South Korea-linked group APT-C-60 exploited a WPS Office zero-day

South Korea-linked group APT-C-60 exploited a zero-day in the Windows version of WPS Office to target East Asian countries.

South Korea-linked group APT-C-60 exploited a zero-day, tracked as CVE-2024-7262, in the Windows version of WPS Office to deploy the SpyGlace backdoor on the systems of targets in East Asia.

WPS Office is a comprehensive office productivity suite developed by Chinese software company Kingsoft and is widely used in Asia. It provides users with a range of tools for creating, editing, and managing documents, spreadsheets, presentations, and PDFs.

According to the WPS website, WPS Office has over 500 million active users worldwide.

ESET researchers discovered the vulnerability in WPS Office for Windows, along with another way to exploit the flaw, tracked as CVE-2024-7263.

The SpyGlace backdoor was publicly detailed by ThreatBook under the name TaskControler.dll.

The flaw stems from improper validation and sanitization of URLs in WPS Office, allowing attackers to create malicious hyperlinks.

The root cause analysis reveals that when WPS Office for Windows is installed, it registers a custom protocol handler called ksoqing. This handler allows the execution of an external application whenever a user clicks on a URL starting with the ksoqing:// URI scheme. In Windows, this registration is done in the system registry. Specifically, the registry key HKCR\ksoqing\shell\open\command is configured to execute a specific WPS Office executable (wps.exe) with an argument that includes the full URL. This mechanism enables the WPS Spreadsheet application to launch external applications when users interact with hyperlinks using the ksoqing protocol.

In APT-C-60's attack, the parameters of the ksoqing:// URL carry a base64-encoded command that tells WPS Office to run a specific plugin, which results in a malicious DLL being loaded; that DLL acts as a loader for the group's custom backdoor, SpyGlace, retrieved from the attacker's server. SpyGlace has been used by APT-C-60 in previous attacks targeting human resources and trade-related organizations.
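The following script is added here as an illustration; it is not code from the article, from ESET or from Kingsoft. It shows the two checks a defender would want after reading the handler analysis and the attack description above: confirm whether the ksoqing:// handler is registered on a Windows host and whether the installed build is at or above the fixed version, and scan a spreadsheet saved as MHTML for hyperlinks that use the scheme, decoding any base64-looking parameter so the analyst can see what the link would hand to WPS Office. The URL layout in the constructed sample (the plugin/run path and the cmd parameter) is an assumption; the article does not describe the real parameter names.

```python
import base64
import email
import quopri
import re
from urllib.parse import parse_qsl, urlsplit

# Minimum fixed build named in the article.
PATCHED_VERSION = (12, 2, 0, 17119)

# Any hyperlink using the ksoqing:// scheme is worth a look: an ordinary
# spreadsheet has no reason to carry one.
KSOQING_RE = re.compile(r'ksoqing://[^\s"\'<>]+', re.IGNORECASE)
# Standard-alphabet base64 of a plausible length (URL-safe variants not handled).
B64_RE = re.compile(r'^[A-Za-z0-9+/]{8,}={0,2}$')


def is_patched(version: str) -> bool:
    """True if a WPS Office for Windows version string is at least 12.2.0.17119."""
    return tuple(int(p) for p in version.split('.')) >= PATCHED_VERSION


def handler_executable(command: str) -> str:
    """Program path from a shell\\open\\command default value.

    Windows quotes the program when its path contains spaces, e.g.
    '"C:\\Program Files\\...\\wps.exe" /arg "%1"'; otherwise it is the first token.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(' ', 1)[0]


def read_ksoqing_handler():
    """On Windows, return the default value of HKCR\\ksoqing\\shell\\open\\command
    (None if the key is absent); on other platforms return None."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r'ksoqing\shell\open\command') as key:
            return winreg.QueryValue(key, None)
    except OSError:
        return None


def find_ksoqing_links(html: str) -> list:
    """Every ksoqing:// URL in an HTML body, with base64-looking query values decoded."""
    hits = []
    for match in KSOQING_RE.finditer(html):
        url = match.group(0)
        parts = urlsplit(url)
        decoded = {}
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if B64_RE.match(value):
                raw = value.rstrip('=')
                try:
                    decoded[name] = base64.b64decode(raw + '=' * (-len(raw) % 4)).decode('utf-8', 'replace')
                except ValueError:
                    pass  # not valid base64 after all; leave it to the analyst
        hits.append({'url': url, 'path': parts.netloc + parts.path, 'decoded_params': decoded})
    return hits


def scan_mhtml(mhtml: str) -> list:
    """Walk the MIME parts of an MHTML spreadsheet and scan each HTML body."""
    msg = email.message_from_string(mhtml)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != 'text/html':
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or 'utf-8', 'replace')
        hits.extend(find_ksoqing_links(html))
    return hits


# Constructed sample, not an attacker document: the path and the "cmd" parameter
# are hypothetical; the article does not give the real URL layout.
SAMPLE_COMMAND = base64.b64encode(b'load plugin.dll').decode('ascii')
SAMPLE_HTML = ('<html><body><table><tr><td>'
               f'<a href="ksoqing://plugin/run?cmd={SAMPLE_COMMAND}&v=1">Q3 figures</a>'
               '</td></tr></table></body></html>')


def build_sample_mhtml() -> str:
    """Wrap the sample HTML the way a spreadsheet saved as MHTML is stored (quoted-printable part)."""
    body = quopri.encodestring(SAMPLE_HTML.encode('utf-8')).decode('ascii')
    return ('MIME-Version: 1.0\n'
            'Content-Type: multipart/related; boundary="----=_part"\n\n'
            '------=_part\n'
            'Content-Type: text/html; charset="utf-8"\n'
            'Content-Transfer-Encoding: quoted-printable\n\n'
            + body + '\n------=_part--\n')


if __name__ == '__main__':
    for hit in scan_mhtml(build_sample_mhtml()):
        print(hit)
    cmd = read_ksoqing_handler()
    if cmd:
        print('ksoqing handler:', handler_executable(cmd))
```

On a Windows host with WPS Office installed the script also prints the executable the handler points at; elsewhere the registry lookup returns None and only the sample scan runs. To hunt across a mail store or file share, pass each candidate attachment's decoded text to scan_mhtml and compare the installed product version with is_patched.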


Users are strongly advised to update to the latest version of WPS Office, at least 12.2.0.17119, to mitigate these code execution vulnerabilities. ESET highlighted the exploit's effectiveness, noting its ability to deceive users with a legitimate-looking spreadsheet and its use of the MHTML file format to turn a code execution flaw into a remote exploit.

The researchers published a list of indicators of compromise related to the APT-C-60 campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Zero-day)