The South Korean cyber-espionage group, known as the Apt-C-60, recently exploited a critical zero-day vulnerability in the WPS Office software package. This vulnerability allowed the attackers to remotely execute code and introduce harmful spyware, named Spyglace.
Research conducted by ESET and dbappSec revealed that the attacks targeted users in China and other East Asian countries. The vulnerability, identified as CVE-2024-7262, scored 9.3 on the CVSS scale and was due to improper file verification, allowing the download of arbitrary Windows libraries for remote code execution.
Apt-C-60 created an exploit using this vulnerability in the form of a malicious table file. This file, uploaded to Virustotal in February 2024, contained a link that, when activated, initiated a multi-layer infection process culminating in the installation of the Spyglace trojan. The file was disguised as a regular document to deceive users easily.
The Apt-C-60 group has been active since 2021, with Spyglace first appearing in June 2022. According to ThreatBook, crafting the exploit required an in-depth understanding of WPS Office’s internal workings and Windows loading mechanisms. The exploit was so sophisticated that even experienced users could be deceived.
This incident underscores the significance of regularly updating software and exercising caution when installing third-party plugins and applications.