South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Earlier this year, a South Korean advanced persistent threat (APT) exploited a critical vulnerability in WPS Office to spy on high-level entities in China. It turned out not to be the only critical issue in the hugely popular office software.

WPS Office is a free-to-use competitor to Microsoft Office, with 600 million monthly active users as of this June. It's particularly widely adopted in its home country of China, where it enjoys an excess of 90% market share in mobile office software, and can be found across government agencies, telecommunications companies, and other major sectors. Just last week, when the service went down for a half day, it caused major disruptions to industry across the country.

Its ubiquity — not to mention its handling of sometimes sensitive documents — makes WPS Office an attractive target for hackers targeting Chinese organizations and individuals. Such was the case for APT-C-60 (aka Pseudo Hunter), a South Korea-aligned cyberespionage group that has previously targeted entities within Korea itself. Earlier this year, it delivered a custom backdoor dubbed "SpyGlace" to WPS users via an arbitrary code execution exploit.

According to China-based DBAPPSecurity, the aim of the campaign was to obtain intelligence on China-South Korea relations.

An RCE Bug in WPS Office

On the last day of February this year, researchers from ESET noticed a strange spreadsheet document uploaded to VirusTotal.

The spreadsheet was actually encased in an MHTML file, short for MIME encapsulation of aggregate HTML documents. MHTML is a Web archive file format used to smush all of the contents of a webpage into a single file. It can do the same for other types of content, as was the case here, where APT-C-60 used an MHTML export of a Microsoft Excel (XLS) file.

If victims opened the file, they were presented with a spreadsheet referencing the Hong Kong-based Coremail email service. Strangely, in place of normal rows and columns was an image overlay of rows and columns. A victim who tried clicking on what appeared to be a cell in fact activated the image file, which concealed a malicious link. That single click would then trigger the download of APT-C-60's malicious backdoor.

What in WPS could have allowed for such a dangerous one-click exploit?

Source: ESET

The issue lay with promecefpluginhost.exe, a plug-in component in WPS Office for Windows that did not properly validate file paths used to load plug-ins into the program. Rather than simply load malware directly via the insecure component, APT-C-60 used a custom protocol handler registered by WPS — ksoqing://, which allows for the execution of external applications — to execute wps.exe and launch promecefpluginhost.exe, tricking it into loading its insufficiently vetted malicious code in place of a legitimate plug-in.

Tracked as CVE-2024-7262, the underlying issue was given a critical 9.3 out of 10 score on the CVSS vulnerability-severity scale. It affects WPS Office for Windows from version 12.2.0.13110 — released about a year ago — to the time of its patch back in March, with version 12.1.0.16412. That, however, isn't the end of the saga.

A Second Bug in WPS Office

At some point in March, without any fanfare, WPS' developer, Kingsoft, applied a twofold fix for CVE-2024-7262.

"The first thing that they did is to check the signature of the library that will be loaded [by promecefpluginhost.exe] — that it's their own package which is signed by the company," explains Romain Dumont, malware researcher with ESET, which released a blog post on the double-fix on Aug. 28. "And then they tried to sanitize one of the parameters that was vulnerable, but they missed another parameter that allows the same type of vulnerability."

By the end of April, not only was CVE-2024-7262 still being actively exploited, but the other improperly sanitized parameter had not been addressed. Now tracked as CVE-2024-7263, the latter issue earned its own critical 9.3 severity rating. Dumont assesses that it was likely patched at some point during the spring.

With both critical bugs now being accounted for, Dumont urges all WPS users to patch immediately. "This vulnerability is triggered by a single click inside of the application on the hidden hyperlink," he says. "Try to keep your computer updated, and be cautious."