APT-C-60 Exploits Zero-Day Vulnerabilities in WPS Office to Install SpyGlace Backdoor

by | Aug 29, 2024 | News

APT-C-60 Exploits Zero-Day Vulnerabilities in WPS Office to Install SpyGlace Backdoor

Post Views: 167




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

The South Korea-aligned cyberespionage group, APT-C-60, has been actively exploiting a zero-day code execution vulnerability in WPS Office to install the SpyGlace backdoor on targets in East Asia. The productivity suite, developed by the Chinese firm Kingsoft, is highly popular in Asia and has over 500 million active users worldwide.

Key Details

  1. Zero-Day Vulnerability (CVE-2024-7262):

    • Discovered: Exploited in the wild since at least late February 2024.
    • Affected Versions: Versions from 12.2.0.13110 (August 2023) to 12.1.0.16412 (March 2024).
    • Patched: Silently patched by Kingsoft in March 2024 without informing customers.
    • Discovery: ESET discovered the campaign and published a detailed report.

  2. Second Severe Flaw (CVE-2024-7263):

    • Discovery: Found during investigation of APT-C-60 attacks.
    • Patched: Kingsoft patched this flaw in late May 2024 with version 12.2.0.17119.
    • Nature: Emerged as an incomplete patch of CVE-2024-7262, leaving some parameters like ‘CefPluginPathU8’ inadequately secured.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Exploit Details

  • Vulnerability Mechanism: CVE-2024-7262 involves improper validation and sanitization of custom protocol handlers, specifically ‘ksoqing://,’ allowing execution of external applications via crafted URLs within documents.
  • Attack Method: APT-C-60 embedded malicious hyperlinks in spreadsheet documents (MHTML files) hidden under decoy images. Clicking these images triggers the exploit, processing URL parameters that include a base64-encoded command.
  • Execution Flow:
    • Command executes a specific plugin (promecefpluginhost.exe).
    • Plugin loads a malicious DLL (ksojscore.dll) containing the attacker’s code.
    • DLL acts as a downloader for the final payload (TaskControler.dll), the SpyGlace backdoor.

APT-C-60's attack overviewAPT-C-60’s attack overview
Source: ESET

SpyGlace Backdoor

  • Previous Use: Analyzed by Threatbook; used by APT-C-60 in attacks on human resources and trade-related organizations.
  • Functionality: SpyGlace enables remote access and control, allowing data exfiltration and further compromise of the infected systems.

Trending: How Companies Risk Security for Compliance Comfort in Pentesting




Trending: Digital Forensics Tool: Horus

Bad Patch Vulnerability (CVE-2024-7263)

  • Nature: Incomplete patch of CVE-2024-7262.
  • Mechanism: Added validation missed some parameters, allowing continued exploitation.
  • Exploit Potential: Can be exploited locally or through a network share to host malicious DLLs.

Recommendations

  • Update WPS Office: Users are urged to update to the latest release, or at least version 12.2.0.17119, to address both CVE-2024-7262 and CVE-2024-7263.
  • Awareness and Caution: Users should be cautious about opening documents from unknown sources, especially those with embedded images or links.

Trending: Hackers Leak 2.7 Billion Records: Social Security Numbers and Addresses Compromised

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This