CyberSecurity SEE

Examination of two arbitrary code execution vulnerabilities impacting WPS Office

ESET researchers discovered a critical code execution vulnerability in WPS Office for Windows, known as CVE-2024-7262, which was being actively exploited by the cyberespionage group APT-C-60, aligned with South Korea. Further analysis revealed an additional vulnerability, CVE-2024-7263, which was also part of the exploitation tactics employed by APT-C-60. Following a coordinated disclosure process, both vulnerabilities have been patched, and the technical details are provided in this blog post.

The discovery of the vulnerability occurred during an investigation into APT-C-60 activities, where a suspicious spreadsheet document was found referencing one of the group’s downloader components. The vulnerability in WPS Office for Windows was exploited by APT-C-60 to target countries in East Asia using a custom backdoor named SpyGlace, publicly documented by ThreatBook as TaskControler.dll.

WPS Office, boasting over 500 million active users globally, presented a lucrative target for the cyberespionage group to reach a large audience in East Asia. The weaponized document, disguised as an MHTML export of an XLS spreadsheet, contained a hidden hyperlink that, when clicked in WPS Spreadsheet, triggered the execution of arbitrary code, leading to remote code execution.

The coordinated vulnerability disclosure timeline runs from the upload of the exploit document to VirusTotal to the final publication of the blog post. Kingsoft, the developer of WPS Office, acknowledged and addressed the vulnerabilities, with CVE entries published for CVE-2024-7262 and CVE-2024-7263.

The root cause analysis of CVE-2024-7262 revealed that the vulnerability stemmed from a lack of sanitization of an attacker-provided file path and the absence of validation of the plugin being loaded. The exploit allowed for hijacking the control flow of the WPS Office plugin component, resulting in code execution. Further investigations led to the discovery of CVE-2024-7263, which exploited a similar flaw in the same WPS Office plugin component.

The exploitation of CVE-2024-7262 involved leveraging deceptive techniques, such as embedding a malicious hyperlink in a legitimate-looking spreadsheet document, to trick users into clicking and triggering the vulnerability. The impact of the vulnerability was significant, as it allowed for the delivery of malware to targeted users.

In the case of CVE-2024-7263, the exploitation involved bypassing certain validation checks to load an arbitrary library from an attacker-controlled file path. The flaw in the validation process enabled the execution of malicious code, showcasing the importance of thorough patch verification.

The affected versions of WPS Office for Windows ranged from 12.2.0.13110 to 12.1.0.16412 for CVE-2024-7262 and from 12.2.0.13110 to 12.2.0.17119 for CVE-2024-7263. Users of WPS Office are strongly advised to update to the latest version to mitigate these vulnerabilities.

The blog post also provided IoCs, network information, and MITRE ATT&CK techniques related to the exploitation of the vulnerabilities, offering a comprehensive overview of the threat landscape. By addressing these vulnerabilities and raising awareness, ESET aims to enhance cybersecurity measures for WPS Office users and protect against potential cyber threats.
