APT Hackers Target Zero-Day Vulnerabilities in WPS Office

Unveiling the Threat: APT-C-60 Exploits Zero-Day Vulnerabilities in WPS Office

In the ever-evolving landscape of cybersecurity, the discovery of zero-day vulnerabilities often sends shockwaves through the tech community. Recently, ESET researchers uncovered two critical vulnerabilities in WPS Office for Windows, exploited by the advanced persistent threat (APT) group known as APT-C-60. This South Korea-aligned cyberespionage group has been actively targeting users in East Asian countries, leveraging these vulnerabilities to execute malicious code and deploy malware.

Understanding the Vulnerabilities

CVE-2024-7262: The Code Execution Flaw

The first vulnerability, identified as CVE-2024-7262, is a code execution flaw found in WPS Office’s plugin component, promecefpluginhost.exe. This vulnerability arises from a lack of proper sanitization of attacker-provided file paths and inadequate validation of the plugins being loaded.

Attackers can exploit this flaw to hijack the control flow of the application, enabling them to execute arbitrary code. The exploitation process typically involves crafting a malicious spreadsheet document. When this document is opened in WPS Office, it triggers the execution of a custom backdoor known as SpyGlace (also referred to as TaskControler.dll), which is used to deliver malware to the targeted systems.
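The root cause described above is a plugin loader that trusts an attacker-supplied file path. The following is an added illustration of the kind of path policy such a loader should enforce before it loads anything; it is example code written for this article, not Kingsoft's fix or ESET's analysis. The plugin directory `C:\Program Files\WPS Office\plugins`, the `.dll` requirement and the sample paths are all assumptions made for the example. It uses `ntpath` so the Windows path semantics can be checked lexically on any platform; signature verification of the file itself (which the article notes was also missing) is outside its scope.

```python
import ntpath
from typing import Dict

# Assumed plugin directory for the example; not the product's real install layout.
PLUGIN_ROOT = r"C:\Program Files\WPS Office\plugins"


def normalize(path: str) -> str:
    """Collapse '.', '..' and mixed separators the way Windows does, then
    lowercase so comparisons are case-insensitive like the NTFS default."""
    return ntpath.normcase(ntpath.normpath(path))


def is_allowed_plugin_path(candidate: str, root: str = PLUGIN_ROOT) -> bool:
    """Return True only when `candidate` is an absolute, local path to a .dll
    that lives underneath `root` after normalisation. Everything else
    (relative paths, UNC/remote shares, URLs, traversal, other extensions,
    the root directory itself) is rejected."""
    if not candidate or "\x00" in candidate:
        return False
    if "://" in candidate:                      # URL, never a plugin path
        return False
    drive, _ = ntpath.splitdrive(candidate)
    if drive.startswith(("\\\\", "//")):        # UNC / remote share, incl. \\?\UNC\
        return False
    if not ntpath.isabs(candidate):             # relative paths resolve against cwd
        return False
    norm = normalize(candidate)
    root_norm = normalize(root)
    # Trailing separator matters: "...\plugins_evil\x.dll" must not pass.
    if not norm.startswith(root_norm + "\\"):
        return False
    return norm.endswith(".dll")


def evaluate(candidates: Dict[str, str]) -> Dict[str, bool]:
    """Apply the policy to a labelled set of constructed sample paths."""
    return {label: is_allowed_plugin_path(p) for label, p in candidates.items()}


# Constructed sample inputs, one per case the policy is meant to catch.
SAMPLE_PATHS = {
    "legit":      r"C:\Program Files\WPS Office\plugins\sheet.dll",
    "traversal":  r"C:\Program Files\WPS Office\plugins\..\..\..\Users\Public\x.dll",
    "unc":        r"\\fileserver.example\share\x.dll",
    "url":        "https://example.invalid/x.dll",
    "relative":   r"plugins\sheet.dll",
    "sibling":    r"C:\Program Files\WPS Office\plugins_evil\x.dll",
    "not_a_dll":  r"C:\Program Files\WPS Office\plugins\x.exe",
    "root_only":  r"C:\Program Files\WPS Office\plugins",
}

if __name__ == "__main__":
    for label, verdict in evaluate(SAMPLE_PATHS).items():
        print(f"{label:10s} -> {'allow' if verdict else 'reject'}")
```

The check is deliberately lexical: it decides from the string alone, before touching the filesystem, so a path that points at a network share or a URL is refused without ever triggering a remote fetch.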

Attack Flow and Methodology

APT-C-60 employs a sophisticated attack method utilizing the MHTML file format, a multipart archive that can include HTML, CSS, and JavaScript files. This format allows attackers to embed hidden hyperlinks within documents. When a user interacts with such a hyperlink, WPS Office loads a library from a remote file path, which results in the attacker's code being executed.

The attackers exploit the ksoqing protocol handler registered by WPS Office to execute external applications via specially crafted URLs, making the attack both stealthy and effective.
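Because MHTML is ordinary MIME, a mail gateway or analyst can walk its parts and flag hyperlinks that use the custom `ksoqing` scheme the article mentions. The scanner below is an added example written for this article, not an ESET or Kingsoft detection; the constructed sample documents and the rule itself are assumptions, and the target after the scheme is a placeholder, not a real payload reference.

```python
import email
from email import policy
import re
from typing import Dict, List

# Custom URI scheme the article says WPS Office registers as a protocol handler.
# Flagging it in a document is a constructed triage rule, not a vendor signature.
SUSPICIOUS_SCHEMES = ("ksoqing",)
URI_RE = re.compile(
    r"\b(?:" + "|".join(map(re.escape, SUSPICIOUS_SCHEMES)) + r"):[^\s\"'<>]*",
    re.IGNORECASE,
)

# Constructed MHTML sample: one ordinary link plus one hidden link using the
# handler scheme. "PLACEHOLDER" stands in for whatever the real lure carried.
SAMPLE_MHTML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_demo_boundary"

------=_demo_boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<p><a href="https://intranet.example/q2-report">Q2 report</a></p>
<a href="ksoqing://PLACEHOLDER" style="display:none">.</a>
</body></html>
------=_demo_boundary--
"""

# Constructed benign sample with only a normal https link.
BENIGN_MHTML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_demo_boundary"

------=_demo_boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><a href="https://intranet.example/q2-report">Q2 report</a></body></html>
------=_demo_boundary--
"""


def scan_mhtml(raw: str) -> List[Dict[str, str]]:
    """Walk every MIME part of an MHTML document and report each hyperlink
    that uses a suspicious scheme. The email parser decodes base64 or
    quoted-printable parts, so an encoded link is still seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[Dict[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        try:
            body = part.get_content()
        except Exception:          # undecodable part: skip rather than crash the scan
            continue
        if isinstance(body, bytes):
            body = body.decode("utf-8", errors="replace")
        for m in URI_RE.finditer(body):
            findings.append({"content_type": part.get_content_type(), "uri": m.group(0)})
    return findings


def is_suspicious(raw: str) -> bool:
    """Quarantine-style verdict: any finding at all marks the document."""
    return bool(scan_mhtml(raw))


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_MHTML), ("benign", BENIGN_MHTML)):
        print(name, "->", scan_mhtml(doc))
```

Run over a quarantined attachment, the scanner reports the MIME part and the exact URI that matched, which is what an analyst needs to confirm the hit; the `display:none` styling in the sample is there only to show that hidden links are found just like visible ones.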

CVE-2024-7263: The Logic Flaw

The second vulnerability, CVE-2024-7263, was discovered during the patch analysis for CVE-2024-7262. This vulnerability also involves code execution via the same plugin component but exploits a different logic flaw. The issue lies in the improper handling of command line arguments, allowing attackers to bypass checks and load malicious libraries without proper signature verification.

This highlights the critical importance of comprehensive patching to address all potential exploitation vectors, as overlooking even minor flaws can lead to significant security breaches.

The Impact of WPS Office Vulnerabilities

WPS Office is widely used, boasting over 500 million active users globally, making it an attractive target for cybercriminals. The vulnerabilities have been actively exploited in the wild, primarily affecting users in East Asia. The exploitation of these vulnerabilities underscores the sophistication and persistence of APT-C-60 in targeting regional users.

Following the discovery of these vulnerabilities, ESET coordinated with Kingsoft, the developers of WPS Office, to patch the issues. However, despite the initial silent patching of CVE-2024-7262, further analysis revealed that the patch was incomplete, leaving parts of the code still vulnerable. Kingsoft has since acknowledged and addressed both vulnerabilities, urging users to update their software to the latest version to mitigate the risks associated with these exploits.

The Importance of Vigilance and Updates

The use of zero-day vulnerabilities in WPS Office by APT-C-60 serves as a stark reminder of the persistent dangers posed by advanced cyberespionage organizations. Organizations and individuals using WPS Office are strongly advised to update their software promptly and remain vigilant against potential phishing attempts and suspicious documents.

The affected versions of WPS Office for Windows run from 12.2.0.13110, released around August 2023, up to the patched release at the end of May 2024, version 12.2.0.17119.
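With the boundaries above, deciding whether an installed build still needs the update is a four-component version comparison. The snippet below is an added example for this article, not a Kingsoft tool; the inventory is constructed data, and how the version string is collected from each host (file version of the installed binary, software inventory, and so on) is left to the reader. Builds older than 12.2.0.13110 are simply outside the range the article states, so they are reported as "ok".

```python
from typing import Dict, Tuple

# Boundaries exactly as the article gives them for WPS Office for Windows.
FIRST_AFFECTED = "12.2.0.13110"   # earliest affected build (around August 2023)
FIXED_IN = "12.2.0.17119"         # first build carrying the fix (end of May 2024)


def parse_version(v: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '12.2.0.13110' into (12, 2, 0, 13110). Shorter strings are padded
    with zeros so '12.2' compares like '12.2.0.0'. Non-numeric input raises."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (width - len(nums))
    return tuple(nums)


def is_affected(installed: str) -> bool:
    """True when the build lies in [FIRST_AFFECTED, FIXED_IN): the fixed
    build itself and anything newer is not affected."""
    return parse_version(FIRST_AFFECTED) <= parse_version(installed) < parse_version(FIXED_IN)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host; an unparseable version is reported, not skipped."""
    result: Dict[str, str] = {}
    for host, ver in inventory.items():
        try:
            result[host] = "UPDATE REQUIRED" if is_affected(ver) else "ok"
        except ValueError:
            result[host] = "unknown version"
    return result


# Constructed inventory for the example; hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "ws-01": "12.2.0.13110",   # first affected build
    "ws-02": "12.2.0.16909",   # inside the range
    "ws-03": "12.2.0.17119",   # the fixed build
    "ws-04": "12.1.0.9999",    # older than the stated range
    "ws-05": "n/a",            # inventory gap
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```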

Conclusion

As the digital landscape continues to evolve, so too do the tactics employed by cybercriminals. The recent discovery of zero-day vulnerabilities in WPS Office highlights the critical need for organizations to prioritize cybersecurity measures, including regular software updates and employee training on recognizing phishing attempts. By staying informed and proactive, users can better protect themselves against the ever-present threat of cyberattacks.

In an age where information is power, safeguarding that information is paramount. The vigilance of cybersecurity researchers and the swift action of software developers are crucial in the ongoing battle against cyber threats.
