Second InPage exploits leveraged by multiple malware families.
Second InPage exploits leveraged by multiple malware families.

An exploit in the InPage word processor program was used as an attack vector by three malware families. The word processor supports languages such as Urdu, Persian, Pashto, and Arabic.

Palo Alto's Unit 42 researchers spotted three documents containing variants of the CONFUCIUS_B malware family, a backdoor commonly detected as “BioData”, and a previously unknown backdoor named MY24, according to a Nov. 2 blog post. The threes

“The three InPage exploit files are linked through their use of very similar shellcode, which suggests that either the same actor is behind these attacks, or the attackers have access to a shared builder,” researchers said in the report.

Decoy documents used in the exploits suggest the threat actors are politically or militarily motivated since they contained subjects such as intelligence reports and political situations related to India, the Kashmir region, or terrorism in an attempt to lure the victims into clicking them.

Researchers said they rarely see InPage used as an attack vector and that the only example seen before was documented by Kaspersky Labs in 2016 when a separate zero-day was used to attack financial institutions in Asia.

The numerous exploits used in recent attacks lead researchers to believe have a reasonable development resource behind them.  

InPage Urdu is the industry standard tools for page-making of newspapers, magazines and books in Urdu/Arabic languages, with the bulk of their users living in India and Pakistan, Chris Morales, Head of Security Analytics at Vectra told SC Media.

“We see this trend all the time in targeted attacks,” Morales said. “Attackers understand their targets working environment, identify key software to compromise to initially infect the target, and then once they establish a foothold, the attacker begins to snoop around for data to steal.”

The software is compromised with shellcode that would normally be detected after the infection as a remote access trojan and command and control and in this case there are three different pieces of malware used to target the victims that all exhibit similar behaviors, Morales added.

The exploits prove threat actors aren't just using the most recent attack methods but are being resourceful and using everything at their disposal.

“Using malicious document files is a very old attack vector that has worked a variety of word processing, spreadsheet and presentation programs for many years now,” Nathan Wenzler, chief security strategist at AsTech said. “In this way, InPage is just another application in a long line of word processing tools that has been targeted in this manner.”

Wenzler said its interesting how tailored the documents are to the type of industries beign targeted suggesting it was a phishing attack. He went on to say employees should remember that no matter how enticing or interesting the name of the document may be, it's important to not give in to that curiosity and open unknown documents and enterprises should patch as soon as patches are released.