APT Hackers Exploiting Zero-Day Vulnerabilities in WPS Office

ESET researchers have discovered two critical zero-day vulnerabilities in WPS Office for Windows, exploited by APT-C-60, a cyberespionage group aligned with South Korea. These vulnerabilities allow attackers to execute malicious code and deploy malware on targeted systems in East Asia. One flaw, identified as CVE-2024-7262, involves improper sanitization of file paths in WPS Office’s plugin component, enabling attackers to hijack the application and load a custom backdoor named SpyGlace (also known as TaskControler.dll) that delivers further malware.

APT-C-60 utilizes the MHTML file format, which embeds HTML, CSS, and JavaScript in a single archive. This method allows attackers to hide a hyperlink within the document that, when clicked, triggers remote code execution by downloading a malicious library. The attack leverages WPS Office’s ksoqing protocol handler to execute external applications via crafted URLs. A second vulnerability, CVE-2024-7263, was uncovered during patch analysis for the first flaw. This also enables code execution, but through a different logic flaw in the same plugin component.
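As an added defensive example (not code from the article or from ESET), the following Python parses an MHTML document as MIME and reports any hyperlink that invokes the ksoqing protocol handler described above; the sample document and its placeholder URL argument are constructed for illustration, and the check flags the scheme only, not any particular exploit.

```python
import email
import re
from email import policy

# Constructed sample MHTML (not from the article): one HTML part whose body carries a
# hyperlink using WPS Office's ksoqing: custom protocol handler. The part is
# quoted-printable encoded, so the raw bytes read href=3D"ksoqing://..." and a naive
# grep for href="ksoqing would miss it; the MIME decoder below restores the "=".
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_BOUNDARY"

------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body>
<a href=3D"ksoqing://PLACEHOLDER_ARGS">Open attachment</a>
</body></html>
------=_BOUNDARY--
"""

# Match the scheme and everything up to the end of the URL attribute value.
KSOQING_RE = re.compile(r"""ksoqing:[^\s"'<>]*""", re.IGNORECASE)


def find_ksoqing_links(mhtml_bytes: bytes) -> list[str]:
    """Return every ksoqing: URL found in the text parts of an MHTML blob."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    hits: list[str] = []
    for part in msg.walk():
        # Skip the multipart container itself and any binary attachments (images etc.).
        if part.get_content_maintype() != "text":
            continue
        # get_content() undoes the Content-Transfer-Encoding (quoted-printable/base64)
        # and applies the declared charset, giving the HTML as the viewer would see it.
        body = part.get_content()
        hits.extend(KSOQING_RE.findall(body))
    return hits


if __name__ == "__main__":
    for url in find_ksoqing_links(SAMPLE_MHTML):
        print("suspicious protocol-handler link:", url)
```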

The second flaw stems from improper handling of command line arguments in WPS Office, allowing attackers to bypass security checks and load malicious libraries. Both flaws have been exploited in the wild, mainly in East Asia, which highlights the importance of comprehensive patching: ESET found that the initial patch for CVE-2024-7262 was incomplete. Kingsoft has since addressed both vulnerabilities and urged users to update to the latest version. The affected versions range from 12.2.0.13110 to 12.2.0.17119. WPS Office’s large user base makes it a prime target for attacks.
