Understanding Zero-Day Attacks on WPS: A Comprehensive Analysis


Introduction

The discovery of two critical zero-day vulnerabilities in WPS Office by ESET researchers has brought to light the persistent threats posed by advanced persistent threat (APT) groups. Specifically, the South Korea-aligned cyberespionage group, APT-C-60, has been exploiting these vulnerabilities to target users in East Asia. These attacks underscore the sophisticated methods employed by APT groups and the importance of timely software updates to mitigate potential risks.

Overview of the WPS Office Zero-Day Vulnerabilities

The two vulnerabilities, identified as CVE-2024-7262 and CVE-2024-7263, are both remote code execution (RCE) flaws. These vulnerabilities were found in the document parser and the plugin component of WPS Office, making it possible for attackers to execute arbitrary code on victim systems. Given the widespread use of WPS Office, with over 500 million active users globally, these vulnerabilities presented a significant security risk.

Timeline of Events

The disclosure timeline, as reported by ESET:

February 29, 2024

Exploit Uploaded

The exploit document for CVE-2024-7262 was uploaded to VirusTotal.

March ??, 2024

Silent Patch

Kingsoft released an update that silently patched the CVE-2024-7262 vulnerability so that the 2024-02-29 exploit no longer worked. This was determined retrospectively by analyzing all accessible WPS Office releases between March and April 2024, as Kingsoft was not especially forthcoming in providing precise details of its actions when attempting to repair this vulnerability.

April 30, 2024

Malicious Document Analysis

ESET analyzed the malicious document from VirusTotal and discovered it was actively exploiting CVE-2024-7262, which was a zero-day vulnerability at the time of the document’s initial use. The analysis also revealed that Kingsoft’s silent patch addressed only one part of the faulty code, leaving the remaining flawed code still exploitable.

May 25, 2024

ESET Notification

ESET contacted Kingsoft to report its findings. Although the first vulnerability was already patched, ESET requested that Kingsoft create a CVE entry and/or issue a public statement, as it had done for CVE-2022-24934.

May 30, 2024

Kingsoft Acknowledgment

Kingsoft acknowledged the vulnerabilities and stated they would keep ESET updated.

June 17, 2024

Follow-Up Request

ESET requested an update from Kingsoft.

June 22, 2024

Patch Status Update

Kingsoft responded that their development team was still working on the fix and aimed to address it in the upcoming version.

July 31, 2024

Further Vulnerability Discovered

Based on later tests, ESET found that CVE-2024-7263 had also been silently patched. ESET informed Kingsoft that it had reserved CVE-2024-7262 and CVE-2024-7263 and was preparing them for publication.

August 11, 2024

Independent Findings Published

The DBAPP Security team independently published its findings.

August 15, 2024

CVE Publication

CVE-2024-7262 and CVE-2024-7263 were officially published.

August 16, 2024

ESET Follow-Up

ESET asked Kingsoft for another update.

August 22, 2024

Discrepancy in Claims

Kingsoft acknowledged they had fixed CVE-2024-7263 by the end of May, which contradicted their earlier claim on 2024-06-22 that their development team was still working on it.

August 28, 2024

Final Acknowledgment

Kingsoft acknowledged both vulnerabilities and confirmed that both had been patched, but expressed no interest in publicizing the in-the-wild exploitation of CVE-2024-7262. ESET therefore published its findings to warn Kingsoft’s customers that they should urgently update WPS Office: the in-the-wild exploitation and the third-party disclosure of the CVE-2024-7262 vulnerability and exploit both increase the chances of further exploitation.

Technical Details

  • CVE-2024-7262: This vulnerability was a remote code execution (RCE) flaw in the WPS Office document parser. The flaw originated from improper sanitization of file paths and inadequate validation of plugins being loaded. Exploiting this vulnerability allowed attackers to craft a malicious document, which, when opened, would execute arbitrary code on the victim's system. The attack involved the use of a malicious spreadsheet document that triggered the execution of a custom backdoor named SpyGlace, also known as TaskControler.dll.

  • CVE-2024-7263: Discovered during the patch analysis for CVE-2024-7262, this vulnerability also involved code execution via the same plugin component but exploited a different logic flaw. The issue arose from improper handling of command line arguments, allowing attackers to bypass checks and load malicious libraries without proper signature verification.

Exploitation and Impact

The vulnerabilities were actively exploited by APT-C-60, a South Korea-aligned cyberespionage group known for targeting government agencies, think tanks, and other organizations in South Korea and neighboring countries. The group leveraged these vulnerabilities to deploy malware and gain unauthorized access to sensitive information.

APT-C-60’s attack used an MHTML-formatted spreadsheet document containing a hidden hyperlink. When a user interacted with the hyperlink, the malicious code was executed remotely by downloading a library from a remote file path. The hyperlink abused the ksoqing protocol handler that WPS Office registers, which can launch external applications via specially crafted URLs.
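As an added defender-side example (not code from ESET, Kingsoft or the original post), the following Python scans an MHTML document for hyperlinks that invoke the ksoqing: scheme described above, so inbound documents can be flagged for review; the sample document and its placeholder URL are constructed for this illustration.

```python
# Added example (not ESET's, Kingsoft's or the post's own code): flag any
# hyperlink in an MHTML/.htm document whose target uses the ksoqing: URI
# scheme that WPS Office registers as a protocol handler. The sample document
# below is constructed for this example; the URL is a placeholder, not an exploit.
import email
import re
from email import policy

# href/src attributes pointing at a ksoqing: URL, case-insensitive, tolerant of
# optional quotes and whitespace around the value.
KSOQING_LINK = re.compile(
    r"""(?:href|src)\s*=\s*["']?\s*(ksoqing:[^"'\s>]*)""", re.IGNORECASE
)

# Constructed sample: a minimal MHTML container with one quoted-printable
# HTML part holding a hidden ksoqing: hyperlink (=3D decodes to "=").
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Sample"

------=_Sample
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<a href=3D"ksoqing://EXAMPLE-PLACEHOLDER" style=3D"display:none">open</a>
</body></html>
------=_Sample--
"""


def find_ksoqing_links(raw: bytes) -> list[str]:
    """Return every ksoqing: URL referenced from the document's text parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts = []
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_maintype() != "text":
                continue
            payload = part.get_payload(decode=True)  # undoes QP / base64
            if payload:
                charset = part.get_content_charset() or "utf-8"
                texts.append(payload.decode(charset, errors="replace"))
    else:
        # Not a MIME container: scan the whole input as one HTML document.
        texts.append(raw.decode("utf-8", errors="replace"))
    return [m.group(1) for text in texts for m in KSOQING_LINK.finditer(text)]
```

Because the scan runs on decoded part bodies, a link hidden behind quoted-printable or base64 transfer encoding is still caught.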

The exploitation of these vulnerabilities had the potential to cause severe consequences, including unauthorized access to sensitive data, installation of malware, and even complete control of compromised systems. The widespread use of WPS Office, especially in East Asia, made it a lucrative target for APT-C-60.

Response and Mitigation

Following the discovery of these vulnerabilities, ESET coordinated with Kingsoft, the developers of WPS Office, to patch the issues. Initially, CVE-2024-7262 was silently patched, but further analysis revealed that the patch was incomplete, leaving parts of the code still vulnerable. Kingsoft later addressed both vulnerabilities and urged users to update their software to the latest version to mitigate the risks associated with these exploits.

The affected versions of WPS Office for Windows ranged from 12.2.0.13110, released around August 2023, until the release of the patch at the end of May 2024 with version 12.2.0.17119. Users of WPS Office are strongly advised to update their software promptly and remain vigilant against potential phishing attempts and suspicious documents.
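As an added example (not ESET's, Kingsoft's or the post's own code), the following Python triages an inventory of WPS Office for Windows build strings against the affected range stated above; the host names and versions are constructed sample data.

```python
# Added example (not ESET's, Kingsoft's or the post's own code): classify
# WPS Office for Windows builds against the affected range named in the text,
# 12.2.0.13110 up to but not including the fixed build 12.2.0.17119.
# Inventory entries below are constructed sample data.
FIRST_AFFECTED = (12, 2, 0, 13110)
FIRST_FIXED = (12, 2, 0, 17119)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted build string into an int tuple so comparisons are numeric,
    not lexical ('12.2.0.9999' must sort below '12.2.0.13110')."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WPS Office build string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build falls inside [FIRST_AFFECTED, FIRST_FIXED)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Label each host 'update', 'outside-range' or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "update" if is_affected(version) else "outside-range"
        except ValueError:
            result[host] = "unknown"
    return result


SAMPLE_INVENTORY = {  # constructed sample data
    "ws-01": "12.2.0.13110",  # first affected build
    "ws-02": "12.2.0.17119",  # fixed build
    "ws-03": "12.2.0.9999",   # below the stated range; lexically it would sort above
    "ws-04": "12.2.0.16000",
    "ws-05": "n/a",
}
```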

Conclusion

The WPS Office zero-day vulnerabilities exploited by APT-C-60 highlight the persistent dangers posed by advanced cyberespionage organizations. The sophistication and persistence of these attacks underscore the importance of maintaining up-to-date software and being vigilant against potential threats. Organizations and individuals using WPS Office must prioritize security updates and adopt best practices to protect against similar exploits in the future.

Indicators of Compromise (IOCs)

File Names

  • input.htm: MHTML-formatted WPS Spreadsheet exploit – CVE-2024-7262.
  • WPS_TEST_DLL.dll: Downloader component.

File Hashes

  • Malicious document: SHA-1: 7509B4C506C01627C1A4C396161D07277F044AC6
  • Trojan downloader component: SHA-1: 08906644B0EF1EE6478C45A6E0DD28533A9EFC29

Malicious URLs and Paths

  • Remote library download URL: http://localhost/Dll1.dll
  • File path (MD5 hash): 914CBE6372D5B7C93ADDC4FEB5E964CD

Copyright © 2024 CYUN. All rights reserved.