August 28, 2024 at 10:33AM
APT-C-60, a threat actor linked to South Korea, has exploited a critical remote code execution flaw in Kingsoft WPS Office as a zero-day to deploy a backdoor called SpyGlace. The campaign targeted Chinese and East Asian users with a one-click exploit delivered in a booby-trapped spreadsheet document. APT-C-60 has been active since 2021, and the aim of this activity is to infect victims with the SpyGlace trojan.
The flaw is tracked as CVE-2024-7262 and allowed arbitrary Windows library upload and remote code execution. It was exploited via a booby-trapped spreadsheet document containing a malicious link; clicking the link triggers a multi-stage infection sequence that ultimately delivers the SpyGlace trojan.
APT-C-60 used deceptive tactics together with detailed knowledge of the application's internals and of the Windows library loading process to carry out the exploit. Separately, a malicious third-party plugin for the Pidgin messaging application, named ScreenShareOTR, was found to contain code that downloads next-stage binaries from a command-and-control server, leading to the deployment of DarkGate malware.
It’s important to note that the malicious plugin has been removed from the third-party plugins list, and users are advised to remove it immediately.
Both cases highlight significant cybersecurity vulnerabilities and attacks, and underline the importance of proactive measures, such as prompt patching of WPS Office and removal of the ScreenShareOTR plugin, to mitigate such threats.