
WPS Office zero-day exploited to deploy SpyGlace backdoor



APT-C-60, a South Korea-aligned cyberespionage group, weaponised a zero-day code execution vulnerability in WPS Office to deliver the SpyGlace backdoor to targets in East Asian countries. After a coordinated disclosure process, Kingsoft patched the issue silently, without any public notice.

Tracked as CVE-2024-7262, the zero-day has been actively exploited in the wild since at least the end of February 2024. It affects the Windows versions of WPS Office from 12.2.0.13110 (August 2023) to 12.1.0.16412 (March 2024). During its investigation, ESET published an analysis of the flaw and of a second critical vulnerability, tracked as CVE-2024-7263.

Kingsoft patched CVE-2024-7263 in May 2024 with version 12.2.0.17119. The root cause of CVE-2024-7262 lies in how the software handles custom protocol handlers, specifically ‘ksoqing://’, which enables the execution of external applications via specially crafted URLs embedded in documents.

Improper validation and sanitisation of these URLs let adversaries craft malicious hyperlinks that result in arbitrary code execution. The parameters of the processed URL include a base64-encoded command that runs a plugin (promecefpluginhost.exe), which in turn tries to load a malicious DLL (ksojscore.dll) containing the attacker’s code.

This malicious DLL is APT-C-60’s downloader component, built to fetch the final payload (TaskController.dll), a custom backdoor dubbed SpyGlace, from the threat group’s server.
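As an added defensive example (not ESET's or Kingsoft's code), a small triage scanner that flags ksoqing:// hyperlinks in an exported document and reports whether any base64-encoded query value names the two artefacts above. The parameter name `cmd`, the host `plugin` and the sample document are constructed assumptions, since the article does not give the URL's exact layout.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Artefact names taken from the article. The real parameter layout of the
# ksoqing:// URL is not documented there, so every query value is inspected.
SUSPICIOUS_SCHEME = "ksoqing"
SUSPICIOUS_NAMES = ("promecefpluginhost.exe", "ksojscore.dll")

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def decode_if_base64(value):
    """Return lower-cased text of a base64 (standard or URL-safe) value, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # Drop NUL bytes so a UTF-16 encoded command is still searchable.
    return raw.replace(b"\x00", b"").decode("utf-8", "replace").lower()


def scan_links(document_text):
    """Flag every ksoqing:// hyperlink and list which known artefacts it references."""
    findings = []
    for href in HREF_RE.findall(document_text):
        parts = urlsplit(href)
        if parts.scheme.lower() != SUSPICIOUS_SCHEME:
            continue
        indicators = set()
        for pair in parts.query.split("&"):
            _, _, value = pair.partition("=")
            value = unquote(value)  # keeps '+' intact, unlike parse_qsl
            candidates = (value.lower(), decode_if_base64(value) or "")
            indicators.update(n for n in SUSPICIOUS_NAMES if any(n in c for c in candidates))
        findings.append({"href": href, "indicators": sorted(indicators)})
    return findings


# Constructed sample: one benign link and one ksoqing:// link whose base64
# parameter merely names the plugin host (a placeholder, not the real format).
SAMPLE_MARKER = base64.b64encode(b"promecefpluginhost.exe").decode()
SAMPLE_DOCUMENT = (
    "<html><body>\n"
    '<a href="https://example.com/q2.xlsx">Quarterly figures</a>\n'
    f'<a href="ksoqing://plugin?cmd={SAMPLE_MARKER}">Open sheet</a>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    for finding in scan_links(SAMPLE_DOCUMENT):
        print(finding)
```

Any ksoqing:// link is reported even when no artefact name is recognised, since the scheme itself is the unusual thing to find inside a spreadsheet.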

APT-C-60 used the SpyGlace backdoor to attack human resources and trade-related organisations. The second flaw, CVE-2024-7263, arose from an incomplete patch for CVE-2024-7262. Kingsoft had silently introduced that patch in version 12.1.0.16412 to mitigate CVE-2024-7262 by adding checks to the ‘promecefpluginhost.exe’ and ‘ksojscore.dll’ components to validate ‘JSCefServicePath’, the attacker-controlled variable. However, the patch did not cover a similar variable (CefPluginPathU8). ESET did not observe the second flaw being exploited in the wild.

It is vital for WPS Office users to update to the latest version, or at least to version 12.2.0.17119, to mitigate both code execution issues. The exploit is both reliable and effective, and relies on deception to trick users into clicking on a spreadsheet that appears legitimate. The MHTML file format allowed the threat actors to turn a local code execution flaw into a remote one.


Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
