APT-C-60 Group Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor
August 28, 2024
APT-C-60, a cyber espionage group with ties to South Korea, has been exploiting a critical remote code execution flaw in Kingsoft WPS Office to deploy a custom backdoor called SpyGlace. The flaw, tracked as CVE-2024-7262 with a CVSS score of 9.3, stems from insufficient validation of user-provided file paths, which lets an attacker upload an arbitrary Windows library and achieve remote code execution.
ESET highlighted that the bug enables code execution by hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe. The firm also discovered an alternative way to achieve the same outcome, tracked as CVE-2024-7263, which likewise carries a CVSS score of 9.3.
APT-C-60 has weaponized this flaw into a one-click exploit that takes the form of a rigged spreadsheet document. This document was uploaded to VirusTotal in February 2024 and contains a malicious link. Upon clicking, a multi-stage infection sequence is triggered, delivering the SpyGlace trojan.
The SpyGlace trojan is a DLL file named TaskControler.dll, equipped with file stealing, plugin loading, and command execution capabilities. According to security researcher Romain Dumont, the exploit developers embedded an image of the spreadsheet's rows and columns inside the spreadsheet to trick the user into believing it is a regular document. The malicious hyperlink was attached to that image, so clicking on what looks like a cell in the picture triggers the exploit.
APT-C-60 has reportedly been active since 2021, with SpyGlace detected in the wild as early as June 2022, as per Beijing-based cybersecurity vendor ThreatBook. Dumont noted that whether the group developed or purchased the exploit for CVE-2024-7262, it required extensive research into the application's internals and an understanding of how the Windows loading process behaves.
ESET also reported that a malicious third-party plugin for the Pidgin messaging application, called ScreenShareOTR (or ss-otr), has been found to contain code responsible for downloading next-stage binaries from a command-and-control (C&C) server, leading to the deployment of DarkGate malware. This plugin, which also includes keylogger and screenshot capturing features, has since been removed from the third-party plugins list. Users who have installed the plugin are advised to remove it immediately.