A South Korea-aligned cyber espionage group has been linked to the exploitation of a critical zero-day remote code execution flaw in Kingsoft WPS Office to deploy a custom backdoor called SpyGlace.
The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks were found to infect Chinese and East Asian users with malware.
The security flaw in question is CVE-2024-7262 (CVSS score: 9.3), which results from a lack of proper validation of user-supplied file paths. The vulnerability essentially allows an adversary to load an arbitrary Windows library and achieve remote code execution.
The flaw “allows code execution by hijacking the control thread of the WPS Office plugin component promecefpluginhost.exe,” ESET said, adding that it found another way to achieve the same effect. The second vulnerability is tracked as CVE-2024-7263 (CVSS score: 9.3).
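The root cause described above is a file-path validation gap: a path taken from attacker-controlled input is handed to the library loader without being confined to the directory the application expects. The following check is an added example (not WPS Office code, and the plugin directory, extensions and function names are assumptions) showing the validation that prevents this bug class: it parses the supplied path with Windows separator rules, rejects drive letters, UNC shares, rooted paths and traversal, then canonicalises the candidate and confirms it still lies under the allow-listed plugin directory before any loader is called.

```python
from pathlib import Path, PureWindowsPath

# Hypothetical allow-listed plugin directory (assumption, not the real WPS layout).
PLUGIN_DIR = Path("/opt/example-office/plugins")
# Only library files are ever loaded from plugin input (assumed policy).
ALLOWED_EXTENSIONS = {".dll", ".so"}


def is_safe_library_path(user_supplied: str, base_dir: Path = PLUGIN_DIR) -> bool:
    """Return True only if user_supplied names a library inside base_dir.

    The checks mirror the missing validation in a path-confusion library
    load: no NUL bytes, no absolute/UNC/drive-relative paths, no '..'
    traversal, an allowed extension, and a canonical prefix check.
    """
    if not user_supplied or "\x00" in user_supplied:
        return False

    # PureWindowsPath understands both '\\' and '/' separators, so a
    # backslash-based traversal cannot slip past a POSIX-only parser.
    win = PureWindowsPath(user_supplied)

    # Any anchor means a drive letter ('C:'), a UNC share ('\\\\host\\share')
    # or a rooted path ('\\x' or '/x'); none of these belong in plugin input.
    if win.anchor:
        return False

    # Explicit traversal components are rejected before canonicalisation.
    if ".." in win.parts:
        return False

    if win.suffix.lower() not in ALLOWED_EXTENSIONS:
        return False

    # Canonicalise and require the result to remain under base_dir. This
    # catches anything the structural checks above did not (e.g. symlinks).
    base = base_dir.resolve()
    candidate = base.joinpath(*win.parts).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return False
    return True


def resolve_plugin_library(user_supplied: str, base_dir: Path = PLUGIN_DIR) -> Path:
    """Return the confined absolute path a loader may use, or raise ValueError."""
    if not is_safe_library_path(user_supplied, base_dir):
        raise ValueError(f"rejected plugin library path: {user_supplied!r}")
    return base_dir.resolve().joinpath(*PureWindowsPath(user_supplied).parts).resolve()


if __name__ == "__main__":
    # Constructed inputs: one legitimate relative name, then the shapes a
    # path-confusion bug would otherwise accept.
    for sample in [
        "report_export.dll",
        "tools/helper.so",
        "..\\..\\Windows\\System32\\anything.dll",
        "\\\\remote-share.example\\pub\\anything.dll",
        "C:\\Temp\\anything.dll",
        "notes.txt",
    ]:
        print(f"{sample!r:55} -> {is_safe_library_path(sample)}")
```

The order matters: the structural rejections run on the raw string first, so a loader never sees a network or traversal path even when the filesystem check would have caught it; the canonical prefix check is the backstop for cases the string rules cannot express.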
The attack devised by APT-C-60 turns the flaw into a one-click exploit that takes the form of a booby-trapped spreadsheet document, which was uploaded to VirusTotal in February 2024.
Specifically, the file comes with a malicious link that, when clicked, initiates a multi-step infection sequence to deliver the SpyGlace backdoor, a DLL file named TaskControler.dll that comes with file-stealing, plug-in loading, and command execution capabilities.
“The developers of the exploits embedded an image of the rows and columns of the spreadsheet into the spreadsheet to trick and convince the user that the document is a normal spreadsheet,” said Romain Dumont, a security researcher. “A malicious hyperlink was attached to an image so that clicking on a cell in the image would trigger the exploit.”
APT-C-60 is believed to have been active since 2021, with SpyGlace detected in the wild as early as June 2022, according to Beijing-based cybersecurity vendor ThreatBook.
“Whether the team developed or purchased the exploit for CVE-2024-7262, it definitely required some research into the internals of the application, as well as knowledge of how the Windows boot process behaves,” Dumont said.
“The exploit is sneaky because it’s deceptive enough to get any user to click on a legitimate spreadsheet, and it’s also very effective and reliable. Choosing the MHTML file format allowed attackers to develop a remote code execution vulnerability.”
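Two details above give defenders a triage hook: the document is MHTML, and the hyperlink that starts the chain is attached to an image rather than to cell text. MHTML is ordinary MIME, so Python's standard library can parse it. The script below is an added example (not ESET's tooling, and the sample document, link targets and heuristic thresholds are constructed assumptions): it walks every HTML part of an MHTML file, lists each hyperlink, records whether the anchor wraps an image, and flags links whose scheme is anything other than the ordinary web and mail schemes. A real lure would use whatever scheme the target application registers; the placeholder scheme here stands in for that.

```python
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed MHTML sample: one ordinary link, one image wrapped in a link
# whose scheme is a placeholder for an application-registered handler.
SAMPLE_MHTML = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_boundary"

------=_boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<a href=3D"https://intranet.example/report">Quarterly figures</a>
<a href=3D"custom-scheme://placeholder-handler?arg=3Dx"><img src=3D"cid:sheet.png"></a>
</body></html>
------=_boundary
Content-Type: image/png
Content-ID: <sheet.png>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
------=_boundary--
"""

# Schemes considered ordinary for a document hyperlink (assumed policy).
ORDINARY_SCHEMES = {"http", "https", "mailto"}


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and note whether each anchor wraps an <img>."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[dict] = []
        self._open: dict | None = None

    def handle_starttag(self, tag: str, attrs: list) -> None:
        a = dict(attrs)
        if tag == "a":
            self._open = {"href": a.get("href") or "", "wraps_image": False}
        elif tag == "img" and self._open is not None:
            self._open["wraps_image"] = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def triage_mhtml(raw: str) -> list[dict]:
    """Return one record per hyperlink found in the HTML parts of an MHTML file."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings: list[dict] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())   # decodes quoted-printable for us
        for link in collector.links:
            scheme = urlsplit(link["href"]).scheme.lower()
            # Heuristic: a non-web scheme is unusual in a spreadsheet export,
            # and doubly so when the clickable element is an embedded image.
            suspicious = scheme not in ORDINARY_SCHEMES
            findings.append({**link, "scheme": scheme, "suspicious": suspicious})
    return findings


def suspicious_links(raw: str) -> list[dict]:
    """Convenience filter: only the links the heuristic flags."""
    return [f for f in triage_mhtml(raw) if f["suspicious"]]


if __name__ == "__main__":
    for f in triage_mhtml(SAMPLE_MHTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} scheme={f['scheme']!r:16} wraps_image={f['wraps_image']} href={f['href']}")
```

The heuristic is deliberately conservative: it reports any non-web scheme and leaves the image-wrapping flag as context for the analyst rather than as a second hard rule, because legitimate exports do sometimes link images to web addresses.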
The disclosure comes as the Slovak cybersecurity company noted that a malicious third-party plugin for the Pidgin messaging app called ScreenShareOTR (or ss-otr) contains code responsible for downloading next-stage command-and-control (C&C) binaries that ultimately led to the deployment of DarkGate malware.
“The plugin’s functionality is advertised to include screen sharing that uses the secure Off-the-Record (OTR) messaging protocol. However, in addition to this, the plugin contains malicious code,” ESET said. “In particular, some versions of pidgin-screenshare.dll can download and execute a PowerShell script from the C&C server.”
The plugin, which also contains keylogger and screenshot capture features, has since been removed from the list of third-party plugins. Users who have installed the plugin are advised to remove it immediately.