APT-C-60 exploits a WPS Office vulnerability to deploy the SpyGlace backdoor

29 August 2024 | 2 minutes | Author: Newsman

A cyber espionage group linked to South Korea used a zero-day vulnerability in Kingsoft WPS Office to spread the SpyGlace backdoor. The CVE-2024-7262 vulnerability, which has already been patched, allowed remote code execution, posing a serious threat to users in China and East Asia.

APT-C-60, a cyber espionage group linked to South Korea, used a zero-day vulnerability in Kingsoft WPS Office to deploy a backdoor called SpyGlace. The vulnerability, tracked as CVE-2024-7262, is rated high severity with a CVSS score of 9.3. The attack took the form of a malicious document which, when opened, launched a multi-stage infection chain to deliver the malware.

SpyGlace, first discovered in June 2022, has extensive capabilities, including stealing files, downloading plugins, and executing commands. Other malicious activity by APT-C-60 includes exploiting vulnerabilities in messaging plugins and open-source applications to distribute DarkGate and other malware.

APT-C-60 has been active since 2021, and its activity mostly targets users in China and East Asia. The group uses both home-grown and purchased exploits to achieve its goals. In addition to CVE-2024-7262, it has also used other critical vulnerabilities, such as CVE-2024-7263, to enable its attacks. The malicious files are usually disguised as ordinary documents or as plug-ins for popular applications, which makes them especially dangerous.

Attackers continue to use sophisticated techniques to distribute malware to a wide audience. Users are strongly advised to update their software promptly and to be wary of suspicious documents and applications, especially those from untrusted sources.
