APT-C-60 leverages undisclosed vulnerabilities in WPS Office to deploy the SpyGlace backdoor, targeting East Asian users
A South Korea-aligned cyberespionage group, identified as APT-C-60, has been leveraging a zero-day code execution vulnerability in the Windows version of WPS Office to deploy the SpyGlace backdoor on targets across East Asia.
WPS Office, a popular productivity suite developed by Chinese firm Kingsoft, has over 500 million active users worldwide. The zero-day vulnerability, tracked as CVE-2024-7262, has been actively exploited since late February 2024, affecting versions from 12.2.0.13110 (August 2023) to 12.1.0.16412 (March 2024).
Kingsoft quietly patched the flaw in March without notifying users that it was being exploited in the wild. This prompted cybersecurity firm ESET, which discovered the vulnerability and the associated APT-C-60 campaign, to publish a detailed report.
The flaw, CVE-2024-7262, is linked to how WPS Office handles custom protocol handlers, specifically ‘ksoqing://,’ which permits the execution of external applications via specially crafted URLs within documents. Due to improper validation and sanitisation, attackers could craft malicious hyperlinks, leading to arbitrary code execution.
APT-C-60 exploited this vulnerability by embedding malicious hyperlinks in spreadsheet documents (MHTML files) disguised under a decoy image. When a victim clicked the link, it triggered the exploit, executing a base64-encoded command to run a specific plugin (promecefpluginhost.exe), which then attempted to load a malicious DLL (ksojscore.dll) containing the attacker’s code.
This DLL acted as a downloader, retrieving the final payload, a custom backdoor known as ‘SpyGlace,’ from the attacker’s server.
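For defenders who want to hunt for documents carrying the chain described above, the following Python scanner is an added example and is not part of ESET's report or of WPS Office. It decodes the MIME parts of an MHTML file (so a quoted-printable transfer encoding cannot hide the link from a plain string search), extracts every ksoqing:// hyperlink, base64-decodes any long encoded runs inside it, and rates the finding high when the plain or decoded content names promecefpluginhost.exe or ksojscore.dll. The embedded sample document, its open?cmd= layout and the encoded text are constructed for the test and are not the real exploit syntax.

```python
from __future__ import annotations

import base64
import email
import quopri
import re
from email import policy

# Indicators named in the public reporting on CVE-2024-7262: the custom
# protocol handler, the plugin host the crafted link launches and the DLL
# that host tries to load.
SUSPICIOUS_SCHEME = "ksoqing://"
SUSPICIOUS_NAMES = ("promecefpluginhost.exe", "ksojscore.dll")

# A ksoqing:// URL runs until whitespace, a quote or an HTML bracket.
_URL_RE = re.compile(r"ksoqing://[^\s\"'<>]+", re.IGNORECASE)
# Long base64-looking runs inside such a URL: the hyperlink carries an
# encoded command, so the indicators are usually not visible as plain text.
_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_text_parts(raw: bytes) -> list[str]:
    """Decode every MIME part of an MHTML container (quoted-printable and
    base64 transfer encodings included). A non-MIME input is returned as-is."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    if msg.is_multipart():
        for part in msg.walk():
            payload = part.get_payload(decode=True)   # None for containers
            if payload:
                parts.append(payload.decode("utf-8", "ignore"))
    else:
        payload = msg.get_payload(decode=True) or raw
        parts.append(payload.decode("utf-8", "ignore"))
    return parts


def decode_b64_candidates(url: str) -> list[str]:
    """Best-effort decode of every base64-looking run inside a URL."""
    decoded = []
    for m in _B64_RE.finditer(url):
        chunk = m.group(0)
        chunk += "=" * (-len(chunk) % 4)          # repair missing padding
        try:
            decoded.append(base64.b64decode(chunk).decode("utf-8", "ignore"))
        except ValueError:                         # not valid base64 after all
            continue
    return decoded


def scan_document(raw: bytes) -> list[dict]:
    """Return one finding per ksoqing:// hyperlink in the document. Any such
    link deserves a look; one whose plain or decoded content names the plugin
    host or the DLL is rated high."""
    findings = []
    for text in extract_text_parts(raw):
        for m in _URL_RE.finditer(text):
            url = m.group(0)
            decoded = decode_b64_candidates(url)
            haystack = " ".join([url, *decoded]).lower()
            hits = sorted(n for n in SUSPICIOUS_NAMES if n in haystack)
            findings.append({
                "url": url,
                "decoded": decoded,
                "indicators": hits,
                "severity": "high" if hits else "medium",
            })
    return findings


# Constructed sample: a two-part MHTML document whose HTML part carries a
# ksoqing:// link hidden behind an image. The "open?cmd=" layout and the
# encoded text are invented for this test, not the real exploit syntax.
_SAMPLE_CMD = base64.b64encode(b"promecefpluginhost.exe ksojscore.dll").decode()
_SAMPLE_HTML = ('<html><body><a href="ksoqing://open?cmd=' + _SAMPLE_CMD + '">'
                '<img src="cid:decoy.png"></a></body></html>').encode()
SAMPLE_MHTML = (
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/related; boundary="----=_sample"\n\n'
    b"------=_sample\n"
    b'Content-Type: text/html; charset="utf-8"\n'
    b"Content-Transfer-Encoding: quoted-printable\n\n"
    + quopri.encodestring(_SAMPLE_HTML) + b"\n"
    b"------=_sample--\n"
)

if __name__ == "__main__":
    for finding in scan_document(SAMPLE_MHTML):
        print(finding["severity"], finding["url"], finding["indicators"])
```

The scanner deliberately flags every ksoqing:// link, not only those with known indicators: a legitimate document has little reason to carry that scheme at all, and the medium rating lets an analyst review the rest by hand.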
During their investigation, ESET also uncovered a second severe flaw, CVE-2024-7263, in WPS Office. This flaw emerged from an incomplete patch for CVE-2024-7262, allowing attackers to still point to malicious DLLs through improperly secured parameters.
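Why an incomplete fix for CVE-2024-7262 could leave room for CVE-2024-7263 is a general lesson about validating a path-like parameter. The Python below is an added illustration of that defect class and its hardening, not Kingsoft's code or patch: the plugin directory, the module allowlist and the shape of the parameter are assumptions. It places a naive prefix-and-extension check beside a check that normalises the path, rejects non-local paths and enforces a directory boundary, and shows which inputs only the hardened version refuses.

```python
import ntpath

# Assumed plugin directory and module allowlist for this illustration; the
# real WPS Office paths and the exact parameter Kingsoft validates are not
# given in the article, so these are placeholders.
PLUGIN_DIR = r"C:\Program Files\WPS Office\plugins"
ALLOWED_MODULES = {"ksojscore.dll"}


def weak_check(dll_param: str) -> bool:
    """The kind of check an incomplete fix tends to ship: a prefix test on the
    raw string plus an extension test. It never normalises the path, so a
    sibling directory sharing the prefix or a '..' segment gets through."""
    p = dll_param.lower()
    return p.startswith(PLUGIN_DIR.lower()) and p.endswith(".dll")


def strict_check(dll_param: str) -> bool:
    """Hardened version: accept only a local drive path, collapse '..'
    segments, require containment inside PLUGIN_DIR with the directory
    boundary respected, and require an allowlisted file name."""
    p = dll_param.replace("/", "\\")
    drive, _ = ntpath.splitdrive(p)
    if len(drive) != 2 or drive[1] != ":":      # rejects UNC, \\?\ and relative paths
        return False
    norm = ntpath.normpath(p)                   # resolves '.' and '..' textually
    base = ntpath.normpath(PLUGIN_DIR)
    try:
        inside = ntpath.commonpath([norm, base]).lower() == base.lower()
    except ValueError:                          # different drives
        return False
    return inside and ntpath.basename(norm).lower() in ALLOWED_MODULES


# Constructed inputs covering the expected case and the usual ways a
# string-only check is sidestepped.
CASES = [
    r"C:\Program Files\WPS Office\plugins\ksojscore.dll",            # legitimate
    r"C:\Program Files\WPS Office\plugins_evil\ksojscore.dll",       # sibling directory
    r"C:\Program Files\WPS Office\plugins\..\..\..\Users\Public\ksojscore.dll",  # traversal
    r"\\example-host\share\ksojscore.dll",                           # remote (UNC) path
    r"C:\Program Files\WPS Office\plugins\other.dll",                # not allowlisted
]


def compare(cases: list[str]) -> list[tuple[str, bool, bool]]:
    """Evaluate both checks on every input and return (path, weak, strict)."""
    return [(c, weak_check(c), strict_check(c)) for c in cases]


if __name__ == "__main__":
    for path, weak, strict in compare(CASES):
        print(f"weak={weak!s:5} strict={strict!s:5} {path}")
```

The two checks agree on the legitimate path and on the remote path; they differ on the sibling directory and the traversal input, which is exactly the gap an attacker looks for after a partial fix and the reason a patch for this class of bug should be reviewed with those inputs rather than only the original sample.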
ESET advises users of WPS Office to update to the latest release, at least version 12.2.0.17119, to address both vulnerabilities.