
WPS Office Zero-Day Exploited by South Korea-Linked Cyberspies

A WPS Office zero-day vulnerability tracked as CVE-2024-7262 was exploited by the South Korea-linked hacker group APT-C-60.


A zero-day vulnerability in WPS Office has been exploited by a hacker group linked to South Korea to deliver malware, according to cybersecurity firm ESET.

The threat actor is tracked as APT-C-60 and the zero-day is identified as CVE-2024-7262. ESET has described APT-C-60 as a “South Korea-aligned cyberespionage group”.

The exploit, which allows remote code execution, has been used to deliver a custom backdoor named SpyGlace to targets in East Asia.  

Chinese cybersecurity firm DBAPPSecurity recently published its own analysis of the WPS Office vulnerability after determining that it had been exploited to deliver malware to users in China.

SecurityWeek has seen several reports from Chinese companies and government agencies on APT-C-60, which is tracked in the country as Pseudo Hunter. Some of these reports link the APT to South Korea. 

According to a ThreatBook report from late 2022, APT-C-60 has also targeted entities in South Korea. 

ESET reported on Wednesday that a malicious document crafted to exploit CVE-2024-7262 was uploaded to VirusTotal in late February. The attackers used harmless-looking spreadsheets that trigger the exploit when the targeted user clicks on a cell.


According to ESET, WPS Office developer Kingsoft silently patched the zero-day in March 2024, when it released version 12.1.0.16412. Versions of the software released since August 2023 were impacted, but only on Windows. 

During its analysis of CVE-2024-7262, ESET discovered that Kingsoft had only addressed part of the faulty code and the vulnerability was still exploitable. The vendor then released a patch for this second issue, which is tracked as CVE-2024-7263.
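The two paragraphs above give a practitioner exactly the facts needed for a fleet check: the CVE-2024-7262 fix shipped in WPS Office 12.1.0.16412, only Windows builds were affected, and that version still leaves CVE-2024-7263 open until the later patch. The script below is an added example, not code from SecurityWeek, ESET or Kingsoft. It triages a constructed inventory against those facts, and its one non-obvious point is that build numbers such as 16412 must be compared numerically, since a plain string comparison ranks "12.1.0.9999" above "12.1.0.16412". The article does not state which version fixes CVE-2024-7263, so that threshold is an optional caller-supplied parameter (an assumption the caller fills in from the vendor's release notes), and anything below 12.1.0.16412 is reported as "below-7262-fix" rather than asserted vulnerable, because the article only says builds released since August 2023 were affected and gives no version number for that cut-off.

```python
"""Triage WPS Office for Windows installs against the CVE-2024-7262 / CVE-2024-7263 fixes.

Added example; not part of the SecurityWeek article or ESET's research.
Facts taken from the article: the CVE-2024-7262 fix is version 12.1.0.16412,
only Windows builds were affected, and that version does not fix CVE-2024-7263.
The inventory below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CVE_2024_7262_FIX = "12.1.0.16412"  # stated in the article


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    wps_version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so comparison is numeric per component."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b. Shorter tuples are right-padded with zeros ('12.1' == '12.1.0.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def assess(host: Host, second_fix: Optional[str] = None) -> str:
    """Classify one host. second_fix is the (assumed, caller-supplied) version
    that fixes CVE-2024-7263; the article does not name it."""
    if host.os.lower() != "windows":
        return "not-windows"              # article: only Windows builds affected
    if version_lt(host.wps_version, CVE_2024_7262_FIX):
        return "below-7262-fix"           # neither CVE addressed; review/patch
    if second_fix is None:
        return "7263-unknown"             # 7262 fixed, 7263 threshold not supplied
    if version_lt(host.wps_version, second_fix):
        return "below-7263-fix"           # partial fix only (CVE-2024-7263 open)
    return "patched"


def triage(inventory: List[Host], second_fix: Optional[str] = None) -> Dict[str, str]:
    """Map host name -> status for a whole inventory."""
    return {h.name: assess(h, second_fix) for h in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("ws-01", "Windows", "12.1.0.9999"),   # string compare would wrongly rank this as newer
    Host("ws-02", "Windows", "12.1.0.16412"),  # has the 7262 fix only
    Host("ws-03", "Windows", "12.2.0.1"),
    Host("mac-01", "macOS", "6.0.0"),
]

if __name__ == "__main__":
    # Without the second threshold, 12.1.0.16412 can only be reported as "7263-unknown".
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Feed `triage` a list built from your own software-inventory export; once the vendor's release notes give you the CVE-2024-7263 fix version, pass it as `second_fix` to turn the "7263-unknown" results into a definite verdict.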

WPS Office is a popular office suite, with more than 500 million active users worldwide, according to the official website. This can make it a valuable target for exploit developers. 

ESET has provided technical details, as well as indicators of compromise (IoCs), for the APT-C-60 attacks. 

Related: Malware Delivered via Malicious Pidgin Plugin, Signal Fork

Related: China’s Volt Typhoon Hackers Caught Exploiting Zero-Day in Servers Used by ISPs, MSPs

Related: China-Linked ‘Velvet Ant’ Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
