Thought Leadership
The IT security provider ESET has discovered two security vulnerabilities in the Microsoft Office alternative WPS Office for Windows. The vulnerability CVE-2024-7262 in the Office application enabled the hacker group APT-C-60 to use an exploit to execute foreign code on its victims’ devices.
Connections to South Korea are attributed to the group. As things stand, only users in East Asian countries were affected. In China, the hackers used an exploit to infect devices with malware. The second vulnerability, CVE-2024-7263, has probably not yet been actively exploited.
Both vulnerabilities have existed since August 2023 and were closed by Kingsoft, the company behind WPS Office, in May of this year.
“Around 500 million people worldwide use WPS Office. This makes it an excellent target for cybercriminals to reach as many potential victims as possible, especially in the East Asian region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities.
This is how sneaky the hacker group was
The attack begins with a table document that has been exported from the familiar XLS format to the more exotic MHTML format. A special hyperlink is hidden in this table: the hackers integrated an image of rows and columns of the user interface and inserted it seamlessly into the document. The image contained a hyperlink that would execute any program library when clicked.
At the same time, the attackers benefited from the choice of a rather unconventional file format: MHTML allows additional data to be downloaded and saved immediately when such a file is opened. This means that as soon as the user opens the malicious file with WPS Office, they unknowingly save a program library on their computer. If the user then clicks on the image that actually contains the hyperlink, the device executes the program library. This then enables the execution of further programs, such as malware.
“The hacker group was extremely meticulous in its approach. Regardless of whether the group developed or bought the exploit for CVE-2024-7262: In either case, a certain amount of research into how the application works was just as necessary as detailed knowledge of the Windows loading process,” adds Dumont.
What is WPS Office?
WPS Office is an office package that is available for various operating systems, including Microsoft Windows, Apple iOS, MacOS and Android. The Chinese company Kingsoft Corporation develops and distributes the solution. The application has around 500 million users worldwide and offers various functions such as a program for text editing, spreadsheets and presentation creation.
ESET strongly advises users of WPS Office for Windows to update their software to the latest version.
(lb/ESET)
