Attackers are compromising governments and banks across Asia by exploiting a years-old zero-day vulnerability in InPage, a desktop publishing application aimed at users working in Urdu or Arabic.
Kaspersky Labs analyst Denis Legezo found the attacks and reported the zero-day to InPage, which he says ignored his
Legezo says InPage has some 19 million users, 10 million in Pakistan, six million in India, two million in the UK, and one million in the US.
If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.
"We don’t observe any public mentions of [the InPage] exploit so we consider it a zero day."
Legezo found live attacks, likely from multiple groups, utilising the zero-day vulnerabilities against unnamed banks and governments in Myanmar, Sri Lanka and Uganda.
Criminals are attaching multiple InPage files and also exploiting old bugs through attached .rtf and .doc files.
The analyst found several keyloggers and backdoors within the phishing emails used to attack InPage users.
He says the parser for the proprietary InPage file format contained a vulnerability that allowed attackers to gain control of instruction flow and then achieve remote code execution.
"By all appearances, this newly discovered exploit has been in the wild for several years," Legezo says.
Hackers have previously targeted regionally specific software. Several exploits have been found in the Hangul Word Processor, which is almost exclusively used in South Korea, in what Legezo says are attacks against Korean interests.