The security industry, as well as IT administrators across the globe, has been busy recently dealing with multiple zero-day vulnerabilities emerging in quick succession. Before anyone has time to draw a breath after the barrage, yet another zero-day has appeared, ready to cause people problems. Well, for people in Japan at least, since the vulnerability is in the Japanese word-processing software Ichitaro.
Ichitaro developer JustSystems recently announced that Ichitaro products are affected by the Multiple Ichitaro Products Unspecified Remote Code Execution Vulnerability (CVE-2013-5990), which allows the execution of arbitrary code. In September 2013, Symantec discovered attacks in the wild attempting to exploit this vulnerability; however, in our testing environment the exploits failed to compromise the system. As always, we followed the responsible vulnerability disclosure process after this discovery.
Our analysis revealed that the samples for these attacks, detected as Trojan.Mdropper, all contained the same back door Trojan, which Symantec detects as Backdoor.Vidgrab. Had the exploit succeeded, the shellcode would have dropped and launched the simplified Chinese version of notepad.exe while compromising the system, with the back door then connecting to a remote site. Coincidentally, the identical Backdoor.Vidgrab variant was used as the payload of a watering hole attack exploiting the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), which was patched in October 2013. It is reasonable to assume that the same malware group, or another group with close connections to it, is behind the attacks that used the Internet Explorer and Ichitaro vulnerabilities. According to Trend Micro, Backdoor.Vidgrab is known to be used against the Asia-Pacific region, with government sectors being the primary targets. Symantec telemetry does not dispute this claim.
Although Trojan.Mdropper is sent to targets as an email attachment with the Ichitaro file extension .jtd, the files are actually rich text format (.rtf) files. Even so, they cannot be opened with Microsoft Word, as they are crafted to work only with Ichitaro. An interesting point of this campaign is that the malware group used unusual subject lines and email content of a kind not commonly seen in targeted attacks. One of the emails used in the campaign can be seen in the following figure.
Figure. Email used in targeted attack
The email invites the recipient to buy various goods from a popular Japanese online shopping site, stating that all members will earn double the usual points on their purchases and receive free shipping. The attachment, presented as a flyer, contains the Ichitaro exploit.
In June 2013, Symantec came across a similar Trojan.Mdropper variant with the .jtd file extension, sent to an organization that also received the malware described above. The main difference is the file format: while the recent attacks used rich text format, the earlier campaign used a Microsoft Word document with an embedded Microsoft Graph chart. The specially crafted Word document was created with a Simplified Chinese edition of Microsoft Office. According to our research, this exploit code also failed to exploit the vulnerability successfully. Had it succeeded, the shellcode would have downloaded malware from the following URL:
http://googles.al[REMOVED]my.com/index.html
The server hosting this domain has been associated with the group that Mandiant refers to as APT12. The downloaded malware is detected as Trojan.Krast.
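Both campaigns share one trait a mail gateway can check without any signature for the exploit itself: the attachment name ends in .jtd, but the bytes are a rich text file (September 2013) or a Word binary document (June 2013). The following is an added example, not code from this post or from Symantec's products, showing that extension-versus-content check run over a MIME message. The message and attachment bytes are constructed for the demonstration; the "WordDocument" stream-name heuristic for recognizing a Word container inside an OLE2 file, and the choice not to flag other OLE2 content (since a genuine Ichitaro file could itself be an OLE2 container), are assumptions of the example, not statements from the post.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Content signatures (magic bytes). RTF files begin with "{\rtf"; OLE2 compound
# files (the container used by legacy Word .doc) begin with D0 CF 11 E0 A1 B1 1A E1.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Heuristic (assumption of this example): OLE2 directory entries store stream
# names as UTF-16LE, and a Word binary document carries a "WordDocument" stream.
WORD_STREAM = "WordDocument".encode("utf-16-le")


def sniff_format(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the file name entirely."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2-word" if WORD_STREAM in data else "ole2"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); flag .jtd names whose content is RTF or Word."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    if ext == "jtd" and fmt == "rtf":
        return "alert", f"{filename}: .jtd extension but RTF content (as in the September 2013 samples)"
    if ext == "jtd" and fmt == "ole2-word":
        return "alert", f"{filename}: .jtd extension but Word binary document (as in the June 2013 sample)"
    return "ok", f"{filename}: content type {fmt}"


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and check every attachment it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.append(check_attachment(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message (not a real campaign sample) with three .jtd attachments."""
    msg = EmailMessage()
    msg["From"] = "promo@shop.example"
    msg["To"] = "target@victim.example"
    msg["Subject"] = "Double points and free shipping for all members"
    msg.set_content("Please see the attached flyer.")
    # 1. RTF disguised as .jtd, mirroring the September 2013 lure.
    rtf = b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} Member campaign flyer\\par}"
    msg.add_attachment(rtf, maintype="application", subtype="octet-stream", filename="flyer.jtd")
    # 2. OLE2 header plus a "WordDocument" stream name, mirroring the June 2013 lure.
    doc = OLE2_MAGIC + b"\x00" * 504 + WORD_STREAM + b"\x00" * 64
    msg.add_attachment(doc, maintype="application", subtype="octet-stream", filename="notice.jtd")
    # 3. Bytes that match neither signature; this check leaves them alone.
    other = b"JTDX" + b"\x00" * 28
    msg.add_attachment(other, maintype="application", subtype="octet-stream", filename="memo.jtd")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict, reason in scan_message(build_sample_message()):
        print(verdict.upper(), reason)
```

Running the script prints two ALERT lines for flyer.jtd and notice.jtd and an OK line for memo.jtd. The point of the design is that the verdict never consults the declared MIME type or the extension alone; only the combination of a .jtd name with bytes that belong to another format is flagged, which is exactly the disguise both campaigns relied on.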
The attackers, possibly members of the APT12 group, who may also have developed Backdoor.Vidgrab, are persistently going after similar, if not identical, targets by attempting to exploit Ichitaro. They may also be using the targets as guinea pigs to test whether the exploit code works properly. The attacks may likewise be a precursor: the attackers could have run these tests to find email content and subject lines that are enticing enough to lure targets into opening the malicious attachment.
The .jtd files described in this blog are detected as Trojan.Mdropper. Symantec's .Cloud products also block emails carrying the malicious Ichitaro attachment.
To prevent a possible compromise, Ichitaro users are advised to download and apply the latest patch from JustSystems. Since the attachments in both campaigns were RTF or Word files carrying a .jtd name, mail gateways that classify attachments by their content rather than by their extension can also flag them.