APT Group Exploits WPS Office for Windows RCE Vulnerability (CVE-2024-7262)
Summary:
ESET researchers discovered a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows that was being actively exploited by APT-C-60, a South Korea-aligned cyberespionage group. The group targeted users in East Asian countries and used the vulnerability to deploy a custom espionage backdoor that ESET named SpyGlace. While investigating the flaw, ESET identified a second vulnerability (CVE-2024-7263) stemming from the same underlying issue. Both vulnerabilities have since been patched through a coordinated disclosure process, but before fixed builds were available APT-C-60 exploited them to deliver malware to users, including in China, as confirmed by an independent analysis from DBAPPSecurity.
The attack used a malicious MHTML document carrying an XLS file extension so that it would open in WPS Spreadsheet. The document contained a hidden hyperlink with a specially crafted target; when the link was clicked, WPS Spreadsheet loaded and executed a remote library. Because the MHTML format lets a document reference external resources, the malicious library was fetched automatically as soon as the document was opened, so a single click on the link was enough to achieve remote code execution on the victim's system. To make the lure convincing, the attackers embedded an image of spreadsheet rows and columns in the document and attached the hidden hyperlink to that image, so a victim clicking what looked like an ordinary spreadsheet cell actually triggered the exploit.
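The two lure properties described above, an MHTML file wearing a spreadsheet extension and a hidden hyperlink wrapped around an image, are both cheap to check for on the endpoint or at a mail gateway. The script below is an added example written for this summary; it is not code from ESET, Kingsoft or the report. It parses a file as a MIME container with Python's standard email module, flags the extension/content mismatch, and lists hyperlinks that use a non-web URL scheme or wrap an image. The sample document, its hyperlink scheme, host and path are constructed placeholders, not indicators from the report, and the header markers and extension list are assumptions chosen for the example.

```python
import email
import re
from email import policy
from pathlib import PurePath
from urllib.parse import urlsplit

# Constructed sample (not a file from the ESET report): an MHTML document saved with an .xls
# extension. The hyperlink scheme, host and path are placeholders chosen for this example.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<a href="customscheme://open?lib=//example.invalid/share/helper.dll">
<img src="cid:sheet-image" alt="spreadsheet"></a>
</body></html>
------=_NextPart_000
Content-Type: image/png
Content-ID: <sheet-image>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
------=_NextPart_000--
"""

# Extensions WPS Spreadsheet opens as spreadsheets (assumed list; .et is WPS's own format).
SPREADSHEET_EXTS = {".xls", ".xlsx", ".xlsm", ".et"}
# Header fragments that mark a MIME/MHTML container (assumed markers; MHTML is a MIME message).
MHTML_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related")
# Schemes an ordinary spreadsheet hyperlink uses; anything else points at a custom handler.
COMMON_SCHEMES = {"http", "https", "mailto", ""}


def looks_like_mhtml(data: bytes) -> bool:
    """True if the first 4 KiB carries MIME headers, whatever the file extension says."""
    head = data[:4096]
    return any(marker in head for marker in MHTML_MARKERS)


def extract_html_parts(data: bytes) -> list[str]:
    """Decode every text/html part of the MHTML container."""
    msg = email.message_from_bytes(data, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def find_hyperlinks(html: str) -> list[str]:
    """All href targets in the rendered HTML."""
    return re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)


def find_image_wrapped_links(html: str) -> list[str]:
    """Anchors whose first child is an image: the 'fake spreadsheet cell' lure."""
    pattern = r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>\s*<img\b'
    return re.findall(pattern, html, flags=re.I | re.S)


def analyze(filename: str, data: bytes) -> dict:
    """Triage one file: extension/content mismatch plus the hyperlinks worth a second look."""
    ext = PurePath(filename).suffix.lower()
    is_mhtml = looks_like_mhtml(data)
    links, image_links = [], []
    if is_mhtml:
        for html in extract_html_parts(data):
            links += find_hyperlinks(html)
            image_links += find_image_wrapped_links(html)
    custom = [link for link in links
              if urlsplit(link).scheme.lower() not in COMMON_SCHEMES]
    return {
        "extension_mismatch": is_mhtml and ext in SPREADSHEET_EXTS,
        "links": links,
        "custom_scheme_links": custom,
        "image_wrapped_links": image_links,
    }


if __name__ == "__main__":
    report = analyze("quarterly_figures.xls", SAMPLE_MHTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A genuine OLE or OOXML spreadsheet never starts with MIME headers, so the mismatch check alone is a strong signal; the hyperlink checks are there to explain why a flagged file matters. The custom-scheme filter is deliberately broad, because the handler a document invokes is application-specific and any non-web scheme in a document that pretends to be a spreadsheet deserves analyst attention.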
Security Officer Comments:
ESET researcher Romain Dumont noted that exploiting this vulnerability required detailed knowledge of the application's internals and of the Windows library loading process. Kingsoft, the developer of WPS Office, had already released a patch, but ESET found it incomplete: the input validation it added could still be bypassed, leaving the flaw exploitable, and this incomplete fix is the second vulnerability, CVE-2024-7263. ESET reported both vulnerabilities (CVE-2024-7262 and CVE-2024-7263) to Kingsoft, which acknowledged and patched them.
Suggested Corrections:
ESET strongly advises all users of WPS Office for Windows to update to the latest version. Because the first patch for CVE-2024-7262 was incomplete, only builds that also address CVE-2024-7263 fully protect against this attack.
Link(s):
https://www.helpnetsecurity.com/2024/08/28/cve-2024-7262-cve-2024-7263/