ESET Uncovers Two Critical Code Execution Vulnerabilities in WPS Office, Exploited by APT-C-60

South Korea-aligned cyberespionage group APT-C-60 exploited one of these vulnerabilities, CVE-2024-7262, to target individuals in East Asian countries; the second, CVE-2024-7263, surfaced when ESET analyzed the vendor's patch. ESET's research documents how the exploit works.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)

Introduction

On August 28, 2024, ESET researchers published a detailed analysis of two arbitrary code execution vulnerabilities in WPS Office for Windows, CVE-2024-7262 and CVE-2024-7263. The first was exploited in the wild by APT-C-60, a South Korea-aligned cyberespionage group, against individuals in East Asian countries; the second was found while analyzing the vendor's patch for the first. Both have since been fixed, but CVE-2024-7262 was in active use before a patch existed.

Report Overview

The discovery began while ESET was investigating APT-C-60's activity. The group, known for targeting East Asian countries, had weaponized a code execution vulnerability in WPS Office, CVE-2024-7262. The initial clue was a suspicious spreadsheet document linked to one of APT-C-60's downloader components; analyzing it led to the vulnerability, which DBAPPSecurity independently confirmed was being actively exploited.

CVE-2024-7262: The flaw stems from improper validation of a file path handed to a WPS Office plugin. The exploit is a spreadsheet in MHTML format containing a hidden hyperlink. When the victim clicks it, the link invokes WPS Office's custom ksoqing:// URL protocol handler, which passes attacker-controlled parameters to the plugin and causes it to load an attacker-supplied library. One click is therefore enough to execute arbitrary code on the victim's system.

APT-C-60 used the exploit to deliver its custom backdoor, SpyGlace, and gain persistent access to the compromised systems. The MHTML format was chosen deliberately: it let the exploit download the malicious component and store it on the target's disk as part of opening the document, so the hyperlink's parameters could point at a file already present and no separate dropper stage was needed.
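To make the file-level traits described above concrete, here is an added triage script (not from ESET's report or from Kingsoft) that checks whether a file delivered as a spreadsheet is really an MHTML container, extracts any hyperlink using the ksoqing:// scheme together with the parameters it carries, and lists the remote resources the document would fetch when opened. The sample document, its paths, host names and option names are constructed for the demonstration and do not reproduce the real exploit.

```python
# Added example (not from ESET or Kingsoft): triage a file that arrived as a
# "spreadsheet" and report the traits of the exploit described above: an MHTML
# (MIME multipart) container, a hyperlink using WPS Office's ksoqing:// scheme,
# and remote resources the document would fetch when opened.
import email
import email.policy
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

KSOQING_RE = re.compile(r"ksoqing://[^\s\"'<>]+", re.IGNORECASE)
REMOTE_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Extensions under which a spreadsheet would normally arrive (assumption: .et is
# WPS Spreadsheets' native format; adjust the list to your environment).
SPREADSHEET_EXTS = (".xls", ".xlsx", ".xlsm", ".et", ".csv")


@dataclass
class Findings:
    is_mhtml: bool
    ksoqing_links: list = field(default_factory=list)
    remote_resources: list = field(default_factory=list)


def is_mhtml(data: bytes) -> bool:
    """MHTML starts with RFC 822 headers; a real .xls is OLE2 and a real .xlsx is a ZIP."""
    head = data[:4096].lower()
    return b"mime-version:" in head and b"multipart/related" in head


def describe_ksoqing(url: str) -> dict:
    """Split a ksoqing:// URL into its host part, decoded path and the cmdline=
    query values, which is where attacker-controlled parameters live."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "url": url,
        "kind": parts.netloc,                 # "file" in the constructed sample
        "path": unquote(parts.path).lstrip("/"),
        "cmdline": query.get("cmdline", []),  # parse_qs already percent-decodes
    }


def analyze(data: bytes) -> Findings:
    findings = Findings(is_mhtml=is_mhtml(data))
    if not findings.is_mhtml:
        return findings
    msg = email.message_from_bytes(data, policy=email.policy.default)
    seen = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_payload(decode=True) undoes quoted-printable / base64 for us.
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("utf-8", "replace")
        location = str(part.get("Content-Location", ""))
        candidates = REMOTE_RE.findall(text)
        if location.lower().startswith(("http://", "https://")):
            candidates.append(location)
        for url in candidates:
            if url not in seen:
                seen.add(url)
                findings.remote_resources.append(url)
        for url in KSOQING_RE.findall(text):
            findings.ksoqing_links.append(describe_ksoqing(url))
    return findings


def verdict(filename: str, data: bytes) -> list:
    """Reasons to treat the file as suspicious; an empty list means nothing was found."""
    reasons = []
    f = analyze(data)
    if f.is_mhtml and filename.lower().endswith(SPREADSHEET_EXTS):
        reasons.append("spreadsheet extension but MHTML (MIME multipart) content")
    for link in f.ksoqing_links:
        reasons.append(f"ksoqing:// hyperlink -> {link['path']} cmdline={link['cmdline']}")
    if f.is_mhtml and f.remote_resources:
        reasons.append(f"{len(f.remote_resources)} remote resource(s) fetched on open")
    return reasons


# Constructed sample, not the real exploit: an MHTML body whose hyperlink hides
# behind a 1x1 image. Paths, host names and option names are placeholders.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part_01"

------=_Part_01
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/sheet.htm

<html><body><a href=3D"ksoqing://file/C:/Example/host.exe?cmdline=3D--lib=3DC:%5Ccache%5Cpayload.dll">
<img src=3D"http://example.invalid/pixel.png" width=3D"1" height=3D"1"></a></body></html>

------=_Part_01
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://example.invalid/pixel.png

iVBORw0KGgo=

------=_Part_01--
"""

if __name__ == "__main__":
    for reason in verdict("quarterly_figures.xls", SAMPLE_MHT):
        print("SUSPICIOUS:", reason)
```

Run it over a quarantined attachment by reading the file into bytes and calling verdict() with its original filename; any ksoqing:// hyperlink in a document that arrived from outside the organization deserves an analyst's attention regardless of what the cmdline value points at.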

CVE-2024-7263: While analyzing Kingsoft's patch for CVE-2024-7262, ESET researchers found a second vulnerability in the same WPS Office plugin. The patch validated only part of the attacker-controllable input: by manipulating other command-line parameters, an attacker could still hijack the plugin's control flow and execute arbitrary code. It is a textbook incomplete fix, closing the vector seen in the exploit while leaving the underlying issue, and other ways to reach it, in place.
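The incomplete-fix pattern generalizes beyond this case, so here is an added illustration (not Kingsoft's code; the option names, directory and file names are hypothetical): a toy host process accepts --option=value arguments, some of which name a library to load. weak_check mirrors a fix that validates only the parameter seen in the exploit; strong_check validates every path-carrying parameter against the trusted directory and rejects parameters it does not know.

```python
# Added illustration, not Kingsoft's code: a toy model of a host process that
# takes --option=value arguments, some of which name a library to load. The
# option names and the trusted directory are hypothetical.
import ntpath

TRUSTED_DIR = r"C:\Program Files\ExampleOffice"      # hypothetical install dir
LIBRARY_OPTIONS = ("--service-lib", "--plugin-lib")   # hypothetical: values are DLL paths
HARMLESS_OPTIONS = ("--verbose",)                     # hypothetical: non-path flags


def parse_args(argv):
    """Turn ['--name=value', '--flag'] into {'--name': 'value', '--flag': ''}."""
    opts = {}
    for token in argv:
        name, _, value = token.partition("=")
        opts[name] = value
    return opts


def path_within(candidate: str, base: str) -> bool:
    """Containment test done with ntpath so it behaves like Windows on any host:
    requires an absolute path, collapses '..' segments, compares case-insensitively
    and insists on a separator after the base so 'ExampleOffice2' is not accepted."""
    if not ntpath.isabs(candidate):
        return False
    c = ntpath.normcase(ntpath.normpath(candidate))
    b = ntpath.normcase(ntpath.normpath(base))
    return c == b or c.startswith(b + "\\")


def weak_check(argv) -> bool:
    """Shape of an incomplete fix: only the option seen in the exploit is validated."""
    lib = parse_args(argv).get("--service-lib")
    return lib is None or path_within(lib, TRUSTED_DIR)


def strong_check(argv) -> bool:
    """Every library-valued option must stay inside the trusted directory, and any
    option the host does not know is rejected, so a second path-taking option
    cannot slip through."""
    for name, value in parse_args(argv).items():
        if name in LIBRARY_OPTIONS:
            if not path_within(value, TRUSTED_DIR):
                return False
        elif name not in HARMLESS_OPTIONS:
            return False
    return True


# Constructed command lines exercising the checks (all paths are placeholders).
CASES = {
    "legitimate": [r"--service-lib=C:\Program Files\ExampleOffice\svc.dll", "--verbose"],
    "user_writable": [r"--service-lib=C:\Users\victim\AppData\Local\cache\payload.dll"],
    "traversal": [r"--service-lib=C:\Program Files\ExampleOffice\..\..\Users\victim\payload.dll"],
    "sibling_dir": [r"--service-lib=C:\Program Files\ExampleOffice2\evil.dll"],
    "second_option": [r"--plugin-lib=C:\Users\victim\AppData\Local\cache\payload.dll"],
}

if __name__ == "__main__":
    for label, argv in CASES.items():
        print(f"{label:14s} weak={weak_check(argv)!s:5s} strong={strong_check(argv)}")
```

The second_option case is the one that matters: it passes weak_check because that check never looks at the other path-taking parameter, and fails strong_check. A containment test of this kind also stops traversal and sibling-directory tricks, but not junctions, symbolic links or files an attacker can write inside the trusted directory; the durable fix is not to accept library paths from an externally reachable URL handler at all.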

Exploitation of either vulnerability is a significant threat to WPS Office users, particularly in East Asia, where the suite is widely deployed; Kingsoft claims more than 500 million active users worldwide. Successful exploitation gives the attacker code execution on the victim's machine with the privileges of the user who opened the document, enough for data theft, espionage and the deployment of further malware.

Insights and Analysis

ESET's coordinated disclosure with Kingsoft, the developer of WPS Office, exposed a lack of transparency on the vendor's side. Kingsoft was slow to respond to the reports and shipped the fixes silently, without an advisory or any public communication, so users had no way of knowing that the update closed an actively exploited hole.

WPS Office users should update to the latest version without delay. Organizations should additionally hunt for the indicators listed below and treat two things as suspicious in endpoint and mail telemetry: documents with a spreadsheet extension whose content is MHTML, and invocations of the ksoqing:// protocol handler originating from a document.

Indicators of Compromise (IOCs)

Network indicators are defanged ([.] stands for a dot).

Indicator                                | Type   | Description
7509B4C506C01627C1A4C396161D07277F044AC6 | SHA-1  | MHTML-formatted WPS Spreadsheet exploit for CVE-2024-7262
08906644B0EF1EE6478C45A6E0DD28533A9EFC29 | SHA-1  | Downloader component associated with the attack
162.222.214[.]48                         | IP     | Command and Control (C&C) server hosting the next stages of the attack
131.153.206[.]231                        | IP     | Command and Control (C&C) server hosting the next stages of the attack
rammenale[.]com                          | Domain | Domain used by APT-C-60 for Command and Control (C&C)
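As an added example (not from the ESET report), the following script refangs the indicators in the table and sweeps them across constructed proxy and DNS log lines, with boundaries chosen so that an IP does not match inside a longer dotted number and the domain matches with subdomains and a trailing DNS root dot; it also looks a file's SHA-1 up against the two published hashes. The log lines and file content are made up; only the indicator values come from the table.

```python
# Added example, not from the ESET report: refang the published indicators and
# sweep constructed telemetry for them. IOC values are copied from the table
# above; the log lines and file contents are made up for the demonstration.
import hashlib
import re

IOCS_SHA1 = {
    "7509B4C506C01627C1A4C396161D07277F044AC6": "MHTML-formatted WPS Spreadsheet exploit (CVE-2024-7262)",
    "08906644B0EF1EE6478C45A6E0DD28533A9EFC29": "downloader component",
}
IOCS_IP = ["162.222.214[.]48", "131.153.206[.]231"]
IOCS_DOMAIN = ["rammenale[.]com"]


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions ([.], [:], hxxp) before matching."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def compile_patterns():
    """IPs must not match inside a longer dotted number (162.222.214.481 is not a
    hit); domains match as whole labels, including subdomains and a trailing
    root dot as written in DNS logs."""
    pats = []
    for ip in IOCS_IP:
        pats.append((ip, re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])")))
    for dom in IOCS_DOMAIN:
        pats.append((dom, re.compile(r"(?<![\w-])" + re.escape(refang(dom)) + r"\.?(?![\w.-])",
                                     re.IGNORECASE)))
    return pats


def sweep_logs(lines):
    """Return (line_number, indicator, line) for every line touching a network IOC."""
    hits = []
    patterns = compile_patterns()
    for n, line in enumerate(lines, 1):
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((n, ioc, line))
    return hits


def match_hash(data: bytes):
    """Look a file's SHA-1 up against the published hashes; None if unknown."""
    return IOCS_SHA1.get(hashlib.sha1(data).hexdigest().upper())


# Constructed log lines: 1, 2 and 5 should fire; 3 is a boundary test, 4 is noise.
SAMPLE_LOGS = [
    "2024-08-01T10:00:01Z proxy src=10.0.0.5 dst=162.222.214.48:443 GET /next",
    "2024-08-01T10:00:02Z dns src=10.0.0.5 q=rammenale.com. type=A",
    "2024-08-01T10:00:03Z proxy src=10.0.0.7 dst=162.222.214.481:80 GET /",
    "2024-08-01T10:00:04Z dns src=10.0.0.8 q=www.example.com. type=A",
    "2024-08-01T10:00:05Z dns src=10.0.0.9 q=cdn.rammenale.com. type=A",
]

if __name__ == "__main__":
    for n, ioc, line in sweep_logs(SAMPLE_LOGS):
        print(f"line {n}: {ioc} -> {line}")
    print(match_hash(b"constructed content, not the real sample"))
```

Feed sweep_logs() a file object or a list of lines from your proxy and resolver exports; match_hash() takes file bytes. The hashes only identify the exact samples ESET analyzed, so treat the network indicators and the ksoqing:// behaviour as the more durable signals.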

MITRE ATT&CK Techniques

Tactic               | Technique                           | ID        | Description
Resource Development | Acquire Infrastructure: Domains     | T1583.001 | APT-C-60 acquired a domain name for its C&C server.
Resource Development | Acquire Infrastructure: Server      | T1583.004 | APT-C-60 acquired a server for its C&C.
Resource Development | Stage Capabilities: Upload Malware  | T1608.001 | APT-C-60's next stages were uploaded to its C&C server.
Resource Development | Develop Capabilities: Exploits      | T1587.004 | APT-C-60 developed or purchased an exploit for CVE-2024-7262.
Execution            | Exploitation for Client Execution   | T1203     | APT-C-60 exploited CVE-2024-7262 to achieve execution.
Execution            | User Execution: Malicious Link      | T1204.001 | The exploit requires the victim to click a hyperlink.

References

ESET Research, "Analysis of two arbitrary code execution vulnerabilities affecting WPS Office", WeLiveSecurity, August 28, 2024. ESET research uncovers a vulnerability in WPS Office for Windows (CVE-2024-7262), as it was being exploited by South Korea-aligned cyberespionage group APT-C-60 to target East Asian countries. Analysis of the vendor's silently released patch led to the discovery of another vulnerability (CVE-2024-7263).
NVD, CVE-2024-7262: https://nvd.nist.gov/vuln/detail/CVE-2024-7262
NVD, CVE-2024-7263: https://nvd.nist.gov/vuln/detail/CVE-2024-7263