In late September 2011, it was reported that a previously unknown and unpatched vulnerability in Hancom Office (a word processing package used predominantly in Korea) was being exploited in the wild. We often hear of new exploits targeting software used worldwide, and while those incidents tend to grab all the attention, we also encounter cases where regional software, which often has a limited user base, becomes an exploit target. One example of a similar regional product that has also been exploited in malware attacks is Ichitaro, a word processor used mostly by government organizations and their associates in Japan.
In this case, we managed to track down a couple of malware samples that exploited the reported vulnerability in the Hancom products. The samples are document files (file extension .hwp), and the exploit is attempted when the document is opened on a machine with a vulnerable version of Hancom Office installed. A successful exploit results in malware being dropped on the machine and a back door being opened to a predetermined site.
Using regional software does not remove the risk of malware attack; this recent attack on Hancom products and the past attacks using Ichitaro are proof of this. As malicious attackers continue to look for new security holes to use in malware attacks, regional software can play an important role in the malware creator's arsenal, and we expect this to be a niche but growing area for future attacks.
Detection and mitigation
The malicious document files are detected as Bloodhound.Olexe. Backdoor.Trojan detection covers the dropped files.
The vulnerability was patched in mid-October by Hancom, which published an advisory to inform customers about the issue. In addition, the local Internet and security agency also posted an advisory.
To reduce the risk from these types of attacks, software should be kept up to date, and users should exercise caution when opening unknown email attachments or files.
Symantec will be presenting on targeted attacks that use vulnerabilities in regional software in Hong Kong this week at the AVAR