APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor

A South Korea-aligned cyber espionage has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace.

The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users with malware.

The security flaw in question is CVE-2024-7262 (CVSS score: 9.3), which stems from a lack of proper validation of user-provided file paths. This loophole essentially allows an adversary to upload an arbitrary Windows library and achieve remote code execution.

The bug “allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe,” ESET said, adding it found another way to achieve the same effect. The second vulnerability is tracked as CVE-2024-7263 (CVSS score: 9.3).

The attack conceived by APT-C-60 weaponizes the flaw into a one-click exploit that takes the form of a booby-trapped spreadsheet document that was uploaded to VirusTotal in February 2024.

Specifically, the file comes embedded with a malicious link that, when clicked, triggers a multi-stage infection sequence to deliver the SpyGlace trojan, a DLL file named TaskControler.dll that comes with file stealing, plugin loading, and command execution capabilities.

“The exploit developers embedded a picture of the spreadsheet’s rows and columns inside the spreadsheet in order to deceive and convince the user that the document is a regular spreadsheet,” security researcher Romain Dumont said. “The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.”

APT-C-60 is believed to be active since 2021, with SpyGlace detected in the wild as far back as June 2022, according to Beijing-based cybersecurity vendor ThreatBook.

“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves,” Dumont said.

“The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.”

The disclosure comes as the Slovak cybersecurity company noted that a malicious third-party plugin for the Pidgin messaging application named ScreenShareOTR (or ss-otr) harbored code responsible for downloading next-stage binaries from a command-and-control (C&C) server, ultimately leading to the deployment of DarkGate malware.

“The functionality of the plugin, as advertised, includes screen sharing that uses the secure off-the-record messaging (OTR) protocol. However, in addition to that, the plugin contains malicious code,” ESET said. “Specifically, some versions of pidgin-screenshare.dll can download and execute a PowerShell script from the C&C server.”

The plugin, which also contains keylogger and screenshot capturing features, has since been removed from the third-party plugins list. Users who have installed the plugin are recommended to remove it with immediate effect.

ESET has since found that the same malicious backdoor code as ScreenShareOTR has also been uncovered in an app called Cradle (“cradle[.]im”) that purports to be an open-source fork of the Signal messaging app. The app has been available for download for nearly a year from September 2023.

The malicious code is downloaded by running a PowerShell script, which then fetches and executes a compiled AutoIt script that ultimately installs DarkGate. The Linux flavor of Cradle delivers an ELF executable that downloads and executes shell commands and sends the results to a remote server.

Another common indicator is that both the plugin installer and the Cradle app are signed with a valid digital certificate issued to a Polish company called “INTERREX - SP. Z O.O.,” suggesting that the perpetrators are using different methods to spread malware.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.