South Korean Hackers Exploit WPS Office Zero-Day to Deploy Malware

Cybersecurity has always been a cat-and-mouse game, with threat actors constantly evolving their methods to exploit vulnerabilities before they are patched. Recently, the spotlight has fallen on a sophisticated attack orchestrated by a South Korean cyberespionage group, known as APT-C-60. This group has exploited a zero-day vulnerability in the widely-used WPS Office, a productivity suite developed by the Chinese firm Kingsoft, which enjoys immense popularity, especially in Asia. The attack has raised concerns about the security of software millions rely on every day.


WPS Office and the Widespread Vulnerability

WPS Office isn't just another productivity tool; it's a significant player in the software market with over 500 million active users globally. It's particularly popular in East Asia, making it an attractive target for cybercriminals. The specific zero-day flaw, tracked as CVE-2024-7262, has been exploited in the wild since late February 2024. It affects WPS Office versions from 12.2.0.13110 (released in August 2023) to 12.1.0.16412 (March 2024).

However, instead of alerting users to the potential dangers, Kingsoft "silently" patched the vulnerability in March 2024. Unfortunately, this lack of transparency has left users at risk, prompting cybersecurity firm ESET, which discovered the ongoing campaign and the underlying vulnerability, to release a comprehensive report to inform and protect users. For those concerned about the security of their systems, especially when dealing with sensitive documents, investing in reliable antiviruses is essential.


The Exploitation by APT-C-60

APT-C-60, the cyberespionage group behind this attack, has cleverly exploited the CVE-2024-7262 flaw, which lies in the way WPS Office handles custom protocol handlers, particularly the 'ksoqing://' protocol. This protocol is designed to execute external applications via specially crafted URLs embedded within documents. Due to insufficient validation and sanitization of these URLs, attackers can create malicious hyperlinks that lead to arbitrary code execution on the victim's device.

The method used by APT-C-60 is as cunning as it is effective. They created spreadsheet documents saved as MHTML files, embedding the malicious hyperlink beneath a decoy image. When the victim clicks on the image, thinking it harmless, the exploit is triggered. The URL parameters processed by the handler include a base64-encoded command that executes a specific plugin, 'promecefpluginhost.exe'. This plugin then attempts to load a malicious DLL file, 'ksojscore.dll', containing the attacker's code.

This DLL serves as APT-C-60's downloader component, designed to fetch the final payload from the attacker's server. The payload, known as 'SpyGlace,' is a custom backdoor previously analyzed by Threatbook. SpyGlace has been used in attacks targeting human resources and trade-related organizations, making it a potent tool in the hands of these cybercriminals. Ensuring your system is protected against such backdoors is crucial, and antiviruses can offer a robust defense.
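As an added illustration, not ESET's tooling or code from the original write-up, the following defender-side triage script pulls ksoqing:// hyperlinks out of document text, base64-decodes any query parameter values, and flags the components named above (the plugin host, the CefPluginPathU8 parameter, a DLL path, a UNC share). The query parameter names and the sample link are constructed and hypothetical; the real exploit URL is not reproduced.

```python
"""Scan document text for suspicious ksoqing:// hyperlinks (defender-side triage).
Added example, not ESET's or Kingsoft's code. Parameter names and the layout of
the constructed sample link are hypothetical. The checks key on what the write-up
describes: the ksoqing:// scheme, base64-encoded command data in the URL, the
promecefpluginhost.exe plugin host, CefPluginPathU8, and a DLL path (local or UNC).
"""
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hyperlinks inside an MHTML part are plain text, so a regex pulls them out.
KSOQING_RE = re.compile(r"ksoqing://[^\s\"'<>]+", re.IGNORECASE)
INDICATORS = ("promecefpluginhost.exe", "cefpluginpathu8", ".dll", "\\\\")

def _try_b64(value: str) -> Optional[str]:
    """Decode value as base64 text, or return None if it is not base64."""
    value = value.replace(" ", "+")  # parse_qs turns '+' into spaces; undo that
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def scan_link(url: str) -> list:
    """Return the sorted indicator hits found in one hyperlink (empty if clean)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ksoqing":
        return []
    # Inspect the raw path/query plus every parameter value that decodes as base64.
    candidates = [unquote(parts.path), unquote(parts.query)]
    for values in parse_qs(parts.query).values():
        candidates.extend(d for d in map(_try_b64, values) if d is not None)
    hits = {ind for text in candidates for ind in INDICATORS if ind in text.lower()}
    return sorted(hits)

def scan_document(text: str) -> dict:
    """Map every ksoqing:// hyperlink in a document body to its indicator hits."""
    return {m.group(0): scan_link(m.group(0)) for m in KSOQING_RE.finditer(text)}

# Constructed sample: fragment of a spreadsheet MHTML part with a benign link and
# a link carrying a base64 "command" that names the plugin host and a UNC DLL path.
_SUSPICIOUS_CMD = base64.b64encode(
    b"promecefpluginhost.exe CefPluginPathU8=\\\\share\\ksojscore.dll").decode()
SAMPLE_MHTML = (
    "Content-Type: text/html\r\n\r\n"
    '<a href="ksoqing://open?doc=Q1.xlsx">Quarterly figures</a>\r\n'
    f'<a href="ksoqing://run?cmd={_SUSPICIOUS_CMD}"><img src="chart.png"></a>\r\n'
)
```

Running `scan_document(SAMPLE_MHTML)` reports no hits for the first link and all four indicators for the second; an https:// link carrying the same payload is ignored because only the ksoqing:// handler is in scope.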


Kingsoft's Incomplete Patch: A Bad Fix That Left Users Vulnerable

During their investigation into APT-C-60's activities, ESET's researchers uncovered a second severe vulnerability, CVE-2024-7263. This flaw was a direct result of Kingsoft's inadequate patching of CVE-2024-7262. Instead of completely addressing the issue, Kingsoft's initial fix added validation to specific parameters but failed to secure others, such as 'CefPluginPathU8.' This oversight allowed attackers to continue exploiting the vulnerability by directing 'promecefpluginhost.exe' to load malicious DLLs.

This second flaw can be exploited locally or via a network share where the malicious DLL could be hosted, adding another layer of risk for users. While ESET did not observe any active exploitation of CVE-2024-7263 by APT-C-60 or other threat actors, the potential for future attacks remains high. Cybercriminals are always looking for gaps in security, and given enough time, they might have discovered and exploited this oversight. Users of WPS Office are strongly advised to update to the latest version, specifically 12.2.0.17119, to protect against these vulnerabilities. In addition to updating software, using reliable antiviruses is highly recommended to further safeguard against such threats.
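An added example, not Kingsoft's code, modelling the incomplete-fix pattern described above: one check validates a single parameter the way the first patch did, the other validates every parameter, including CefPluginPathU8, which must resolve to an absolute local path inside the install directory. The parameter name 'cmd', the command allow-list and the install directory are assumptions.

```python
"""Model of the incomplete-fix pattern behind CVE-2024-7263.
Added example, not Kingsoft's code. Parameter names other than CefPluginPathU8,
the allowed-command list and the install directory are assumptions. It contrasts
a check that validates only one parameter with one that validates every parameter,
including the DLL path handed to the plugin host.
"""
import ntpath
from typing import Callable, Dict

INSTALL_DIR = r"C:\Program Files\WPS Office"  # assumed install root
ALLOWED_CMDS = {"open", "print"}              # assumed allow-list of commands

def is_trusted_plugin_path(path: str) -> bool:
    """Accept only an absolute local path that normalizes to inside INSTALL_DIR."""
    drive, _ = ntpath.splitdrive(path)
    if not drive or drive.startswith("\\\\"):   # drive-less, or a UNC share
        return False
    if not ntpath.isabs(path):                   # e.g. C:plugins\x.dll
        return False
    norm = ntpath.normcase(ntpath.normpath(path))  # collapses ..\ segments
    root = ntpath.normcase(ntpath.normpath(INSTALL_DIR)) + "\\"
    return norm.startswith(root)

VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "cmd": lambda v: v in ALLOWED_CMDS,
    "CefPluginPathU8": is_trusted_plugin_path,
}

def incomplete_check(params: Dict[str, str]) -> bool:
    """Models the first fix: the command is validated, the DLL path is not."""
    return params.get("cmd", "") in ALLOWED_CMDS

def hardened_check(params: Dict[str, str]) -> bool:
    """Every parameter must be known and pass its own validator; unknown keys fail."""
    return all(key in VALIDATORS and VALIDATORS[key](value)
               for key, value in params.items())

# Constructed request parameters: a legitimate plugin load, a DLL on a network
# share (the CVE-2024-7263 scenario), and a traversal out of the install directory.
LEGIT = {"cmd": "open", "CefPluginPathU8": INSTALL_DIR + r"\ksojscore.dll"}
UNC_SHARE = {"cmd": "open", "CefPluginPathU8": r"\\fileshare\pub\ksojscore.dll"}
TRAVERSAL = {"cmd": "open",
             "CefPluginPathU8": INSTALL_DIR + r"\..\..\Users\Public\ksojscore.dll"}
```

`incomplete_check` accepts all three parameter sets because it never looks at the DLL path; `hardened_check` accepts only LEGIT.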


The Sophisticated Exploit: How It Works

The exploit used by APT-C-60 is not just technically advanced but also deceptive. Delivering it in the MHTML file format allowed the attackers to turn what was originally a local code execution vulnerability into a remote one. The victim needs to do very little to fall prey to the attack: a single click on what appears to be a legitimate spreadsheet is enough to compromise their system.

This exploit highlights the importance of maintaining up-to-date security practices and software. Even with a well-known and trusted application like WPS Office, vulnerabilities can be exploited if users do not remain vigilant. Protecting your system with up-to-date antiviruses can help mitigate these risks by detecting and neutralizing threats before they cause harm.


Indicators of Compromise (IoCs) and What to Look For

For those looking to understand the extent of APT-C-60's activities and protect their systems, ESET has published a detailed list of indicators of compromise (IoCs). These IoCs can help users and security professionals identify if their systems have been targeted or compromised by this threat. The full list of IoCs is available on ESET's GitHub repository, providing valuable information for those looking to bolster their defenses against such sophisticated attacks.


Conclusion: Stay Vigilant and Protect Your Systems

The attack on WPS Office by APT-C-60 serves as a stark reminder of the ever-present threats in the digital world. Even popular and widely-used software can harbor dangerous vulnerabilities that, if left unpatched, can be exploited by cybercriminals to devastating effect. The use of zero-day exploits, such as CVE-2024-7262, demonstrates the lengths to which attackers will go to compromise systems and steal sensitive information.

To protect yourself, it's crucial to stay informed about the latest threats and ensure that all your software is up-to-date. Additionally, using robust antiviruses can provide an extra layer of protection, helping to detect and neutralize threats before they can cause damage. As the digital landscape continues to evolve, so too must our approach to cybersecurity.


Homies Hacks
https://www.homieshacks.com/2024/09/south-korean-hackers-exploit-wps-office.html