WPS Office Zero-Day Exploited by South Korean Spies

0
54
WPS Office Zero-Day Exploited by South Korean Spies
WPS Office Zero-Day Exploited by South Korean Spies

ESET reports that a new cyber-espionage campaign linked to a South Korean APT was started by installing a customized backdoor through a special remote code execution (RCE) vulnerability in WPS Office for Windows

According to ESET, a new cyber-espionage campaign associated with a South Korean APT was launched using a unique remote code execution (RCE) vulnerability in WPS Office for Windows to install a customized backdoor. The campaign, traced to the Seoul-aligned APT-C-60 group, was designed to target victims in East Asia and used the highly capable “SpyGlace” backdoor. The exploit was activated by convincing victims to click on a spreadsheet that appeared authentic. WPS Office has hundreds of millions of active users globally, with a large number of users in East Asia, according to ESET.

Because HTML allows files to be downloaded immediately upon opening, it supports RCE, according to ESET. “To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” said ESET researcher Romain Dumont. The document itself was an MHTML export of the more widely used XLS spreadsheet format, booby-trapped with a hidden hyperlink intended to trigger the execution of an arbitrary library if clicked while using the WPS Spreadsheet app.

The remote library is automatically downloaded and stored on disk when the spreadsheet document is opened with the WPS Spreadsheet application. The exploit’s creator included an image of the spreadsheet’s rows and columns to make it appear authentic. The malicious hyperlink was connected to the image so that clicking on a cell in the image would initiate the exploit, according to ESET. The zero-day bug in question (CVE-2024-7262) was silently patched by WPS Office developer Kingsoft, but the researchers found that it hadn’t completely resolved the issue and discovered a subsequent vulnerability (CVE-2024-7263) that could allow hackers to accomplish the same goals via improper input validation.

ESET claimed that Chinese-based DBAPPSecurity has independently published an analysis of the weaponized vulnerability and concluded that APT-C-60 exploited it to deliver malware to users in China. According to ESET, a new cybersecurity campaign associated with a South Korean APT was launched using a unique remote code execution (RCE) vulnerability in WPS Office for Windows to install a customized backdoor. The campaign, traced to the Seoul-aligned APT-C-60 group, was designed to target victims in East Asia and used the highly capable “SpyGlace” backdoor. The exploit was activated by convincing victims to click on a spreadsheet that appeared authentic. WPS Office has hundreds of millions of active users globally, with a large number of users in East Asia, according to ESET.

Because HTML allows files to be downloaded immediately upon opening, it supports RCE, according to ESET. “To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” said ESET researcher Romain Dumont. The document itself was an MHTML export of the more widely used XLS spreadsheet format, booby-trapped with a hidden hyperlink intended to trigger the execution of an arbitrary library if clicked while using the WPS Spreadsheet app.

The remote library is automatically downloaded and stored on disk when the spreadsheet document is opened with the WPS Spreadsheet application. The exploit’s creator included an image of the spreadsheet’s rows and columns to make it appear authentic. The malicious hyperlink was connected to the image so that clicking on a cell in the image would initiate the exploit, according to ESET. The zero-day bug in question (CVE-2024-7262) was silently patched by WPS Office developer Kingsoft, but the researchers found that it hadn’t completely resolved the issue and discovered a subsequent vulnerability (CVE-2024-7263) that could allow hackers to accomplish the same goals via improper input validation.

ESET claimed that Chinese-based DBAPPSecurity has independently published an analysis of the weaponized vulnerability and concluded that APT-C-60 exploited it to deliver malware to users in China.

Also readTop 3 Workforce Management Companies in India You Should Know

Do FollowCIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter 

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.