{
	"id": "db41463c-4a59-4f46-98cb-0d24236633f3",
	"created_at": "2026-04-06T00:19:55.198117Z",
	"updated_at": "2026-04-10T03:21:52.563988Z",
	"deleted_at": null,
	"sha1_hash": "0f85b69a412d6ee349d405fa6b4f0dfeef3d980b",
	"title": "InPage zero-day exploit used to attack financial institutions in Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 442418,
	"plain_text": "InPage zero-day exploit used to attack financial institutions in Asia\r\nBy Denis Legezo\r\nPublished: 2016-11-23 · Archived: 2026-04-05 18:33:25 UTC\r\nIn September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with: “.inp”. Further investigation revealed this was an InPage document. InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.\r\nInPage user groups from the vendor’s official site\r\nSince no exploits for InPage had previously been mentioned in public, we took a closer look to see whether the document was malicious or not. Further analysis indicated that the file contained shellcode, which appeared to decrypt itself and then decrypt an EXE file embedded in the document. The shellcode appeared to trigger on several versions of InPage. We did not observe any public mentions of such an exploit, so we consider it a zero-day. We reported it to the vendor and CERT-IN; the assigned vulnerability number is CVE-2017-12824.\r\nDiscovery and analysis\r\nInPage is an interesting choice of vulnerable software, as it is widely used within the Indian Muslim population, as well as in Pakistan. This, of course, includes local mass media and print shops, governmental and financial institutions (banks). If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.\r\nhttps://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/\r\nPage 1 of 5\r\nDue to its wide range of technologies, it was perhaps not surprising to see that Kaspersky Lab products already detect the exploit with the generic rule HEUR:Exploit.Win32.Generic. This detection is triggered by the presence of the shellcode inside a Microsoft Compound Storage file (OLE), which works extremely well for a wide category of Office-based exploits going back to 2009.\r\nThe good news is that Kaspersky Lab users have been protected against this attack for quite some time, and the protection worked well in the past when it blocked a number of malicious InPage documents.\r\nAmong the various phishing campaigns relying on this exploit, one particular attack attracted our attention. The targets of this attack were special, since they were banks in Asia and Africa. The payload and C\u0026C servers are also different from the recent attacks we have observed, meaning there are probably several actors utilizing this zero-day exploit at the moment.\r\nTechnical details\r\nSpearphishing e-mail with several malicious attachments. The .inp contains the zero-day exploit\r\nIn their attacks, the threat actors often use more than one malicious document. During spearphishing, the actors attached InPage files as well as .rtf and .doc files carrying old, popular exploits.\r\nLooking through all the related documents we could find, we counted several different versions of keyloggers and backdoors written mostly in Visual C++, Delphi and Visual Basic.\r\nOne such keylogger we analysed (MD5 hash: 18a5194a4254cefe8644d191cb96da21) was written in Visual C++. After gaining control, the module decodes several internal strings. One of them is the C2 domain name visitorzilla[.]com. This backdoor maintains persistence by creating “C:\\Documents and Settings\\\u003cUSER\u003e\\Start Menu\\Programs\\Startup\\DataABackup.lnk”. Similar to the other campaign modules, it uses SetWindowsHook() with a WH_KEYBOARD_LL hook to gather keystrokes. To store keystroke data, the module uses two files on disk: C:\\Documents and Settings\\\u003cUSER\u003e\\Application Data\\DataBackup\\sed.ic and me.ic (located in the same directory).\r\nInside weaponized documents\r\nInPage uses its own proprietary file format, which is based on the Microsoft Compound File Format. The parser in the software’s main module “inpage.exe” contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.\r\nThe shellcode has three main parts:\r\n1. Pattern searcher (a so-called “egg hunter”) before the decoder;\r\n2. Decoder;\r\n3. Downloader.\r\nThe pattern searcher looks through the whole virtual memory space attempting to find the pattern “68726872”. Once the searcher identifies this pattern, it starts the next stage of the exploit, the decoder.\r\nShellcode decryptor\r\nThe small decoder obtains the instruction pointer using the FLDPI + FSTENV instructions (an old and uncommon technique). The decoder uses an arithmetic NOT followed by an XOR with 0xAC to decrypt the next stage. Next, the downloader fetches a remote payload using InternetReadFile() and runs it using the WinExec() function in the %userprofile% directory. This functionality is very common and we have seen it with many other exploits. It is the choice of vulnerable software that is interesting in this case and, for sure, the appearance of an exploit for software that is popular mostly in India and Pakistan.\r\nThe final payload is a Trojan written in Visual Basic 6. It defines a hook using the SetWindowsHook() function with the WH_MSGFILTER parameter. It communicates with its C2 server at 195.189.227.26 on port 8080. During the initial session the C2 server sends “Pass” and the host replies with “Auth\u003cusername\u003e@\u003chostname\u003e\\#/\u003cOS version\u003e\\#/\u003cIP address\u003e\\#/-”. In addition to b4invite[.]com, this same Trojan was also spread using a configuration with the C2 server relaybg[.]com.\r\nVictims\r\nSo far, victims of these attacks have been observed in Myanmar, Sri Lanka and Uganda. The victims’ sectors include both financial and governmental institutions.\r\nConclusions\r\nBy all appearances, this newly discovered exploit has been in the wild for several years. In some ways, it reminds us of other similar exploits for Hangul Word Processor, another language/region-specific text processing suite used almost exclusively in South Korea. HWP has been plagued by several exploits in the past, which have been used by various threat groups to attack Korean interests.\r\nDespite our attempts, we have not been able to get in touch with the InPage developers. By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new variants that fix these problems.\r\nThe best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security. Installing the Microsoft EMET tool can also help, as well as running the most recent version of Windows (10). Finally, default-deny policies, also known as allowlisting, can mitigate many such attacks.\r\nThe Australian Signals Directorate Top35 list of mitigation strategies shows us that at least 85% of intrusions could have been mitigated by following the top four mitigation strategies together. These are: application allowlisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions to cover the first three of these (i.e. all the technology-based strategies) as well as most of the others from ASD’s Top35 list.\r\nKaspersky Lab detects this exploit as HEUR:Exploit.Win32.Generic.\r\nMore information about this exploit, associated campaigns and attacks is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com\r\nIndicators of compromise:\r\nHashes\r\nC\u0026Cs used in the samples dropped by the weaponized InPage documents:\r\nSource: https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/"
	],
	"report_names": [
		"76717"
	],
	"threat_actors": [],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f85b69a412d6ee349d405fa6b4f0dfeef3d980b.pdf",
		"text": "https://archive.orkl.eu/0f85b69a412d6ee349d405fa6b4f0dfeef3d980b.txt",
		"img": "https://archive.orkl.eu/0f85b69a412d6ee349d405fa6b4f0dfeef3d980b.jpg"
	}
}