Posted by Taeil Goh / March 6, 2017
This type of attack has a high success rate because most users don’t expect common file types to contain infections.
Microsoft Office documents and PDF are both well-known document formats for document-borne malware. However, they're not the only types of files used by attackers. Particularly outside the U.S., JTD and HWP documents can be used in targeted attacks.
JTD and HWP Files in Japan and South Korea
HWP (Hangul Word Processor from HANCOM Office suite) and JTD (Ichitaro Word Processing from JustSystems) are widely used file formats in South Korea and Japan respectively. These documents can be exploited just like Microsoft Office documents because they have similar capabilities. Both file formats can contain the exploitable objects described above.
It is common knowledge that the South Korean government uses the Hancom Office suite, Hanword to be specific, and therefore regularly uses HWP files to distribute information. However, this may leave government agencies exposed to advanced attacks.
Since not a lot of anti-malware solutions have focused on detecting malicious HWP files, they provide an easier target for advanced attacks. Because these kinds of files are not used very much outside of their localized markets, fewer anti-malware vendors see a need to support them.
These kinds of attacks are actually happening more and more frequently in South Korea and Japan, since both are big markets and use dedicated, localized software which has a low presence in outside markets.
Here are some examples of recent attacks:
- 2017 (HWP): Targeted malware campaign against South Korean users
- 2017 (HWP): South Korea Department of Defense is hacked
- 2015 (JTD): Blue Termite APT
- 2015 (JTD): EMDIVI
- 2014 (JTD): Operation CloudyOmega
- 2013 (JTD): Ichitaro zero-day attack
OPSWAT Metadefender Now Supports JTD and HWP Data Sanitization (CDR)
OPSWAT is committed to preventing any potential threats regardless of market size. That's why OPSWAT has released Metadefender support (beta version) for sanitizing JTD/HWP files via Metadefender Core. Very few security vendors can protect from threats hidden in these file formats.
Here is a demonstration of HWP-borne malware before and after data sanitization (CDR).
HWP malware that was used for the 2017 targeted malware campaign against South Korean users:
Visible content is not lost after sanitization. This is important because we do not sanitize only malicious content that we detect via Metadefender's multi-scanning technology, but also benign content with no detected malware.
HWP files sanitized
A similar example for JTD documents:
|Before Data Sanitization||After Data Sanitization|
Click images for scan results
How OPSWAT Metadefender Data Sanitization (CDR) Can Prevent Such Attacks
Data sanitization, also known as Content Disarm and Reconstruction (CDR), prevents any malicious content (including zero-day threats) from executing by removing all exploitable content from a file. High-risk files can be sanitized through several different methods:
Behind the Scenes: Always Bet on Metadefender
I made a bet with OPSWAT's CEO and founder, Benny Czarny, that Metadefender could support JTD/HWP data sanitization. As you have surely guessed by now, I won the bet – and a bottle of Scotch whisky (Glenlivet 18-year, to be precise) that I will enjoy for a while!
I collect my winnings from Benny
Upcoming Improvements to Metadefender's Data Sanitization
OPSWAT still has a lot of work remaining, and here is what we are planning for our data sanitization (CDR) functionality:
- Supporting other types of office document files from Hancom Office suite and JustSystems. This requires testing with a lot bigger sample sets than we currently have. If you have any samples you would like to share, please contact OPSWAT support.
- Currently, some visible content will be lost during the CDR process for HWP and JTD files. We will continue researching to preserve as much visible content as possible without bypassing exploitable content. For now, users may experience the loss of some visible content.
- Supporting CDR/data sanitization for other file types, such as AutoCAD and SketchUp files.