A sophisticated cyberespionage campaign targeting East Asian countries has been uncovered, with the APT-C-60 group exploiting a zero-day vulnerability in WPS Office to deploy the notorious SpyGlace backdoor. This incident highlights the ongoing threat posed by zero-day vulnerabilities and the importance of timely patching for software users.
Researchers at ESET discovered the campaign, which involved a carefully crafted attack chain. APT-C-60, a cyberespionage group believed to be linked to South Korea, leveraged a previously unknown vulnerability (zero-day) in WPS Office, a popular office suite application widely used in East Asia.
The zero-day vulnerability, classified as CVE-2024-4167, resides in the WPS Office text rendering engine (ET Renderer). By exploiting this flaw, attackers could bypass security measures and execute arbitrary code on targeted systems. This granted APT-C-60 a foothold within the victim’s network, allowing them to deploy the next stage of their attack.
SpyGlace: Stealthy Backdoor for Espionage
Following the successful exploitation of the zero-day vulnerability, APT-C-60 deployed the SpyGlace backdoor onto compromised systems. SpyGlace is a well-documented malware known for its stealthy data exfiltration capabilities. Once installed, it can gather sensitive information from the victim’s machine, including:
- System information: Operating system details, hardware specifications, etc.
- User data: Documents, emails, browsing history, and other sensitive files.
- Network information: Network configuration details, potentially allowing lateral movement within the network.
Source: Security Affairs This stolen data can be used for various malicious purposes, such as:
- Corporate espionage: Stealing intellectual property and confidential business information.
- Targeted attacks: Gaining insights for future cyberattacks against the victim organization.
- Government surveillance: Gathering intelligence on targeted individuals or organizations.
The deployment of SpyGlace indicates APT-C-60’s intent to establish long-term persistence within compromised systems and conduct extensive espionage activities.
WPS Office Users Urged to Update Immediately
The discovery of this zero-day vulnerability and its exploitation by APT-C-60 underscores the critical need for users to prioritize software updates. Here’s what users need to do:
- Update WPS Office: The developers of WPS Office have released a patch (version 11.2.0.10221) that addresses the CVE-2024-4167 vulnerability. All users are strongly advised to update their WPS Office installations to the latest patched version immediately.
- Enable automatic updates: Consider enabling automatic updates within the WPS Office settings to ensure you receive future security patches promptly.
- Maintain security awareness: Employees should be trained to identify suspicious emails and attachments, a common tactic used by attackers to distribute malware.
Patching and Vigilance Are Key
The APT-C-60 campaign exploiting the WPS Office zero-day serves as a stark reminder of the ever-evolving cyber threat landscape. Zero-day vulnerabilities are particularly dangerous because there’s no known patch available at the time of exploitation. However, by staying vigilant and applying security updates promptly, organizations and individuals can significantly reduce their attack surface and mitigate the risks associated with such vulnerabilities.
Beyond Patching: Additional Considerations
While patching is crucial, it’s not the only defense against sophisticated cyberattacks. Here are some additional security measures to consider:
- Deploy layered security: Implement a combination of security solutions, including antivirus, endpoint detection and response (EDR), and intrusion detection/prevention systems (IDS/IPS), to create a multi-layered defense.
- Segment your network: Segmenting your network can limit the attacker’s ability to move laterally within the system if they gain initial access.
- Regular security assessments: Conduct regular security assessments to identify and address any vulnerabilities within your systems and infrastructure.
By implementing these recommendations and staying informed about the latest cyber threats, organizations and individuals can better protect themselves from falling prey to sophisticated cyberespionage campaigns like the one orchestrated by APT-C-60.
