Preventing Targeted Attacks That Use JTD or HWP Documents

Infected Document

An increasingly popular and effective method of compromising computer security, especially as part of a targeted attack, involves sharing common document types or image files with victims. Even though the original versions of these files do not contain executable data, attackers have found ways to trigger these files to execute embedded malicious code. Popular techniques used to accomplish this include VBA macros, exploit payloads, and embedded Flash or JavaScript code.

This type of attack has a high success rate because most users don't expect common file types to contain infections.

Microsoft Office documents and PDF are both well-known document formats for document-borne malware. However, they're not the only types of files used by attackers. Particularly outside the U.S., JTD and HWP documents can be used in targeted attacks.

JTD and HWP Files in Japan and South Korea

HWP (Hangul Word Processor from HANCOM Office suite) and JTD (Ichitaro Word Processing from JustSystems) are widely used file formats in South Korea and Japan respectively. These documents can be exploited just like Microsoft Office documents because they have similar capabilities. Both file formats can contain the exploitable objects described above.

It is common knowledge that the South Korean government uses the Hancom Office suite, Hanword to be specific, and therefore regularly uses HWP files to distribute information. However, this may leave government agencies exposed to advanced attacks.

Since not a lot of anti-malware solutions have focused on detecting malicious HWP files, they provide an easier target for advanced attacks. Because these kinds of files are not used very much outside of their localized markets, fewer anti-malware vendors see a need to support them.

These kinds of attacks are actually happening more and more frequently in South Korea and Japan, since both are big markets and use dedicated, localized software which has a low presence in outside markets.

Here are some examples of recent attacks:

OPSWAT MetaDefender Now Supports JTD and HWP Data Sanitization (CDR)

OPSWAT is committed to preventing any potential threats regardless of market size. That's why OPSWAT has released MetaDefender support (beta version) for sanitizing JTD/HWP files via MetaDefender Core. Very few security vendors can protect from threats hidden in these file formats.

Here is a demonstration of HWP-borne malware before and after data sanitization (CDR).

HWP malware that was used for the 2017 targeted malware campaign against South Korean users:

Visible content is not lost after sanitization. This is important because we do not sanitize only malicious content that we detect via MetaDefender's multi-scanning technology, but also benign content with no detected malware.

HWP Files Data Sanitization

HWP files sanitized

A similar example for JTD documents:

Before Data SanitizationAfter Data Sanitization
JTD File Before SanitizationJTD File After Sanitization

Click images for scan results

How OPSWAT MetaDefender Data Sanitization (CDR) Can Prevent Such Attacks

Data sanitization, also known as Content Disarm and Reconstruction (CDR), prevents any malicious content (including zero-day threats) from executing by removing all exploitable content from a file. High-risk files can be sanitized through several different methods:

Behind the Scenes: Always Bet on MetaDefender

I made a bet with OPSWAT's CEO and founder, Benny Czarny, that MetaDefender could support JTD/HWP data sanitization. As you have surely guessed by now, I won the bet — and a bottle of Scotch whisky (Glenlivet 18-year, to be precise) that I will enjoy for a while!

Taeil Wins the Bet

I collect my winnings from Benny

Upcoming Improvements to MetaDefender's Data Sanitization

OPSWAT still has a lot of work remaining, and here is what we are planning for our data sanitization (CDR) functionality:

  1. Supporting other types of office document files from Hancom Office suite and JustSystems. This requires testing with a lot bigger sample sets than we currently have. If you have any samples you would like to share, please contact OPSWAT support.
  2. Currently, some visible content will be lost during the CDR process for HWP and JTD files. We will continue researching to preserve as much visible content as possible without bypassing exploitable content. For now, users may experience the loss of some visible content.
  3. Supporting CDR/data sanitization for other file types, such as AutoCAD and SketchUp files.

Sign up for Blog updates

Get information and insight from the leaders in advanced threat prevention.