
Cyber espionage group exploits WPS Office vulnerability

Take action: If you are using WPS Office, update it to the latest version ASAP. It's not that difficult, and the software is free.


The APT-C-60 espionage group has been actively exploiting a critical vulnerability in the Kingsoft WPS Office plugin to deploy a backdoor known as SpyGlace.

WPS Office is a free, all-in-one office suite developed by Kingsoft Corporation. It includes tools for word processing (WPS Writer), spreadsheets (WPS Spreadsheet), presentations (WPS Presentation), and PDF editing.

The exploited vulnerability, tracked as CVE-2024-7262 (CVSS score varies from 7.8 to 9.3), arises from inadequate validation of user-provided file paths, allowing attackers to upload arbitrary Windows libraries and achieve remote code execution (RCE). Because the WPS Office plugin component, promecefpluginhost.exe, does not sufficiently validate the file path it is handed, an attacker can hijack its control flow and execute arbitrary code.
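As an added illustration of the bug class described above, and not WPS Office's or Kingsoft's own code, the Python below contrasts a weak check on a user-supplied library path with a hardened one that canonicalises the path under Windows rules and confines it to a plugin directory; the directory name and both function names are hypothetical.

```python
import ntpath  # Windows path semantics, usable on any OS

# Constructed, hypothetical location a plugin host would be allowed to load libraries from.
ALLOWED_PLUGIN_DIR = r"C:\Program Files\WPS Office\plugins"


def weak_library_check(requested: str) -> bool:
    """Vulnerable pattern: accepts any string that merely looks like a DLL name.

    It never asks where the file lives, so traversal sequences, other drives
    and network shares all pass. This mirrors the advisory's bug class
    (insufficient validation of a user-supplied file path), not real WPS code.
    """
    return requested.lower().endswith(".dll")


def hardened_library_check(requested: str, allowed_dir: str = ALLOWED_PLUGIN_DIR):
    """Return (ok, reason). Only an absolute, local, canonical path inside allowed_dir passes."""
    if "\x00" in requested:
        return False, "embedded NUL"
    drive, _ = ntpath.splitdrive(requested)
    if drive.startswith("\\\\") or drive.startswith("//"):
        return False, "UNC path"  # a remote share must never supply the library
    if not drive or not ntpath.isabs(requested):
        return False, "not an absolute drive path"  # rejects relative and drive-relative forms
    # normpath collapses "." and ".." and unifies separators; normcase folds case as Windows does.
    canon = ntpath.normcase(ntpath.normpath(requested))
    root = ntpath.normcase(ntpath.normpath(allowed_dir)) + ntpath.sep
    if not canon.startswith(root):
        return False, "outside plugin directory"
    if not canon.endswith(".dll"):
        return False, "not a .dll"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate request and two that the weak check would accept.
    for p in (r"C:/Program Files/WPS Office/plugins/legit.dll",
              r"C:\Program Files\WPS Office\plugins\..\..\..\Users\Public\evil.dll",
              r"\\attacker\share\payload.dll"):
        print(f"{p!r}: weak={weak_library_check(p)} hardened={hardened_library_check(p)}")
```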

A second, related vulnerability, CVE-2024-7263 (CVSS score varies from 7.8 to 9.3), was also identified; it offers another path to the same level of RCE.

APT-C-60 uses a one-click exploit disguised as a rigged spreadsheet document. This document, discovered on VirusTotal in February 2024, contains a malicious link embedded in an image of spreadsheet rows and columns. Clicking on any part of this image triggers a multi-stage infection process, leading to the deployment of the SpyGlace trojan.

The attackers embedded a visual representation of spreadsheet cells inside the document to deceive the user into thinking it is a standard file. The actual exploit is activated when the user interacts with this image.

Users are strongly advised to update WPS Office to the latest version, although the vendor has not declared which version, if any, remedies the vulnerabilities. According to ESET, CVE-2024-7262 was apparently patched silently by WPS Office developer Kingsoft.
