Attackers use ancient zero-day to pop Asian banks, govts
Flawed desktop publishing tool for readers of Urdu and Arabic phlayed with phishing
Attackers are compromising governments and banks across Asia by exploiting a years-old zero-day vulnerability in InPage, a desktop publishing application aimed at users working in Urdu or Arabic.
Kaspersky Labs analyst Denis Legezo found the attacks and reported the zero-day to InPage, which he says ignored his disclosures.
Legezo says InPage has some 19 million users, 10 million in Pakistan, six million in India, two million in the UK, and one million in the US.
If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.
"We don't observe any public mentions of [the InPage] exploit so we consider it a zero-day."
Legezo found live attacks, likely from multiple groups, utilising the zero-day vulnerability against unnamed banks and governments in Myanmar, Sri Lanka and Uganda.
Criminals are attaching multiple InPage files to a single message and also exploiting old bugs through attached .rtf and .doc files.
The analyst found several keyloggers and backdoors within the phishing emails used to attack InPage users.
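Because the lure is a phishing mail carrying several document attachments of a handful of types (InPage files plus .rtf and .doc), a mail gateway can flag such messages before the vulnerable parser ever sees them. The script below is an added example, not code from the article or from Kaspersky; it constructs a fake multi-attachment message inline and flags attachments by extension. The use of `.inp` as the InPage file extension is an assumption of this example, and the quarantine threshold is a hypothetical policy knob.

```python
"""Flag mail that carries document attachments of the types this campaign used.

Added example, not from the original article or from Kaspersky. Assumptions:
InPage documents use the .inp extension (assumed here), and the policy flags a
message once it carries at least `threshold` attachments with a listed
extension. The sample message and its attachment bodies are constructed inline
and contain no real InPage, RTF or DOC data.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types named in the article: InPage files, RTF and DOC.
# ".inp" as the InPage extension is an assumption of this example.
RISKY_EXTENSIONS = {".inp", ".rtf", ".doc"}


def build_sample_email() -> bytes:
    """Construct a phishing-style message with several attachments (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Updated press release"
    msg.set_content("Please see the attached documents.")
    # Constructed attachment bodies; none of this is real document content.
    msg.add_attachment(b"fake inpage bytes", maintype="application",
                       subtype="octet-stream", filename="release.inp")
    msg.add_attachment(b"{\\rtf1 fake}", maintype="application",
                       subtype="rtf", filename="schedule.rtf")
    msg.add_attachment(b"fake doc bytes", maintype="application",
                       subtype="msword", filename="memo.doc")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


def risky_attachments(raw_message: bytes) -> list[str]:
    """Return, sorted, the filenames of attachments whose extension is on the risky list."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            flagged.append(name)
    return sorted(flagged)


def should_quarantine(raw_message: bytes, threshold: int = 1) -> bool:
    """Quarantine when at least `threshold` risky attachments are present (hypothetical policy)."""
    return len(risky_attachments(raw_message)) >= threshold


if __name__ == "__main__":
    sample = build_sample_email()
    print("flagged:", risky_attachments(sample))
    print("quarantine:", should_quarantine(sample))
```

Matching on extension alone is the weakest possible check; in production the gateway should also inspect the attachment's actual format (magic bytes) and treat a mismatch between declared name and content as its own signal, since a renamed document file is exactly what a phishing operator would try.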
He says the parser for the proprietary InPage file format contained a vulnerability that allowed attackers to hijack the program's control flow and achieve remote code execution.
"By all appearances, this newly discovered exploit has been in the wild for several years," Legezo says.
Hackers have previously targeted regionally specific software. Several exploits have been found in the Hangul Word Processor, used almost exclusively in South Korea, in what Legezo says are attacks against Korean interests. ®