A cyber-espionage group aligned with South Korea has been linked to the exploitation of a recently patched severe remote code execution vulnerability in Kingsoft WPS Office, which has been used to deploy a custom backdoor known as SpyGlace.
Cybersecurity firms ESET and DBAPPSecurity attribute this activity to a threat actor identified as APT-C-60.
These attacks have been observed infecting users in China and East Asia with malware.
The vulnerability in question, CVE-2024-7262 (CVSS score: 9.3), arises from inadequate validation of user-supplied file paths. This flaw allows an attacker to upload an arbitrary Windows library, enabling remote code execution.
ESET noted that the flaw “permits code execution by hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe” and mentioned discovering an additional method to exploit this issue, tracked as CVE-2024-7263 (CVSS score: 9.3).

APT-C-60 has exploited this vulnerability by creating a one-click exploit embedded in a malicious spreadsheet document, which was uploaded to VirusTotal in February 2024. The file contains a deceptive image of the spreadsheet’s content, with a hidden malicious link. Clicking on a cell within this image initiates a multi-stage infection process to deploy the SpyGlace trojan, a DLL file named TaskControler.dll, which includes capabilities for file theft, plugin loading, and command execution.
Security researcher Romain Dumont explained, “The exploit developers embedded an image of the spreadsheet’s rows and columns to trick users into believing the document was ordinary. The malicious hyperlink was attached to this image, so interacting with a cell in the picture would activate the exploit.”
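As an added example (not from ESET's report or this article), the following triage check targets the lure described above: it lists pictures in a spreadsheet that carry a hyperlink and flags external targets whose scheme is not an ordinary web one. It assumes an OOXML (.xlsx) container, which the article does not specify; `picture_hyperlinks`, `build_sample`, `WEB_SCHEMES` and the `example-handler://` target are hypothetical names constructed for illustration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer the defusedxml package
from urllib.parse import urlparse

XDR = "http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing"
A = "http://schemas.openxmlformats.org/drawingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WEB_SCHEMES = {"http", "https", "mailto"}  # assumption: schemes treated as ordinary

def picture_hyperlinks(xlsx_bytes):
    """Return (drawing part, picture name, target, suspicious) for each linked picture."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        for part in sorted(n for n in names if n.startswith("xl/drawings/") and n.endswith(".xml")):
            rels_part = posixpath.join(posixpath.dirname(part), "_rels", posixpath.basename(part) + ".rels")
            if rels_part not in names:
                continue  # no relationships, so no hyperlink can resolve
            rels = {r.get("Id"): r for r in ET.fromstring(z.read(rels_part)).iter(f"{{{PKG}}}Relationship")}
            for pic in ET.fromstring(z.read(part)).iter(f"{{{XDR}}}pic"):
                props = pic.find(f"{{{XDR}}}nvPicPr/{{{XDR}}}cNvPr")
                link = props.find(f"{{{A}}}hlinkClick") if props is not None else None
                rel = rels.get(link.get(f"{{{R}}}id")) if link is not None else None
                if rel is None:
                    continue  # picture without a click hyperlink
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                suspicious = rel.get("TargetMode") == "External" and scheme not in WEB_SCHEMES
                findings.append((part, props.get("name"), target, suspicious))
    return findings

def build_sample(target):
    """Constructed sample: a minimal zip with one linked picture (not a full workbook)."""
    drawing = (f'<xdr:wsDr xmlns:xdr="{XDR}" xmlns:a="{A}" xmlns:r="{R}"><xdr:twoCellAnchor><xdr:pic>'
               '<xdr:nvPicPr><xdr:cNvPr id="2" name="Picture 1"><a:hlinkClick r:id="rId1"/>'
               '</xdr:cNvPr></xdr:nvPicPr></xdr:pic></xdr:twoCellAnchor></xdr:wsDr>')
    rels = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" Type="{R}/hyperlink" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/drawings/drawing1.xml", drawing)
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(picture_hyperlinks(build_sample("example-handler://open/constructed")))
```

A picture that links to a non-web scheme is a triage signal for manual review, not proof of exploitation.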
APT-C-60 has been active since at least 2021, with SpyGlace sightings dating back to June 2022, according to ThreatBook, a Beijing-based cybersecurity firm.