APT-C-60 Group Exploits WPS Office Flaw to Deploy SpyGlace Backdoor

Aug 28, 2024 | Ravie Lakshmanan | Cyber Attack / Vulnerability

A South Korea-aligned cyber espionage group has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace.

The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users with malware.

The security flaw in question is CVE-2024-7262 (CVSS score: 9.3), which stems from a lack of proper validation of user-provided file paths. This loophole essentially allows an adversary to upload an arbitrary Windows library and achieve remote code execution.

The bug "allows code execution via hijacking the control flow of the WPS Office plugin component promecefpluginhost.exe," ESET said, adding it found another way to achieve the same effect. The second vulnerability is tracked as CVE-2024-7263 (CVSS score: 9.3).
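The flaw class described above, a user-supplied file path that is accepted without validation and then loaded as a library, is illustrated by the following added example from a defender's side. It is not WPS Office's code: the plugin directory is an assumed placeholder, and the function shows the checks such a loader must apply before handing a path to the Windows loader (Windows path rules are applied via `ntpath` so the check behaves the same on any host).

```python
import ntpath
from typing import Optional

# Assumed plugin directory; a placeholder, not the real WPS Office layout.
PLUGIN_DIR = r"C:\Program Files\ExampleSuite\plugins"


def validate_library_path(user_path: str, plugin_dir: str = PLUGIN_DIR) -> Optional[str]:
    """Return a canonical path inside plugin_dir, or None if the request is rejected.

    The vulnerable pattern is LoadLibrary(user_supplied_path) with no check at all;
    this function is the validation that pattern lacks. A fixed allowlist of
    expected DLL names would be stronger still, but the containment check alone
    already stops the cases below.
    """
    if not user_path or "\x00" in user_path:
        return None
    # Reject anything rooted outside the plugin directory: drive letters,
    # drive-relative names (C:x.dll), rooted paths and UNC shares
    # (\\host\share\x.dll), which would let a remotely hosted DLL be loaded.
    if ntpath.splitdrive(user_path)[0] or user_path.startswith(("\\", "/")):
        return None
    # Only a DLL file name is expected here.
    if not user_path.lower().endswith(".dll"):
        return None
    # Normalise (collapses ".." and "/" separators) and confirm the result
    # still sits strictly under plugin_dir, comparing case-insensitively.
    base = ntpath.normpath(plugin_dir).lower()
    full = ntpath.normpath(ntpath.join(plugin_dir, user_path))
    if not full.lower().startswith(base + "\\"):
        return None
    return full


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several that must be refused.
    for candidate in ["helper.dll", r"..\..\evil.dll", r"\\evil-host\share\x.dll",
                      r"C:\Windows\Temp\x.dll", "helper.txt"]:
        print(repr(candidate), "->", validate_library_path(candidate))
```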

The attack conceived by APT-C-60 weaponizes the flaw into a one-click exploit that takes the form of a booby-trapped spreadsheet document that was uploaded to VirusTotal in February 2024.

Specifically, the file comes embedded with a malicious hyperlink that, when clicked, triggers a multi-stage infection sequence to deliver the SpyGlace trojan, a DLL file named TaskControler.dll that comes with file stealing, plugin loading, and command execution capabilities.

"The exploit developers embedded a picture of the spreadsheet's rows and columns inside the spreadsheet in order to deceive and convince the user that the document is a regular spreadsheet," security researcher Romain Dumont said. "The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit."

APT-C-60 is believed to have been active since 2021, with SpyGlace detected in the wild as far back as June 2022, according to Beijing-based cybersecurity vendor ThreatBook.

"Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves," Dumont said.

"The exploit is cunning as it is deceptive enough to trick any user into clicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one."

The disclosure comes as the Slovak cybersecurity company noted that a malicious third-party plugin for the Pidgin messaging application named ScreenShareOTR (or ss-otr) harbored code responsible for downloading next-stage binaries from a command-and-control (C&C) server, ultimately leading to the deployment of DarkGate malware.

"The functionality of the plugin, as advertised, includes screen sharing that uses the secure off-the-record messaging (OTR) protocol. However, in addition to that, the plugin contains malicious code," ESET said. "Specifically, some versions of pidgin-screenshare.dll can download and execute a PowerShell script from the C&C server."

The plugin, which also contains keylogger and screenshot capturing features, has since been removed from the third-party plugins list. Users who have installed the plugin are recommended to remove it with immediate effect.

ESET has since found that the same malicious backdoor code as ScreenShareOTR has also been uncovered in an app called Cradle ("cradle[.]im") that purports to be an open-source fork of the Signal messaging app. The app has been available for download for nearly a year, since September 2023.

The malicious code is downloaded by running a PowerShell script, which then fetches and executes a compiled AutoIt script that ultimately installs DarkGate. The Linux flavor of Cradle delivers an ELF executable that downloads and executes shell commands and sends the results to a remote server.

Another common indicator is that both the plugin installer and the Cradle app are signed with a valid digital certificate issued to a Polish company called "INTERREX – SP. Z O.O.," indicating that the perpetrators are using different methods to spread malware.