Recently, ESET security researchers exposed APT-C-60, a South Korea-aligned cyber espionage group, exploiting a vulnerability in the Windows version of WPS Office to carry out espionage against users in East Asia.
During the investigation, ESET security researchers discovered that the South Korea-aligned APT-C-60 hacking group exploited a zero-day code execution vulnerability (CVE-2024-7262) in the Windows version of WPS Office. Both CVE-2024-7262 and CVE-2024-7263 can be exploited through a malicious URL to execute an external application from within a document: WPS Office's improper handling of a custom protocol handler lets an attacker use a crafted URL embedded in the document to launch an external application. CVE-2024-7263 is the result of Kingsoft's incomplete patch for CVE-2024-7262, in which some parameters were still not fully validated, allowing the vulnerability to be exploited again.
The group created WPS documents (such as DOC, DOCX, XLS and XLSX files) containing malicious hyperlinks hidden under decoy images. Once the user clicks one of these links, a specific plugin host (promecefpluginhost.exe) is executed and loads a malicious DLL file (ksojscore.dll), which ultimately downloads and executes the SpyGlace backdoor. With the SpyGlace backdoor, the attackers can remotely control the victim's computer, steal sensitive information, monitor network communication and carry out other malicious activities such as data destruction. These activities pose a serious threat to the victims' business operations, data security and personal privacy.
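As an added defender-side example (not code from ESET or from the original article), the script below unpacks an OOXML document in memory and lists every external hyperlink whose URL scheme is not an ordinary web or mail scheme. This matches the lure described above: a hyperlink, whether on text or hidden under an image, whose target is a custom protocol handler rather than an http(s) link. Both kinds of hyperlink are stored as package relationships of type ".../hyperlink", so scanning the .rels parts covers them; the sample document and the "customscheme://" target are constructed test input, not a real lure.

```python
# Added example: flag OOXML (DOCX/XLSX/PPTX) hyperlinks that use an unusual URL scheme.
import io
import zipfile
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
BENIGN_SCHEMES = {"http", "https", "mailto"}


def find_unusual_hyperlinks(ooxml_bytes):
    """Return [(rels_part, target, scheme)] for every external hyperlink
    relationship whose scheme is not in BENIGN_SCHEMES."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry hyperlink targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if not rel.get("Type", "").endswith("/hyperlink"):
                    continue
                if rel.get("TargetMode") != "External":
                    continue  # internal anchors (bookmarks) are not of interest
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                if scheme not in BENIGN_SCHEMES:
                    hits.append((name, target, scheme))
    return hits


def build_sample_docx(link_target):
    """Constructed test input: a minimal DOCX whose document part carries
    one external hyperlink relationship pointing at link_target."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        f'Target={quoteattr(link_target)} TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_unusual_hyperlinks(build_sample_docx("customscheme://run?x=1")):
        print("suspicious hyperlink:", hit)
```

A hit is a triage signal, not proof of malice: legitimate documents occasionally use file: or other non-web schemes, so review the target before acting on it.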
The ESET company
WPS Office has a wide user base in Asia, with over 500 million active users worldwide. This APT-C-60 attack campaign mainly targeted systems in East Asia, especially organizations and individuals that use WPS Office. These targets may include government agencies, enterprises and research institutions, whose sensitive data is the main thing the attackers aim to steal. During the investigation, ESET security researchers discovered these two vulnerabilities and contacted Kingsoft. Kingsoft fixed the vulnerabilities in subsequent versions but did not initially disclose that CVE-2024-7262 was being exploited in the wild. Because in-the-wild exploitation of this vulnerability increases the risk of further abuse, ESET ultimately decided to publish a blog post to warn users.
ESET is a globally renowned computer security software company headquartered in Bratislava, Slovakia, founded in 1992. In English, ESET can be read as Essential Solution Against Evolving Threats. Its main business is Internet security products, and its best-known product is the NOD32 antivirus software. It is dedicated to cybersecurity research, with 13 research and development centers and hundreds of experts worldwide. Besides serving individual users, it also provides comprehensive security solutions for enterprises, including antivirus, anti-spyware, firewall and other functions.
APT-C-60 exploits WPS security vulnerabilities
According to ESET, the mastermind behind this attack campaign, APT-C-60, is a cyber espionage group associated with South Korea. "APT" stands for "Advanced Persistent Threat": this type of threat is typically highly concealed, persistent and targeted, and can lurk in a target network for a long time, stealing sensitive information or engaging in other malicious activities. Such groups usually have clear intelligence-gathering goals and strong target-penetration capabilities, and using software vulnerabilities for espionage is one of their common methods.
This incident is a warning that the cybersecurity situation is becoming increasingly severe, and that cyber espionage groups are constantly searching for new vulnerabilities and more efficient attack methods. Any software may contain security vulnerabilities. Enterprises and organizations need to strengthen their network security architecture and management, improve their defensive capabilities, and safeguard business operations and data security. Software service providers should deploy comprehensive security measures, including firewalls, intrusion detection systems and endpoint security solutions, to guard against potential threats.
For ordinary users, it is still necessary to remain vigilant when using popular office software, regularly update office software and other commonly used software to obtain the latest security patches and protection features. For documents and links from unknown sources, users should remain highly vigilant and avoid opening or clicking on them at will to prevent potential security threats.