Japanese word processor 'Ichitaro' zero-day attack discovered in the wild

The vulnerability is caused due to an unspecified error when handling certain document files. "We confirm the existence of vulnerabilities in some of our products." company blog says.

In a blog post, Antivirus Firm Symantec confirmed that in September 2013, they have discovered attacks in the wild attempting to exploit this vulnerability during, detected as Trojan.Mdropper, which is a variant of Backdoor.Vidgrab.

Researchers mentioned that Backdoor.Vidgrab variant was used as a payload for a watering hole attack exploiting the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893), which was patched in October 2013.

According to them, it is reasonable to assume that the same malware group, or another group with close connections, is behind the attacks that utilized the Internet Explorer and Ichitaro vulnerabilities.

"Backdoor.Vidgrab is known to be used to target the Asia-Pacific region with government sectors being the primary targets."

Attackers are distributing malware with spear phishing attack, as email attachments with the Ichitaro file extension .jtd, the files are actually .rtf or rich text format files. The files cannot be opened using Microsoft Word as they are designed to work only with Ichitaro.

"The attackers, possibly belonging to the APT12 group who may have also developed BackdoorVidgrab, are persistently targeting similar, if not the identical, targets by attempting to exploit Ichitaro." Symantec says.

A patch is available from the Ichitaro Web site to fix the vulnerability on the relevant products.