Experts have revealed the mechanism of remote code execution through office software.
A South Korean cyberespionage group known as APT-C-60 has recently been linked to exploiting a critical zero-day vulnerability in the WPS Office office suite. This vulnerability allows attackers to remotely execute code and inject malware dubbed SpyGlace.
Research conducted by ESET and DBAPPSecurity showed that the attacks targeted users from China and other East Asian countries. The vulnerability, identified as CVE-2024-7262 with a CVSS base score of 9.3, is related to improper validation of user-provided file paths. This opened up the possibility of loading an arbitrary Windows library and executing remote code.
APT-C-60 has developed an exploit that exploits this vulnerability in the form of a malicious table file. This file was uploaded to VirusTotal in February 2024 and contained a link that, when activated, would trigger a multi-layered infection process leading to the installation of the SpyGlace Trojan. The malicious file was disguised as a regular document, which made it easy to deceive the user.
The APT-C-60 group has been active since 2021, and the SpyGlace malware was first spotted in June 2022. According to ThreatBook, the exploit required in-depth knowledge of the internal workings of WPS Office and the peculiarities of booting Windows. The exploit itself is so convincing that it can fool even experienced users.
Kingsoft, the company responsible for the development of WPS Office, announced that it has already fixed the vulnerability in one of the latest updates. Users are urged to make sure that the software is updated to the latest version, avoid opening suspicious files, and be careful when dealing with documents from unknown sources.
The detection of this threat highlights the importance of regular software updates and caution when installing third-party plugins and applications.
Source