APT Hackers Exploiting Zero-Day Vulnerabilities in WPS Office


ESET researchers have uncovered two critical zero-day vulnerabilities in WPS Office for Windows, exploited by the advanced persistent threat (APT) group APT-C-60.

This South Korea-aligned cyberespionage group has been targeting users in East Asian countries, leveraging these vulnerabilities to execute malicious code and deploy malware.


The first vulnerability, identified as CVE-2024-7262, involves a code execution flaw in WPS Office’s plugin component, promecefpluginhost.exe.

The vulnerability arises from the lack of proper sanitization of attacker-provided file paths and inadequate validation of plugins being loaded.


This flaw allows attackers to hijack the control flow of the application, enabling the execution of arbitrary code. The exploitation process involves crafting a malicious spreadsheet document that, when opened in WPS Office, triggers the execution of a custom backdoor named SpyGlace. This backdoor, also known as TaskControler.dll, is used to deliver malware to the targeted systems.

Attack Flow (source: ESET)

APT-C-60’s attack method involves using an MHTML file format, which is a multipart archive that can include HTML, CSS, and JavaScript files.

This format allows the attackers to embed a hidden hyperlink within the document. When users interact with this hyperlink, it triggers the remote execution of malicious code by downloading a library from a remote file path.

The attackers exploit the ksoqing protocol handler registered by WPS Office to execute external applications via specially crafted URLs.
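For triage of suspicious documents, the following added example (not code from ESET, Kingsoft, or the original article) walks the MIME parts of an MHTML archive and reports any URL that uses the ksoqing scheme. The function name, the sample archive, and its `PLACEHOLDER` link target are constructed for illustration.

```python
import email
import re

# Scheme of the WPS Office protocol handler named in the article.
KSOQING_RE = re.compile(r"\bksoqing:[^\"'\s<>]*", re.IGNORECASE)

def find_ksoqing_links(mhtml_bytes):
    """Return (Content-Location, url) for each ksoqing: URL in an MHTML archive."""
    msg = email.message_from_bytes(mhtml_bytes)
    hits = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        # decode=True undoes quoted-printable/base64, so "=3D" escapes and
        # soft line breaks cannot hide the scheme from the regex.
        raw = part.get_payload(decode=True) or b""
        try:
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label in the part header
            text = raw.decode("utf-8", "replace")
        location = part.get("Content-Location", "<no Content-Location>")
        hits.extend((location, m.group(0)) for m in KSOQING_RE.finditer(text))
    return hits

# Constructed sample (not a real document): the link target is a placeholder
# and the scheme is split by a quoted-printable soft line break.
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="----=_demo"\r\n'
    b"\r\n"
    b"------=_demo\r\n"
    b"Content-Location: file:///C:/constructed/sheet001.htm\r\n"
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b'<html><body><a href=3D"ksoq=\r\n'
    b'ing://PLACEHOLDER"><img src=3D"image001.png"></a></body></html>\r\n'
    b"------=_demo\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"------=_demo--\r\n"
)

if __name__ == "__main__":
    for location, url in find_ksoqing_links(SAMPLE):
        print(f"{location}: {url}")
```

A plain byte search for `ksoqing:` misses the constructed sample because the transfer encoding splits the scheme across lines, which is why each part is decoded before matching.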

The second vulnerability, CVE-2024-7263, was discovered during the patch analysis for CVE-2024-7262. This vulnerability also involves code execution via the same plugin component but exploits a different logic flaw.

The flaw lies in the improper handling of command line arguments, allowing attackers to bypass checks and load malicious libraries without proper signature verification. This vulnerability highlights the importance of comprehensive patching to address all potential exploitation vectors.

WPS Office is widely used, with over 500 million active users globally, making it a lucrative target for cybercriminals. The vulnerabilities have been exploited in the wild, primarily affecting users in East Asia.

The exploitation of these vulnerabilities underscores the sophistication and persistence of APT-C-60 in targeting regional users.

Following the discovery, ESET coordinated with Kingsoft, the developers of WPS Office, to patch these vulnerabilities. Despite the initial silent patching of CVE-2024-7262, further analysis revealed that the patch was incomplete, leaving parts of the code still vulnerable.

Kingsoft has since acknowledged and addressed both vulnerabilities, urging users to update their software to the latest version to mitigate the risks associated with these exploits.

The use of zero-day vulnerabilities in WPS Office by APT-C-60 is a clear indication of the persistent dangers presented by advanced cyberespionage organizations.

Organizations and individuals using WPS Office are strongly advised to update their software promptly and remain vigilant against potential phishing attempts and suspicious documents.

The affected versions of WPS Office for Windows range from 12.2.0.13110, released around August 2023, until the release of the patch at the end of May 2024 with version 12.2.0.17119.
