
Security researchers from ESET have identified two vulnerabilities in WPS Office for Windows, one of which was exploited in the wild by APT-C-60, a South Korea-aligned cyberespionage group.
APT-C-60, known for its focus on East Asian targets, used the flaw to infiltrate systems and deploy malware, with observed targets in China.
The vulnerabilities, tracked as CVE-2024-7262 and CVE-2024-7263, allow arbitrary code execution and put WPS Office's large user base, concentrated in East Asia, at risk.
ESET identified the exploitation of CVE-2024-7262 while investigating APT-C-60's activities: a suspicious spreadsheet document was found alongside the group's downloader components. Further analysis showed that APT-C-60 was exploiting the vulnerability in the wild, using WPS Office to deploy a custom backdoor that ESET internally names SpyGlace and that has been publicly documented as TaskControler.dll.
The flaw stems from inadequate sanitization of a file path passed to the WPS Office plugin component promecefpluginhost.exe. By exploiting it, an attacker can hijack the program's control flow and execute arbitrary code when a user interacts with a seemingly innocuous spreadsheet. The malicious documents, disguised as ordinary MHTML exports of Excel files, contain a hidden hyperlink; a single click on it is enough to trigger code execution.
During the in-depth analysis of the faulty code, ESET researchers uncovered a related vulnerability, CVE-2024-7263, which also lets an attacker hijack the control flow of promecefpluginhost.exe, this time through a logic bug that permits loading a malicious library from a network share.
Both vulnerabilities have since been patched. ESET strongly advises all WPS Office users to update to the latest version immediately, and to confirm that the installed build addresses both CVEs rather than only the first.
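The two paragraphs above describe the lure: an MHTML export of a spreadsheet carrying a hidden hyperlink whose target makes promecefpluginhost.exe load a library, in one variant from a network share. The following is an added triage script for this article, not ESET's tooling and not derived from the actual APT-C-60 documents (the article does not give the exploit URL). It parses an .mht file as the MIME container it is, pulls every hyperlink out of the HTML part, and flags targets that use a non-web URL scheme, point at a network share, name a .dll, or have no visible link text. The embedded sample document and the heuristics are constructed for the demonstration.

```python
"""Triage an MHTML (.mht) spreadsheet export for suspicious hyperlinks.

Added example for this article, not ESET's tooling, and not derived from the
real APT-C-60 documents. The heuristics are generic: a link target that uses a
non-web URL scheme, points at a network share, names a .dll, or has no visible
link text is worth a closer look.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https", "mailto"}

# Constructed sample (not a real malicious document): a minimal MHTML export
# with one benign link, one hidden link to a DLL on a share, and one link that
# hands a DLL path to a (hypothetical) custom URL handler.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Boundary"

------=_Boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><table>
<tr><td><a href="https://example.com/report">Q3 report</a></td></tr>
<tr><td><a href="file://fileshare.example/share/plugin.dll"></a></td></tr>
<tr><td><a href="someapp://open?path=C:\\Users\\Public\\x.dll">link</a></td></tr>
</table></body></html>

------=_Boundary--
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def html_parts(mhtml: bytes):
    """Yield the decoded text of every text/html part in an MHTML container."""
    msg = email.message_from_bytes(mhtml, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def looks_like_network_share(href: str) -> bool:
    """True for UNC-style targets (leading double backslash or //host/share)
    and for file:// URLs that name a remote host."""
    if href.startswith("\\\\") or href.startswith("//"):
        return True
    parts = urlsplit(href)
    return parts.scheme == "file" and parts.netloc not in ("", "localhost")


def classify_link(href: str, text: str) -> list:
    """Return the reasons a hyperlink is suspicious (empty list if none)."""
    reasons = []
    scheme = urlsplit(href).scheme.lower()
    if scheme and scheme not in WEB_SCHEMES:
        reasons.append(f"non-web scheme '{scheme}'")
    if looks_like_network_share(href):
        reasons.append("network share path")
    if ".dll" in href.lower():
        reasons.append("references a .dll")
    if not text.strip():
        reasons.append("empty link text (hidden link)")
    return reasons


def triage_mhtml(mhtml: bytes) -> list:
    """List every suspicious hyperlink in the document with its reasons."""
    findings = []
    for html in html_parts(mhtml):
        collector = _LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            reasons = classify_link(href, text)
            if reasons:
                findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_mhtml(SAMPLE_MHTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run it against a real .mht by reading the file in binary mode and passing the bytes to `triage_mhtml`. The empty-link-text rule is a weak signal on its own (exports often contain image links), so treat it as a reason to look at the target, not as a verdict; a DLL or UNC target inside a spreadsheet export is the strong signal here.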
Indicators of Compromise
- 7509B4C506C01627C1A4
- C396161D07277F044AC6
- 08906644B0EF1EE6478C
- 45A6E0DD28533A9EFC29
- 162.222.214[.]48
- 131.153.206[.]231
MITRE ATT&CK techniques
- T1583.001 Acquire Infrastructure: Domains
- T1583.004 Acquire Infrastructure: Server
- T1608.001 Stage Capabilities: Upload Malware
- T1587.004 Develop Capabilities: Exploits
- T1203 Exploitation for Client Execution
- T1204.001 User Execution: Malicious Link