Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

APT

South Korea-linked group APT-C-60 exploited a WPS Office zero-day

South Korea-linked group APT-C-60 exploited a zero-day in the Windows version of WPS Office to target East Asian countries. South Korea-linked group APT-C-60 exploited a zero-day, tracked as CVE⁠-⁠2024⁠-⁠7262, in the Windows version of WPS Office to deploy the SpyGlace backdoor in the systems on targets in East Asia. WPS Office is a comprehensive office […]

WPS Office

South Korea-linked group APT-C-60 exploited a zero-day in the Windows version of WPS Office to target East Asian countries.

South Korea-linked group APT-C-60 exploited a zero-day, tracked as CVE⁠-⁠2024⁠-⁠7262, in the Windows version of WPS Office to deploy the SpyGlace backdoor in the systems on targets in East Asia.

WPS Office is a comprehensive office productivity suite developed by Chinese software company Kingsoft and is widely used in Asia. It provides users with a range of tools for creating, editing, and managing documents, spreadsheets, presentations, and PDFs.

According to the WPS website, WPS Office has over 500 million active users worldwide, 

ESET researchers discovered the vulnerability in WPS Office for Windows along with another way to exploit the flaw CVE-2924-7263.

 The SpyGlace backdoor was publicly detailed by ThreatBook as TaskControler.dll.

The flaw stems from improper validation and sanitization of URLs in WPS Office, allowing attackers to create malicious hyperlinks.

The root cause analysis reveals that when WPS Office for Windows is installed, it registers a custom protocol handler called ksoqing. This handler allows the execution of an external application whenever a user clicks on a URL starting with the ksoqing:// URI scheme. In Windows, this registration is done in the system registry. Specifically, the registry key HKCR\ksoqing\shell\open\command is configured to execute a specific WPS Office executable (wps.exe) with an argument that includes the full URL. This mechanism enables the WPS Spreadsheet application to launch external applications when users interact with hyperlinks using the ksoqing protocol.

APT-C-60’s attack involves processing URL parameters that include a base64-encoded command to execute a specific plugin, leading to the loading of a malicious DLL used as a loader for the custom backdoor “SpyGlace” from the attacker’s server. SpyGlace has been used by APT-C-60 in previous attacks targeting human resources and trade-related organizations.

WPS Office

Users are strongly advised to update to the latest version of WPSOffice, at least 12.2.0.17119, to mitigate these code execution vulnerabilities. ESET highlighted the exploit’s effectiveness, noting its ability to deceive users with a legitimate-looking spreadsheet and its use of the MHTML file format to turn a code execution flaw into a remote exploit.

The researchers published a list of indicators of compromise related to APT-C-60 campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Zero-day)