GEC NEWS WIREESET researchers found a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262), which was being exploited by the South Korean-aligned APT-C-60 group to target East Asia. ESET also identified a second vulnerability (CVE-2024-7263) linked to the same issue. Both vulnerabilities have been patched after a coordinated disclosure. The final payload used in the APT-C-60 attacks was a custom cyberespionage backdoor called SpyGlace.
“While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities.
The malicious document comes as an MHTML export of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution.
“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explains Dumont. “When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk,” he adds.
Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and columns inside to deceive and convince the user that the document is a regular spreadsheet. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.
