Targeted Attack Exploits Ichitaro Vulnerability

JustSystems, developer of the Japanese word processor software called Ichitaro, recently announced a vulnerability—Multiple Ichitaro Products CVE-2013-3644 Remote Code Execution Vulnerability (CVE-2013-3644)—that has been exploited by attackers in the wild. Symantec has seen the exploitation being used in targeted attacks since May, but it has been limited to users in Japan and the volume of attacks has been minimal.

The attacker can leverage this vulnerability by sending a specially crafted attachment as part of a spear phishing campaign. When a user opens the malicious Ichitaro document file, arbitrary code is executed causing malware to be dropped onto the computer. Symantec detects the malicious document files as Trojan.Tarodrop.M. Files dropped by the exploit depend on the specific attack but are generally detected as Trojans, such as Backdoor.Specfix.

We continue to monitor this threat to improve coverage and will provide any relevant updates when possible. Symantec strongly advises users to update their antivirus definitions regularly and ensure the latest Ichitaro patch is installed.