South Korean APT Group Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor

CyberSecureFox 🦊

Cybersecurity researchers have uncovered a critical remote code execution vulnerability in Kingsoft WPS Office for Windows, which is being actively exploited by the South Korean APT group known as APT-C-60. This sophisticated attack allows the deployment of the SpyGlace backdoor, raising significant concerns in the cybersecurity community.

Understanding the WPS Office Vulnerability

The vulnerability, identified as CVE-2024-7262, affects WPS Office versions from 12.2.0.13110 (released in August 2023) to 12.1.0.16412 (released in March 2024). ESET researchers report that this zero-day exploit has been in use since at least late February 2024. Kingsoft, the Chinese company behind WPS Office, quietly patched the issue in March 2024 but failed to notify customers about its active exploitation by threat actors.

The root cause of CVE-2024-7262 lies in how WPS Office handles custom protocol handlers, specifically the ksoqing:// protocol. This vulnerability allows attackers to execute arbitrary code through specially crafted URLs embedded in documents.

Exploitation Technique and SpyGlace Backdoor

APT-C-60 exploits this vulnerability by creating malicious MHTML spreadsheet files containing hidden links disguised as bait images. When unsuspecting victims click these links, they trigger the exploit chain. The attack utilizes a base64-encoded command to execute a specific plugin (promecefpluginhost.exe), which then loads a malicious DLL (ksojscore.dll). This DLL acts as a loader for the final payload – the SpyGlace backdoor.

SpyGlace, previously analyzed by Threatbook researchers, has been used by APT-C-60 in attacks targeting organizations involved in personnel training and trade. This custom backdoor provides the attackers with persistent access to compromised systems, enabling further malicious activities.

Additional Vulnerability Discovered

During their investigation, ESET researchers uncovered another vulnerability, CVE-2024-7263, which also allows arbitrary code execution in WPS Office. This flaw resulted from an incomplete fix for CVE-2024-7262, where certain parameters like CefPluginPathU8 remained insufficiently protected. Kingsoft addressed this issue in late May 2024 with version 12.2.0.17119.
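The following is an added example, not code from the article, ESET or Kingsoft: a small Python triage script that decodes the MIME parts of an MHTML file, finds ksoqing:// links and checks their query values (base64-decoded where valid) for the plugin host and the CefPluginPathU8 parameter named above. The fixture document and its query-parameter layout are constructed for the test and do not reproduce the real exploit format.

```python
import base64
import quopri
import re
from email import message_from_bytes
from urllib.parse import unquote, urlsplit

# Indicators named in the article: the ksoqing:// handler, the plugin host the
# exploit chain launches, and the parameter the incomplete fix left exposed.
SCHEME_RE = re.compile(rb"ksoqing://[^\s\"'<>]+", re.IGNORECASE)
INDICATORS = ("promecefpluginhost.exe", "cefpluginpathu8")

def decoded_parts(raw: bytes):
    """Yield the transfer-decoded (base64/quoted-printable) body of each MIME leaf part."""
    for part in message_from_bytes(raw).walk():
        if not part.is_multipart():
            yield part.get_payload(decode=True) or b""

def decoded_strings(url: str):
    """Yield the URL, each query value, and each value's base64 decoding where it is valid."""
    yield url
    for pair in urlsplit(url).query.split("&"):
        value = unquote(pair.partition("=")[2])
        yield value
        try:
            padded = value + "=" * (-len(value) % 4)
            yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
        except ValueError:  # not base64; binascii.Error is a ValueError subclass
            pass

def scan_mhtml(raw: bytes) -> list[dict]:
    """Return one finding per ksoqing:// URL, listing the indicators found in it."""
    findings = []
    for body in decoded_parts(raw):
        for match in SCHEME_RE.findall(body):
            url = match.decode("utf-8", "replace")
            hits = {i for s in decoded_strings(url) for i in INDICATORS if i in s.lower()}
            findings.append({"url": url, "indicators": sorted(hits)})
    return findings

# Constructed fixture, not a real exploit document: a minimal MHTML whose HTML part
# wraps a bait image in a ksoqing:// link. The query layout is invented for this test
# and the base64 value is built here from a harmless string naming the indicators.
_HTML = (b'<a href="ksoqing://constructed?arg=' + base64.b64encode(
    b"promecefpluginhost.exe CefPluginPathU8=PLACEHOLDER") + b'"><img src="bait.png"></a>')
SAMPLE_MHTML = (
    b'MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\n"
    + quopri.encodestring(_HTML) + b"\r\n--b1--\r\n"
)
```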

Implications and Recommendations

The discovery of these vulnerabilities in WPS Office, a software package used by approximately 500 million people worldwide, highlights the critical importance of prompt security updates and transparent communication from software vendors. To mitigate the risks associated with these vulnerabilities, cybersecurity experts strongly recommend that WPS Office users update to the latest version or at least to version 12.2.0.17119, which addresses both code execution flaws.

This incident serves as a stark reminder of the ongoing threats posed by sophisticated APT groups and the need for constant vigilance in the cybersecurity landscape. Organizations and individuals alike must prioritize regular software updates, implement robust security measures, and stay informed about emerging threats to protect their digital assets effectively.
