In order to subscribe to Kaspersky APT Intelligence Reporting please fill the form below: