The popular Japanese word processor software Ichitaro is no stranger to threats, particularly exploits taking advantage of the software’s vulnerabilities. Since 2007, we have reported the malware targeting Ichitaro’s security flaws.
This time, however, we uncovered an attack that employs an old trick that even Microsoft Office was previously vulnerable to (CVE-2011-1980). Typically, when an application or document is executed, it loads several .DLL files. It first checks the current directory where it was opened and if the .DLL is present, it then loads that file; but if not, it checks other folders such as System folder.
An attacker can take advantage of this to get an application to load a malicious DLL file instead of a legitimate one; this particular attack is known as DLL preloading. The samples we found only refers to the filename of the DLL file, so it will first search the current directory before checking the other folders in the system. While this vulnerability could be used to access a malicious DLL that is in a remote folder, that was not the case here.
The attack arrives as a malicious compressed file, attached to an email message. Inside the compressed file are two Ichitaro documents and JSMISC32.DLL. Using the vulnerability cited above, the Ichitaro software loads the modified .DLL (detected as PTCH_ETUMBOT.AV) once users open the document. We have been detecting this DLL file and its subsequent payload since January of this year.
This malicious DLL file appears to be a normal file upon cursory examination:
Figure 1. Screenshot of modified JSMISC32.DLL file
But upon further analysis, this file actually contains a code that loads a specific .JTD file (detected as BKDR_ANONY.AC). Because of this patch code, this .JTD file is loaded each time Ichitaro is opened. But what is the real nature of this file?
Figure 2. Code of the modified .DLL file
Figure 3. Malicious .JTD file using Ichitaro icon
At first sight, this .JTD looks harmless and uses a regular Ichitaro file icon. But a closer look reveals that this .DLL file, once loaded in the system, connects to specific URLs to report successful infection to a remote user. It also waits for possible instructions from the said malicious user. The malware also downloads encrypted files from the said sites. Trend Micro Smart Protection Network™ protects users from this threat by blocking the related email message and detecting the malware cited in this post.
The attack may sound simple, but its simplicity is its main strength. To avoid this attack, we advise users to be cautious when opening their email messages and avoiding downloading or executing files attached to these messages.