Demystifying CVE-2024-7262 and CVE-2024-7263
Analysis Summary
# Vulnerability: Arbitrary Code Execution in WPS Office via Malicious Document
## CVE Details
- CVE ID: CVE-2024-7262, CVE-2024-7263
- CVSS Score: Not stated in the source. In-the-wild exploitation that yields arbitrary code execution from a single click on a delivered document places both issues in the **High Severity** range.
- CWE: Not stated in the source. The described behaviour, a crafted document causing WPS Office to load and execute an attacker-supplied library, points to improper input validation of the hyperlink handed to the library-loading component (insufficient checks on the path of the file it loads).
## Affected Systems
- Products: WPS Office for Windows
- Versions: The source does not list version numbers. Two fixes are implied: builds released before the March 2024 fix remain vulnerable to CVE-2024-7262, and builds released before the late-May 2024 fix remain vulnerable to CVE-2024-7263.
- Configurations: Triggered by opening, in the WPS Spreadsheet application, a specially crafted MHTML file presented as an XLS spreadsheet export and containing a hidden, malicious hyperlink.
## Vulnerability Description
Both vulnerabilities reside in WPS Office for Windows and allow arbitrary code execution. CVE-2024-7262 was exploited in the wild by the threat group APT-C-60. The exploit document is an MHTML file presented as an XLS spreadsheet export. The MHTML container can reference content that WPS fetches and stores locally when the document is opened, and it also carries a crafted hyperlink that is visually hidden so the victim does not recognise it as a link. When the victim opens the document in WPS Spreadsheet and clicks the hidden link, WPS loads the attacker-controlled file as a library and executes it, giving the attacker code execution in the context of the user who opened the document. CVE-2024-7263 is a second flaw in the same component, found through root cause analysis of the first; it was needed because the initial fix for CVE-2024-7262 left the component exploitable.
## Exploitation
- Status: **Exploited in the wild** (CVE-2024-7262, by APT-C-60 against targets in East Asian countries). CVE-2024-7263 was found through root cause analysis of the first flaw; the source reports no exploitation of it.
- Complexity: **Low**. No special conditions are needed beyond delivering the document to the victim.
- User Interaction: **Required**. The victim must open the spreadsheet and click the hidden hyperlink; because the link is concealed, a click on what looks like ordinary sheet content is enough.
- Attack Vector: **Local** in CVSS terms. The document is delivered over the network (e-mail, file share, messaging), but the vulnerable code acts on a local file the user opens, which CVSS scores as AV:L with UI:R rather than AV:N.
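The attack chain above depends on two properties of the MHTML container: it can reference content the viewer fetches from the network on open, and it can carry a hyperlink that is hidden from the user and uses a scheme that is dispatched to a protocol handler rather than a browser. The following triage script is an added example (not code from the ESET report or from Kingsoft/WPS) that parses an MHTML file with the Python standard library and reports exactly those two things. The sample document, the scheme `example-proto` and the inline-style hiding heuristics are constructed for this example and are not indicators from the report.

```python
"""Triage of an MHTML document delivered as a spreadsheet (added example).

Not code from the ESET report or from Kingsoft/WPS. Parses an MHTML (MIME
HTML) container and reports: resources the viewer must fetch from the network
because they are referenced but not embedded, and hyperlinks that use an
uncommon URL scheme (handed to a protocol handler) or are hidden by inline
style. Sample document, scheme "example-proto" and hiding heuristics are
constructed for this example; they are not indicators from the report.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BROWSER_SCHEMES = {"http", "https", "mailto", ""}
HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0",
                 "font-size:1px", "opacity:0")

# Constructed sample: a spreadsheet "export" that is really an MHTML container.
SAMPLE_MHTML = """\
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_0"

------=_Part_0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/Users/user/Documents/figures.xls

<html><body>
<table><tr><td>Q1</td><td>1200</td></tr></table>
<a href="https://intranet.example/report">Full report</a>
<a href="example-proto://open?arg=1" style="font-size:1px;color:#FFFFFF">.</a>
<img src="http://files.example/logo.png">
<img src="http://files.example/extra.png">
</body></html>
------=_Part_0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://files.example/logo.png

iVBORw0KGgo=
------=_Part_0--
"""


class RefCollector(HTMLParser):
    """Collects <a href> links with their inline style, and src/href of resources."""

    def __init__(self):
        super().__init__()
        self.links = []      # (href, inline style)
        self.resources = []  # URLs the viewer will try to load on open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], a.get("style") or ""))
        elif tag in ("img", "script", "iframe", "link"):
            ref = a.get("src") or a.get("href")
            if ref:
                self.resources.append(ref)


def looks_hidden(style):
    """Heuristic: does the inline style make the element effectively invisible?"""
    compact = style.replace(" ", "").lower()
    return any(tok in compact for tok in HIDING_STYLES)


def triage_mhtml(raw):
    """Return findings as [{'href': ..., 'reasons': [...]}, ...]."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    # Content-Location of every embedded part: references to these need no fetch.
    embedded = {str(p.get("Content-Location", "")) for p in parts}
    findings = []
    for part in parts:
        if part.get_content_type() != "text/html":
            continue
        collector = RefCollector()
        collector.feed(part.get_content())
        for href, style in collector.links:
            reasons = []
            scheme = urlsplit(href).scheme.lower()
            if scheme not in BROWSER_SCHEMES:
                reasons.append(f"uncommon scheme '{scheme}' (protocol handler)")
            if looks_hidden(style):
                reasons.append("hyperlink hidden by inline style")
            if reasons:
                findings.append({"href": href, "reasons": reasons})
        for ref in collector.resources:
            if urlsplit(ref).scheme.lower() in ("http", "https") and ref not in embedded:
                findings.append({"href": ref, "reasons": ["remote resource fetched on open"]})
    return findings


if __name__ == "__main__":
    for finding in triage_mhtml(SAMPLE_MHTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the constructed sample the script reports the hidden `example-proto://` link (two reasons) and the one image that is not embedded in the container; the intranet link and the embedded logo are not reported. A real XLS is an OLE or ZIP container, so a file with an `.xls` extension that parses as MIME headers is itself a signal worth acting on.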
## Impact
- Confidentiality: High (Leads to installation of backdoor, SpyGlace/TaskControler.dll)
- Integrity: High (Arbitrary code execution allows full system compromise)
- Availability: High (Depending on subsequent malware actions, full system impact possible)
## Remediation
### Patches
- **CVE-2024-7262 and CVE-2024-7263 are reported as patched** by Kingsoft/WPS. The fix history matters for verification: the vendor patched CVE-2024-7262 silently around March 2024, but the flawed component was not fully fixed, and the remaining weakness, tracked as CVE-2024-7263, required a second fix released by the end of May 2024. A build that carries only the March fix is still vulnerable.
- Install the latest available version of WPS Office for Windows. The source document gives no version numbers, so verify against the vendor's current release rather than assuming any 2024 build is fixed.
### Workarounds
- Exercise extreme caution with MHTML files and spreadsheets received from untrusted sources, in particular files that claim to be XLS but are HTML/MHTML internally (a real Excel file is an OLE or ZIP container, not a text file starting with MIME headers).
- Where WPS Office cannot be updated promptly, blocking MHTML attachments at the mail gateway until the patched build is deployed removes the delivery vehicle used in the observed attacks.
## Detection
- **Indicators of Compromise (IoCs):**
- Malicious Exploit File (SHA-1): `7509B4C506C01627C1A4C396161D07277F044AC6` (Detected as HTML/Agent.HQ)
- Downloader Component (SHA-1): `08906644B0EF1EE6478C45A6E0DD28533A9EFC29` (Detected as Win32/TrojanDownloader.Agent.HRP)
- C&C IP Addresses: `162.222.214[.]48`, `131.153.206[.]231`
- **Detection methods and tools:** Search endpoints and file shares for the two SHA-1 hashes, and proxy/firewall logs for connections to the two C&C IP addresses (the source lists addresses only, no domains). Hash and address matches catch only the known samples; for the attack pattern itself, configure Endpoint Detection and Response (EDR) to alert when a WPS Office process loads a DLL from a user-writable location (a download cache, Temp or Downloads directory) shortly after a document is opened, since loading a freshly downloaded file as a library is the behaviour the exploit chain depends on.
## References
- ESET Research (WeLiveSecurity), "Analysis of two arbitrary code execution vulnerabilities affecting WPS Office", 28 August 2024 (primary source; follows the August 2024 CVE assignments)
- DBAPPSecurity analysis: hxxps://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew
- ThreatBook analysis: hxxps://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- ESET IoC repository: hxxps://github.com/eset/malware-ioc/tree/master/apt_c_60