WPS Office Zero-Day Exploited by South Korea-Linked Cyberspies

A WPS Office zero-day vulnerability tracked as CVE-2024-7262 was exploited by the South Korea-linked hacker group APT-C-60.

A zero-day vulnerability in WPS Office has been exploited by a hacker group linked to South Korea to deliver malware, according to cybersecurity firm ESET.

The threat actor is tracked as APT-C-60 and the zero-day is identified as CVE-2024-7262. ESET has described APT-C-60 as a “South Korea-aligned cyberespionage group”.

The exploit, which allows remote code execution, has been used to deliver a custom backdoor named SpyGlace to targets in East Asia.

Chinese cybersecurity firm DBAPPSecurity recently published its own analysis of the WPS Office vulnerability after determining that it had been exploited to deliver malware to users in China.

SecurityWeek has seen several reports from Chinese companies and government agencies on APT-C-60, which is tracked in the country as Pseudo Hunter. Some of these reports link the APT to South Korea.

According to a ThreatBook report from late 2022, APT-C-60 has also targeted entities in South Korea.

ESET reported on Wednesday that a malicious document set up to exploit CVE-2024-7262 was uploaded to VirusTotal in late February. The attackers created harmless-looking spreadsheets set up to trigger the exploit when the targeted user clicked on a cell.

According to ESET, WPS Office developer Kingsoft silently patched the zero-day in March 2024, when it released version 12.1.0.16412. Versions of the software released since August 2023 were impacted, but only on Windows.

During its analysis of CVE-2024-7262, ESET discovered that Kingsoft had only addressed part of the faulty code and the vulnerability was still exploitable. The vendor then released a patch for this second issue, which is tracked as CVE-2024-7263.

WPS Office is a popular office suite, with more than 500 million active users worldwide, according to the official website. This can make it a valuable target for exploit developers.

ESET has provided technical details, as well as indicators of compromise (IoCs), for the APT-C-60 attacks.
