Cyber Espionage Campaign Exploits Zero-Day Vulnerabilities in WPS Office to Spread SpyGlace Backdoor



Introduction

A new cyber espionage campaign, allegedly aligned with South Korean interests, has come to light, exploiting critical vulnerabilities in the popular office suite, Kingsoft WPS Office. The primary target of this campaign appears to be users in China and East Asia, with a sophisticated attack designed to deploy a custom backdoor known as SpyGlace. The attack leverages a zero-day vulnerability that has since been patched, but not before causing significant damage. This article delves into the nature of the vulnerabilities, the tactics used by the threat group APT-C-60, and the wider implications of the attack.

APT-C-60 and the Exploited Vulnerabilities

The cyber espionage group APT-C-60 has been linked to the exploitation of two critical vulnerabilities within Kingsoft WPS Office. These flaws, tracked as CVE-2024-7262 and CVE-2024-7263, both carry a CVSS severity score of 9.3, underscoring their high risk. The primary flaw stems from insufficient validation of file paths provided by users, which opens the door for attackers to supply malicious Windows libraries (DLLs) for loading and thereby achieve remote code execution.
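The bug class described above is a missing check on a user-controlled path that the application later hands to the Windows library loader. The following is an added example, not Kingsoft's code and not the actual patch for either CVE: a generic allow-list check that rejects URL schemes, UNC and device paths, rooted or drive-qualified paths, traversal out of the plugin directory, sub-directories, alternate data streams and non-.dll names. The base directory and file names are assumptions chosen for illustration; `ntpath` is used so the Windows path semantics apply wherever the script runs.

```python
"""Added example, not Kingsoft's or any vendor's code: a generic allow-list
check for a user-supplied library path before it reaches a Windows loader.
The base directory below is an assumption, not a real product path."""
import ntpath

# Constructed allow-list: the only directory libraries may be loaded from.
ALLOWED_BASE = r"C:\Program Files\ExampleApp\plugins"  # assumption, not a real product path
ALLOWED_EXT = {".dll"}


def is_safe_library_path(user_path: str, base: str = ALLOWED_BASE) -> bool:
    """Return True only if user_path names a .dll directly inside base.

    Rejects URL schemes, UNC and device paths, drive or rooted paths,
    traversal that escapes base, sub-directories, alternate data streams
    and non-.dll names.
    """
    if not user_path or "\x00" in user_path:
        return False
    lowered = user_path.lower()
    # A URL (http://, file://, a custom scheme) is not a local file name.
    if "://" in lowered:
        return False
    # UNC (\\server\share) and device (\\.\, \\?\) prefixes, or the forward-slash variant.
    if lowered.startswith(("\\\\", "//")):
        return False
    # Drive letters, rooted paths and NTFS alternate data streams use ':' or a leading separator.
    if ":" in user_path or user_path[0] in "\\/" or ntpath.isabs(user_path):
        return False
    base_norm = ntpath.normpath(base).lower()
    candidate = ntpath.normpath(ntpath.join(base, user_path)).lower()
    # After collapsing '..', the result must still sit inside base ...
    try:
        if ntpath.commonpath([base_norm, candidate]) != base_norm:
            return False
    except ValueError:  # different drives or mixed absolute/relative paths
        return False
    # ... and directly inside it, not in a sub-directory.
    if ntpath.dirname(candidate) != base_norm:
        return False
    # Extension allow-list; a trailing dot or space (which Windows strips) fails here too.
    return ntpath.splitext(candidate)[1] in ALLOWED_EXT


if __name__ == "__main__":
    # Constructed inputs exercising each rejection branch plus one accepted name.
    for p in ["helper.dll", "..\\..\\evil.dll", "\\\\attacker\\share\\evil.dll",
              "C:\\Windows\\System32\\evil.dll", "sub\\helper.dll", "helper.dll:ads",
              "helper.dll.", "helper.exe"]:
        print(f"{p!r:40} -> {'allowed' if is_safe_library_path(p) else 'rejected'}")
```

The check is deliberately an allow-list: rather than enumerating known-bad patterns, it normalises the path and accepts it only when the result is exactly one `.dll` file name sitting directly in the expected directory.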

The attackers weaponized these vulnerabilities by developing a one-click exploit. This method was hidden within a seemingly harmless spreadsheet uploaded to VirusTotal in early 2024. The spreadsheet contained a malicious link embedded in an image that mimicked the spreadsheet’s grid, convincing users that they were interacting with a legitimate document. Once clicked, the link triggered a multi-stage infection that deployed the SpyGlace backdoor, a malicious DLL file known as TaskControler.dll.
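A spreadsheet hyperlink hidden behind a picture is still recorded as an ordinary relationship inside the .xlsx package, so a defender can inventory such links without opening the file in an office suite. The following is an added example, not from the article or from any vendor: it walks every `.rels` part of an OOXML package, lists each hyperlink relationship, and flags targets whose URL scheme is not one a spreadsheet normally carries (http, https, mailto) or that point at a `.dll`. The package is constructed in memory with made-up targets so the script runs offline; the relationship type URIs are the standard OOXML ones.

```python
"""Added example, not from the original article or from any vendor: inventory
every hyperlink relationship inside an OOXML spreadsheet package (.xlsx) and
flag targets whose URL scheme is unexpected. Hyperlinks attached to pictures
live in xl/drawings/_rels/, which is where a link hidden behind an image
appears. The package below is constructed in memory so the script runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
EXPECTED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample parts; the targets are placeholders, not real indicators.
DRAWING_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.png"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="customscheme://example.invalid/stage1/payload.dll" TargetMode="External"/>
</Relationships>"""

SHEET_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/quarterly-report" TargetMode="External"/>
</Relationships>"""


def build_sample_package() -> bytes:
    """Constructed sample: only the two relationship parts the scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", DRAWING_RELS)
        z.writestr("xl/worksheets/_rels/sheet1.xml.rels", SHEET_RELS)
    return buf.getvalue()


def hyperlink_inventory(package: bytes) -> list:
    """Return one record per hyperlink relationship found in any .rels part."""
    records = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in sorted(z.namelist()):
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != HYPERLINK_TYPE:
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                records.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "target": target,
                    "scheme": scheme,
                    "attached_to_image": "/drawings/" in name,
                    # Anything outside the expected schemes, or pointing at a library, needs review.
                    "suspicious": scheme not in EXPECTED_SCHEMES or target.lower().endswith(".dll"),
                })
    return records


def suspicious_links(package: bytes) -> list:
    """Subset of the inventory that an analyst should look at first."""
    return [r for r in hyperlink_inventory(package) if r["suspicious"]]


if __name__ == "__main__":
    for r in hyperlink_inventory(build_sample_package()):
        flag = "REVIEW" if r["suspicious"] else "ok"
        print(f"{flag:6} {r['part']} {r['id']} scheme={r['scheme']!r} target={r['target']}")
```

Run against a real file by replacing `build_sample_package()` with the bytes of the .xlsx on disk; a hyperlink whose relationship sits under `xl/drawings/` is one the user would reach by clicking a picture rather than a cell, which is exactly the placement worth a second look.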

The SpyGlace Backdoor: Stealth and Deception

SpyGlace is a sophisticated backdoor with various malicious capabilities, including file theft, plugin loading, and remote command execution. Its stealthy nature and the deceptive tactics used in its delivery make it a potent weapon. By embedding the malicious hyperlink in an image that appeared as part of a spreadsheet, the attackers were able to fool users into executing the exploit unknowingly.

APT-C-60, which has been active since 2021, is believed to have been using SpyGlace in the wild as early as June 2022. The group’s ability to exploit vulnerabilities within the WPS Office platform suggests an advanced understanding of both the software's internals and the Windows operating system’s library loading mechanisms.

Broader Campaign: Attacks Beyond WPS Office

In addition to exploiting vulnerabilities in WPS Office, the APT-C-60 group has also been linked to other attacks involving malicious software plugins. One such instance involved the Pidgin messaging application, where a third-party plugin called ScreenShareOTR was found to harbor malicious code. This plugin, which claimed to offer screen-sharing functionality using the Off-The-Record (OTR) messaging protocol, instead downloaded next-stage binaries from a command-and-control (C&C) server, eventually delivering the DarkGate malware.

Further investigation revealed that a similar backdoor was embedded in another application known as Cradle, a supposed open-source fork of the popular Signal messaging app. The malicious code in this app was distributed via a PowerShell script that downloaded and executed an AutoIt script, installing DarkGate. The Linux version of the Cradle app executed similar commands, indicating the cross-platform nature of the threat.

Malicious Code Signed with Valid Certificates

A key feature of these attacks is the use of legitimate digital certificates. The installers for both the ScreenShareOTR plugin and the Cradle app were signed with a certificate issued to a Polish company, "INTERREX - SP. Z O.O." This indicates that the attackers are using sophisticated methods to mask their activities and spread malware through seemingly trustworthy software.

Conclusion

The cyber espionage activities linked to APT-C-60 reveal a highly organized and technically adept threat group. Their exploitation of zero-day vulnerabilities in widely used software like WPS Office, combined with the use of legitimate digital certificates and deceptive techniques, highlights the ongoing risks faced by users worldwide. While patches have been issued to fix these vulnerabilities, the breadth of the attacks underscores the need for continued vigilance, improved software security practices, and prompt updating of vulnerable systems to prevent future exploits.
