South Korea-Aligned Attacker Group Exploits WPS Office Vulnerability (CVE-2024-7262)

APT-C-60, a South Korea-aligned cyber espionage group, has been exploiting a zero-day vulnerability in the Windows version of WPS Office. Attackers exploited the vulnerability to install the SpyGlace backdoor on East Asian targets. Tracked as CVE-2024-7262, the vulnerability allows an attacker to perform remote code execution.

ESET (Electronic Systems Engineering Technology) researchers discovered and reported CVE-2024-7262. While investigating the code execution vulnerability, the researchers identified another critical vulnerability (CVE-2024-7263) in WPS Office.

CISA acknowledged the active exploitation of CVE-2024-7262 by adding it to its Known Exploited Vulnerabilities Catalog and requesting users patch the flaw before September 24, 2024.

WPS Office is a productivity suite developed by the Chinese firm Kingsoft that lets users view and edit files such as PDFs, Word, Excel, PowerPoint, and Forms. It is available for Microsoft Windows, macOS, Linux, iOS, Android, Fire OS, and HarmonyOS. As per the reports, it has over 500 million active users worldwide.

APT-C-60 exploitation of CVE-2024-7262

CVE-2024-7262 stems from how the software handles custom protocol handlers, namely ‘ksoqing://’, which allows external programs to be executed via carefully constructed URLs embedded in documents. Because the URLs are not properly validated and sanitized, attackers can craft malicious hyperlinks that lead to arbitrary code execution.

To start the exploit, APT-C-60 produced spreadsheet documents (MHTML files) in which the malicious hyperlink is hidden beneath a decoy image, deceiving the user into clicking it.

One of the processed URL parameters is a base64-encoded command to run a particular plugin, promecefpluginhost.exe, which in turn tries to load a malicious DLL (ksojscore.dll) containing the attacker’s code.

This DLL is APT-C-60’s downloader component, intended to retrieve the final payload, TaskControler.dll, from the attacker’s server. TaskControler.dll is a custom backdoor called “SpyGlace.”

CVE-2024-7263

The improper path validation vulnerability exists in the promecefpluginhost.exe plugin. The vulnerability may allow an attacker to perform remote code execution on the target system.

Affected Versions

CVE-2024-7262

WPS Office versions ranging from 12.2.0.13110 to 12.2.0.16412 (exclusive)

CVE-2024-7263

WPS Office versions ranging from 12.2.0.13110 to 12.2.0.17115 (exclusive)
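As an added defensive example (not part of this post, nor ESET’s or Kingsoft’s tooling), the following Python checks a WPS Office build string against the two affected ranges above and triages any ksoqing:// hyperlinks found in a document’s text by base64-decoding their parameters and looking for the plugin host and DLL names described in the exploitation section. The ‘cmd’ parameter name and the sample command are constructed placeholders, since the post does not give the real URL format.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Affected build ranges as stated above: lower bound inclusive, upper bound exclusive.
AFFECTED = {
    "CVE-2024-7262": ((12, 2, 0, 13110), (12, 2, 0, 16412)),
    "CVE-2024-7263": ((12, 2, 0, 13110), (12, 2, 0, 17115)),
}

def affected_cves(version: str) -> list:
    """Return the CVEs whose affected range contains this WPS Office build."""
    ver = tuple(int(x) for x in version.strip().split("."))
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= ver < hi]

# MHTML is plain text, so the abused scheme can be searched for directly.
KSOQING_RE = re.compile(r"ksoqing://[^\s\"'<>]+", re.IGNORECASE)
# Artefact names from the campaign description: the plugin host and a DLL load.
INDICATORS = ("promecefpluginhost.exe", ".dll")

def _maybe_b64(value: str) -> str:
    """Best-effort base64 decode of a URL parameter; '' when it is not base64."""
    raw = unquote(value)
    try:
        padded = raw + "=" * (-len(raw) % 4)
        return base64.b64decode(padded, validate=False).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def triage_document(text: str) -> list:
    """List each ksoqing:// link and whether its decoded parameters name the plugin host or a DLL."""
    findings = []
    for url in KSOQING_RE.findall(text):
        query = urlparse(url).query
        # Split manually: parse_qs would turn '+' (a base64 character) into a space.
        decoded = [_maybe_b64(part.partition("=")[2]) for part in query.split("&") if part]
        blob = " ".join(decoded).lower()
        hits = [ind for ind in INDICATORS if ind in blob]
        findings.append({"url": url, "suspicious": bool(hits), "indicators": hits})
    return findings

# Constructed sample: the 'cmd' parameter name and the command text are
# placeholders for illustration, not the real APT-C-60 URL format.
SAMPLE_CMD = base64.b64encode(b"run promecefpluginhost.exe load ksojscore.dll").decode()
SAMPLE_DOC = (
    '<a href="https://example.org/report">quarterly figures</a>\n'
    f'<a href="ksoqing://plugin?cmd={SAMPLE_CMD}"><img src="cid:decoy.png"></a>\n'
)
```

Running `triage_document(SAMPLE_DOC)` reports the single ksoqing:// link as suspicious with both indicators, while `affected_cves("12.2.0.16412")` returns only CVE-2024-7263 because that build is the first fixed one for CVE-2024-7262.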

Mitigation

Kingsoft has released patches for both vulnerabilities.

For more information, please refer to the WPS Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QIDs 380420 and 380422 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://www.wps.com/whatsnew/pc/20240422/
