An exploit targeting the InPage word processor was used as an attack vector by three malware families.
Palo Alto's Unit 42 researchers spotted three documents containing variants of the CONFUCIUS_B malware family, a backdoor commonly detected as “BioData”, and a previously unknown backdoor named MY24, according to a 2 November blog post.
“The three InPage exploit files are linked through their use of very similar shellcode, which suggests that either the same actor is behind these attacks, or the attackers have access to a shared builder,” researchers said in the report.
Decoy documents used in the exploits suggest the threat actors are politically or militarily motivated: they covered subjects such as intelligence reports and political situations related to India, the Kashmir region, or terrorism, chosen to lure victims into opening them.
Researchers said they rarely see InPage used as an attack vector; the only earlier example was documented by Kaspersky Labs in 2016, when a separate zero-day was used to attack financial institutions in Asia.
The number of exploits used in the recent attacks leads researchers to believe the attackers have reasonable development resources behind them.
InPage Urdu is the industry-standard tool for page-making of newspapers, magazines and books in the Urdu and Arabic languages, with the bulk of its users living in India and Pakistan, Chris Morales, head of security analytics at Vectra, told us.
“We see this trend all the time in targeted attacks,” Morales said. “Attackers understand their targets' working environment, identify key software to compromise to initially infect the target, and then, once they establish a foothold, the attacker begins to snoop around for data to steal.”
The software is compromised with shellcode that would normally be detected after the infection as a remote access trojan and command-and-control, and in this case there are three different pieces of malware used to target the victims that all exhibit similar behaviors, Morales added.
The exploits prove threat actors aren't just using the most recent attack methods but are being resourceful and using everything at their disposal.