South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Published: 23/11/2024   Category: security




The most popular office software suite in China actually has two critical vulnerabilities, both of which gave attackers a route to remote code execution. Time to patch.



Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the hugely popular office software.
WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It's particularly widely adopted in its home country of China, where it holds more than 90% of the mobile office software market and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for half a day, it caused major disruptions to industry across the country.
Its ubiquity, not to mention its handling of sometimes sensitive documents, makes WPS Office an attractive target for hackers targeting Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed SpyGlace to WPS users via an arbitrary code execution exploit.
According to China-based DBAPPSecurity, the aim of the campaign was to obtain intelligence on China-South Korea relations.
On the last day of February this year, researchers from ESET noticed a strange spreadsheet document uploaded to VirusTotal.
The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive format that bundles all of the contents of a webpage, markup, images and other resources, into a single MIME multipart file. It can do the same for other types of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) spreadsheet.
If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Strangely, in place of normal rows and columns was an image overlay of rows and columns. A victim who tried clicking on what appeared to be a cell in fact clicked the image, which was wrapped in a hidden hyperlink. That single click would then trigger the download of APT-C-60's malicious backdoor.
What in WPS could have allowed for such a dangerous one-click exploit?
The issue lay with promecefpluginhost.exe, a plug-in host component in WPS Office for Windows that did not properly validate the file paths it used to load plug-ins. Rather than simply load malware directly via the insecure component, APT-C-60 used a custom URL protocol handler registered by WPS, ksoqing://, which allows external applications to be executed, to launch wps.exe and, through it, promecefpluginhost.exe with attacker-supplied arguments, tricking it into loading an unvetted malicious library in place of a legitimate plug-in.
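To make the MHTML lure and the protocol-handler link concrete, here is an added triage script written for this article (not code from ESET, Kingsoft or APT-C-60). It parses an MHTML archive with Python's standard MIME parser, lists each part with its content type and declared location, and flags hyperlinks in HTML parts whose URL scheme is not a standard web scheme, which is exactly how a ksoqing:// link would surface during triage. The embedded sample archive is constructed for the demo; its file names and URLs are made up.

```python
"""Triage an MHTML (MIME-encapsulated HTML) lure of the kind described above:
enumerate its MIME parts and flag hyperlinks that use a custom URL scheme
such as ksoqing://. Added example for this article, not ESET's or Kingsoft's
code; the sample archive below is constructed for the demo and its file
names and URLs are made up."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the lure: an HTML body that shows an image
# and wraps it in a hyperlink whose scheme is a custom protocol handler.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Demo"

------=_Demo
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/demo/sheet.htm

<html><body>
<a href=3D"ksoqing://example.invalid/launch">
<img src=3D"sheet_files/image001.png" alt=3D"table"></a>
<a href=3D"https://example.invalid/help">Help</a>
</body></html>

------=_Demo
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: file:///C:/demo/sheet_files/image001.png

iVBORw0KGgo=

------=_Demo--
"""

# Schemes a spreadsheet export can legitimately contain; anything else is
# dispatched to a registered protocol handler and deserves a second look.
BENIGN_SCHEMES = {"http", "https", "mailto", "file"}
HREF_RE = re.compile(r"""href\s*=\s*["']?([a-z][a-z0-9+.\-]*):""", re.IGNORECASE)


def _leaf_parts(mhtml_bytes):
    """Parse the archive and return its non-multipart MIME parts."""
    msg = BytesParser(policy=policy.default).parsebytes(mhtml_bytes)
    return [p for p in msg.walk() if not p.is_multipart()]


def list_parts(mhtml_bytes):
    """Return (content_type, content_location, decoded_size) for every leaf part."""
    out = []
    for part in _leaf_parts(mhtml_bytes):
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        out.append((part.get_content_type(), str(part.get("Content-Location", "")), len(payload)))
    return out


def custom_schemes(mhtml_bytes):
    """Return the set of non-standard URL schemes used in href attributes of HTML parts."""
    found = set()
    for part in _leaf_parts(mhtml_bytes):
        if part.get_content_type() != "text/html":
            continue
        html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        found.update(s.lower() for s in HREF_RE.findall(html) if s.lower() not in BENIGN_SCHEMES)
    return found


if __name__ == "__main__":
    for ctype, location, size in list_parts(SAMPLE_MHTML):
        print(f"{ctype:<10} {size:>6} bytes  {location}")
    print("custom schemes in hrefs:", sorted(custom_schemes(SAMPLE_MHTML)) or "none")
```

Run against a real sample, `list_parts` shows at a glance whether an "Excel export" carries parts that no spreadsheet needs, and `custom_schemes` surfaces any link that would hand control to a registered protocol handler rather than a browser.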
Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110, released about a year ago, up to the patch in March that shipped as version 12.1.0.16412. That, however, isn't the end of the saga.
At some point in March, without any fanfare, WPS developer Kingsoft applied a twofold fix for CVE-2024-7262.
"The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it's their own package which is signed by the company," explains Romain Dumont, malware researcher with ESET, which released a blog post on the double fix on Aug. 28. "And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same type of vulnerability."
By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.
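The two-step fix is easiest to see as code. The following Python model is an added illustration written for this article, not Kingsoft's code: a plug-in host reads two path parameters (the names service_path and plugin_path are hypothetical stand-ins, not the real WPS parameter names) and loads a library from each. The vulnerable variant loads whatever it is given; the partial fix adds a signature check and path containment for one parameter only, so a traversal path supplied through the other parameter still loads; the complete fix routes every path through the same checked load primitive. The directory layout and the file-suffix stand-in for a signature check are assumptions made for the demo.

```python
"""Model of the plug-in path check behind CVE-2024-7262/7263 and of the
two-step fix described above: first a signature check plus sanitising of one
parameter, then the same check applied to every parameter. Added illustration
for this article, not Kingsoft's code; the parameter names, the stand-in
signature check and the on-disk layout are assumptions made for the demo."""
import os
import tempfile

# Hypothetical names for the two command-line parameters the host reads.
SERVICE_PATH = "service_path"
PLUGIN_PATH = "plugin_path"


class LoadRefused(Exception):
    """Raised when a library fails the load policy."""


def is_inside(allowed_dir, candidate):
    """True if candidate resolves (symlinks and '..' included) to something below allowed_dir."""
    root = os.path.realpath(allowed_dir)
    target = os.path.realpath(candidate)
    return target != root and os.path.commonpath([root, target]) == root


def vendor_signed(path):
    """Stand-in for a code-signature check; a real host would verify the Authenticode chain."""
    return path.endswith(".signed.dll")


def load_library(path, install_dir, checked=True):
    """Single load primitive: when checked, refuse anything outside install_dir or unsigned."""
    if checked and not (is_inside(install_dir, path) and vendor_signed(path)):
        raise LoadRefused(path)
    return os.path.realpath(path)  # a real host would call LoadLibrary here


def host_vulnerable(params, install_dir):
    """Original behaviour: both parameters are loaded exactly as given."""
    return [load_library(params[SERVICE_PATH], install_dir, checked=False),
            load_library(params[PLUGIN_PATH], install_dir, checked=False)]


def host_partial_fix(params, install_dir):
    """First fix: one parameter is checked, the other still reaches the loader unchecked."""
    return [load_library(params[SERVICE_PATH], install_dir),
            load_library(params[PLUGIN_PATH], install_dir, checked=False)]


def host_fixed(params, install_dir):
    """Complete fix: every path, whatever parameter it came from, goes through the checked loader."""
    return [load_library(params[name], install_dir) for name in (SERVICE_PATH, PLUGIN_PATH)]


def demo():
    """Run the three host variants against a clean and two attacker-controlled parameter sets."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "wps")
        os.makedirs(install)
        good = os.path.join(install, "cef.signed.dll")
        open(good, "wb").close()
        # Attacker-controlled file outside the install directory (e.g. a downloads folder).
        evil = os.path.join(tmp, "Downloads", "payload.dll")
        os.makedirs(os.path.dirname(evil))
        open(evil, "wb").close()
        # A traversal path that still resolves to the attacker's file.
        traversal = os.path.join(install, "..", "Downloads", "payload.dll")

        cases = {
            "clean": {SERVICE_PATH: good, PLUGIN_PATH: good},
            "attack_service": {SERVICE_PATH: evil, PLUGIN_PATH: good},
            "attack_plugin": {SERVICE_PATH: good, PLUGIN_PATH: traversal},
        }
        hosts = {"vulnerable": host_vulnerable, "partial": host_partial_fix, "fixed": host_fixed}
        results = {}
        for host_name, host in hosts.items():
            for case_name, params in cases.items():
                try:
                    host(params, install)
                    results[(host_name, case_name)] = "loaded"
                except LoadRefused:
                    results[(host_name, case_name)] = "refused"
        return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(f"{key[0]:<10} {key[1]:<15} {outcome}")
```

The structural point is that containment and signature checks belong in the one function that performs the load, not in per-parameter sanitisation: a parameter the fix overlooks, as happened with CVE-2024-7263, then has no way around them.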
With both critical bugs now accounted for, Dumont urges all WPS users to patch immediately. "This vulnerability is triggered by a single click inside of the application on the hidden hyperlink," he says. "Try to keep your computer updated, and be cautious."
