Ichitaro exploit used to deliver backdoors to Japanese organisations

Researchers at Symantec have uncovered the exploits of a cyber-espionage group targeting organisations in Japan.

According to a blog post by the firm last week, malicious emails were used to spread the backdoors Emdivi, Korplug and ZXshell to victims. Instead of simply including a link to compromised websites in phishing mail, attackers used booby-trapped Ichitaro document files to spread malware.

The attack leverages a remote code execution vulnerability, CVE-2014-7247, in the widely used Ichitaro word processor, so that users running vulnerable versions of the software are exploited when they open the document. The backdoors are all designed to “steal confidential information from the compromised computer,” Symantec said.

The cyber-espionage campaign, “Operation CloudyOmega,” has been active since 2011 and its perpetrators have “communication channels with other notorious attack groups,” like Hidden Lynx, the firm noted. A patch for the zero-day vulnerability is now available.

First published by SC in the US.