SophosLabs researchers dissect PlugX Trojan targeting users in Japan


Our threat experts at SophosLabs have analyzed a new Trojan in the PlugX family seeking to exploit a vulnerability in Ichitaro, a word processing software popular in Japan, that allows a hacker to take control of your computer.

Although it’s not yet clear why the PlugX malware writers are targeting a relatively small number of Ichitaro users, our researchers have been tracking PlugX and its related variants for some time. And we can draw some important lessons from this recent attack.

The Trojan arrives as an attachment in messages claiming to contain “personnel info” that ask recipients to “please check it” and open the attachment. If you open the attachment, it delivers a payload that contacts a malicious domain for instructions.


The software vendor, Justsystems, has made a patch available. If you’re an Ichitaro user, you should patch this vulnerability immediately. You can see the security bulletin from Justsystems here (in Japanese).

Dissecting PlugX

As our expert blogger Paul Ducklin points out at Naked Security, we’ve only seen a few examples of this version of PlugX exploiting the Ichitaro vulnerability, so it’s hard to understand the malware creators’ motives. On the other hand, Paul says, this is a good reminder that even systems and software we don’t normally associate with malware attacks can, and will, be targeted.

For a more detailed explanation of what we know about PlugX and how it works, you should read Paul’s post: From the Labs: New PlugX variant takes aim at Japan. And be sure to check out the technical papers from SophosLabs Principal Researcher Gabor Szappanos on the PlugX family: Version 6.0 and another version called Smoaler.

Keep up with SophosLabs

Our SophosLabs threat researchers are some of the best minds in the security industry. To stay up to speed with their cutting-edge research, read our award-winning Naked Security blog, and follow them on Twitter, Facebook and YouTube.
