Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild

Contributor: Masaki Suenaga

We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro.

JustSystems has just announced a vulnerability that is currently being exploited in the wild. Symantec has seen the exploitation in the wild since mid-January, but it has been limited to users in Japan. The attacks using the exploit typically involve archive files containing the following files:

  • A clean Ichitaro document (.jtd file)
  • A modified JSMISC32.DLL file with a hidden attribute
  • A malicious DLL file with a hidden attribute and a .jtd file extension

Figure. The files found in the archive file

When an Ichitaro document is opened on a vulnerable computer, Ichitaro searches for the file JSMISC32.DLL, which is usually found in the installation path or system directory. In this targeted attack, when the clean Ichitaro document is opened, it executes JSMISC32.DLL, located in the same directory, which then launches the malicious DLL file with the .jtd file extension. JSMISC32.DLL is modified so that it loads the malicious .jtd file, which is actually a DLL file.

Symantec proactively detects the archive file that contains the files used in this attack as Bloodhound.Exploit.489. The malicious DLL is detected as either Trojan Horse or Backdoor.Trojan. To protect against this exploit, download the patch from JustSystems and make sure your security software is up to date.