In a previous blog, Symantec reported a new Ichitaro zero-day vulnerability known as the Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2013-5990). This flaw was being actively exploited in the wild, but the exploit was not properly working to compromise computers. A week after that, we confirmed a working exploit in multiple incidents which is actually capable of infecting targeted computers with a back door used typically in targeted attacks. The format of the file used to exploit the vulnerability, as was the case in previous attacks, is a rich text format which targets the word processing software Ichitaro, developed by Justsystems.
In the earlier cases where the exploit was unsuccessful, variants of Backdoor.Vidgrab were planted along with the shell codes in the malicious documents. The shell code was never able to drop the back door in our testing environment for these samples. The latest malicious document files come with a shell code to drop various types of malware detected as Backdoor.Korplug, Backdoor.Misdat and Trojan Horse, all of which are back door Trojans typically observed in targeted attacks. Backdoor.Korplug has been commonly used in targeted attacks ever since it surfaced in 2012. Backdoor.Misdat was mainly observed back in 2011 when it was used to target organizations in locations such as the United States and Japan, but it has not be observed in recent attacks.
The tactic has shifted from consistently using Backdoor.Vidgrab as the payload during the failed exploit attempts to now using a variety of back doors for the successful exploits. We have also observed that the targeted audience has been expanded to include a larger pool of organizations. This may signify that the attackers are now performing real, meaningful attacks on their prey by exploiting the Ichitaro vulnerability as opposed to running a testing operation to confirm if the exploitation has succeeded or failed. It could perhaps be an indication that the attackers have potentially started sharing a tool kit that puts together attacks exploiting Ichitaro with others attackers. Whatever the case may be, we are observing an increase in attacks exploiting this vulnerability and Ichitaro users should be should be wary of these attacks.
The discovery of multiple attacks that successfully exploit the vulnerability shouldn’t be a huge concern to Ichitaro users though. A patch for the flaw has already been released and is available to download. If customers have not applied the fix yet, we urge them to take the time now to do so. Symantec detects the malicious rich text files described in this blog as Trojan.Mdropper.