ESET researchers analyzed two arbitrary-code-execution vulnerabilities in WPS Office (CVE-2024-7262 and CVE-2024-7263) exploited by APT-C-60 to target East Asia, including details on the root cause and on how the bug was weaponized. They emphasize updating WPS Office to mitigate active in-the-wild exploitation.
Key points
- APT-C-60 weaponized a code execution vulnerability in WPS Office for Windows (CVE-2024-7262) to target East Asian nations.
- The analysis provides a root-cause view of the vulnerability and how it was weaponized, including the use of a crafted hyperlink inside an MHTML document.
- ESET researchers uncovered an alternative exploitation path leading to CVE-2024-7263.
- Both vulnerabilities were confirmed to be actively exploited in the wild before patches were applied.
- Kingsoft/WPS Office patches were released; users are strongly advised to update to the latest version.
- The attack chain uses a custom protocol handler (ksoqing) and a remote DLL-loading mechanism via WPS components.
- IOCs and MITRE ATT&CK mappings illustrate the operational behavior and infrastructure used by APT-C-60.
MITRE Techniques
- [T1583] Domains: APT-C-60 acquired a domain name for its C&C server.
- [T1583.004] Server: APT-C-60 acquired a server for its C&C.
- [T1608.001] Upload Malware: APT-C-60's next stages were uploaded to its C&C server.
- [T1587.004] Exploits: APT-C-60 developed or purchased an exploit for CVE-2024-7262.
- [T1203] Exploitation for Client Execution: APT-C-60 exploited CVE-2024-7262 to achieve execution.
- [T1204.001] Malicious Link: the exploit used by APT-C-60 requires a click on a hyperlink.
Indicators of Compromise
- [SHA-1] 7509B4C506C01627C1A4C396161D07277F044AC6: input.htm, MHTML-formatted WPS Spreadsheet exploit for CVE-2024-7262.
- [SHA-1] 08906644B0EF1EE6478C45A6E0DD28533A9EFC29: WPS_TEST_DLL.dll, downloader component.
- [Domain] rammenale.com: C2 domain hosting next stages (first seen 2024-03-08).
- [IP] 162.222.214.48: C2 server hosting next stages (first seen 2024-03-08).
- [IP] 131.153.206.231: C2 server hosting next stages (first seen 2024-03-08).
- [File] input.htm: MHTML exploit document used to trigger CVE-2024-7262.
- [File] WPS_TEST_DLL.dll: downloader component referenced in the payload chain.