South Korean Spies Exploit WPS Office Zero-Day

ESET has revealed a new cyber-espionage campaign linked to a South Korean APT in which a novel remote code execution (RCE) vulnerability in WPS Office for Windows was exploited to deploy a custom backdoor.

Traced to the Seoul-aligned APT-C-60 group, the campaign targeted victims in East Asia with the “SpyGlace” backdoor, which is loaded with cyber-espionage capabilities.

Victims were persuaded to click on a legitimate-looking WPS Office for Windows spreadsheet, triggering the exploit. WPS Office has hundreds of millions of active users worldwide, especially in East Asia, ESET said.

The document itself was an MHTML export of the more common XLS spreadsheet format, booby-trapped with a hidden hyperlink designed to trigger the execution of an arbitrary library if clicked while using the WPS Spreadsheet app.

Read more on WPS Office threats: China-Aligned APT Group Blackwood Unleashes NSPX30 Implant

MHTML allows a file to be downloaded as soon as the document is opened, thus supporting RCE, ESET explained.

“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explained ESET researcher Romain Dumont.

“When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk.”

Whomever developed the exploit embedded a picture of the spreadsheet’s rows and columns to make it appear legitimate. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit, ESET said.

The zero-day bug in question (CVE-2024-7262) was silently patched by WPS Office developer Kingsoft, according to ESET. However, the researchers discovered that it hadn’t fully remediated the issue, and found a subsequent vulnerability (CVE-2024-7263) which could enable hackers to achieve the same ends via improper input validation.

ESET claimed that Chinese-based DBAPPSecurity has independently published an analysis of the weaponized vulnerability and concluded that APT-C-60 exploited it to deliver malware to users in China.

Image credit: rafapress / Shutterstock.com