Gandalf_The_Grey
Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,260
An unknown Chinese-speaking threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines, leveraging a vulnerability in WPS Office to plant a backdoor on the targeted systems.
The adversary appears to be sophisticated, and its toolset features code similarities to APT group backdoors analyzed in two 2015 and 2017 reports by Palo Alto and BlackBerry, respectively.
The newest campaign was spotted by researchers at Avast, who have sampled several malware tools from the threat actors, who have compiled a rich, modular toolset.
The first infection vector used in this campaign is an email with a laced installer that pretends to be a critical WPS Office update, but in most attacks, the threat actors use a different method.
The second infection vector, which is predominately used in this campaign, is leveraging CVE-2022-24934, a vulnerability in the WPS Office updater utility.
WPS Office (formerly Kingsoft Office) is a cross-platform office suite with over 1.2 billion installations. Its use is prevalent in Hong Kong and China because it is historically the first word processor to support the Chinese language.
Exploit of CVE-2022-24934 leads to establishing a communication channel with the C2, fetching additional payloads, and running code on the compromised machine.
“To exploit the vulnerability, a registry key under HKEY_CURRENT_USER needs to be modified, and by doing this an attacker gains persistence on the system and control over the update process,” explains Avast in its technical report.
Avast informed the software vendor about the vulnerability, which enables the actors to execute code arbitrarily, and although a patch has been issued, not everyone has applied the security update yet.