South Korean Hackers Exploit Two Zero-Day Flaws In WPS Office

Cybersecurity firm ESET Research discovered two critical zero-day vulnerabilities in WPS Office for Windows, which were exploited by a South Korea-aligned cyberespionage group, APT-C-60, to deliver malware to users in China.

Developed by Zhuhai-based Chinese software firm Kingsoft, WPS Office is a popular office productivity suite, especially in East Asian regions. It has more than 500 million active users worldwide.

ESET Research discovered the first critical zero-day, identified as CVE-2024-7262 (CVSS score: 9.3), during an investigation into APT-C-60’s activities. They found a strange spreadsheet document linked to the hacking group’s downloader components.

Further analysis by ESET led to the discovery of a code execution vulnerability in WPS Office for Windows that was being exploited in the wild by APT-C-60 to install the custom “SpyGlace” backdoor, also known as TaskControler.dll, to target East Asian countries.

This flaw stemmed from the lack of sanitization of an attacker-provided file path and the lack of validation of the plugin being loaded. Leveraging this vulnerability allowed code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe.

APT-C-60 created malicious spreadsheet documents disguised as standard MHTML exports of Microsoft Excel (XLS) files. These documents contained hidden hyperlinks designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application.

“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explained ESET researcher Romain Dumont, who analyzed the flaw.

“When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk,” the researcher added.

“Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and columns inside the spreadsheet in order to deceive and convince the user that the document is a regular spreadsheet.”

According to ESET, WPS Office developer Kingsoft silently patched the zero-day bug in question (CVE-2024-7262) when it released version 12.1.0.16412. However, during the patch analysis, ESET researchers discovered that Kingsoft hadn’t fully remediated the issue.

During the patch analysis for CVE-2024-7262, ESET researchers discovered a second severe vulnerability, CVE-2024-7263 (CVSS score: 9.3), which hackers could exploit because of improper input validation.

ESET Research reported both vulnerabilities to Kingsoft, which acknowledged them and has now patched them. The affected versions of WPS Office for Windows range from 12.2.0.13110, which was released around August 2023, until the release of the patched version 12.2.0.17119 at the end of May 2024.

To mitigate these risks, ESET strongly recommends that all users of WPS Office for Windows update their software to the latest release immediately.

Kavita Iyer