WPS Office flaw exploited by hackers to attack Asian betting companies

March 25, 2022

Chinese hackers have recently targeted betting companies in the Philippines, Taiwan, and Hong Kong, exploiting a WPS Office flaw to infect the targeted systems with malware.

WPS Office is a cross-platform office suite developed by a Chinese company. It was also the first word processor to support the Chinese language, hence its popularity in China and Hong Kong.

Security analysts have examined samples of the Chinese threat actors' malware tools to inspect their infection vectors and infection process.

Based on the analysis, the hackers used email phishing as their first infection vector, with an attached installer posing as a WPS Office update. However, the threat actors relied more heavily on a second infection vector in this campaign: a flaw in the WPS Office update utility, tracked as CVE-2022-24934.

Exploiting CVE-2022-24934 allows the threat actors to make the update utility communicate with a C2 server that delivers further payloads and runs code on the infected machines. To exploit the flaw successfully, the hackers need to modify a registry key under HKEY_CURRENT_USER; once that is done, they gain persistence and control over the victims' systems.

Once informed, the software firm immediately released a patch for the WPS Office flaw. However, not all users were able to apply the patch as soon as it was issued.

Compromised systems are first planted with a DLL backdoor used for C2 server communication and a dropper that gives the hackers system privileges.

Afterward, a core module called 'Proto8' is planted on the compromised systems. It runs through a four-step cascading structure: initial checks and setup of evasion mechanisms; self-updating of modules, setting up a working directory and loading configuration files; collection of sensitive data; and validation of the hardcoded C2 addresses.

Once these steps are complete, the core module waits for remote commands. These commands cover a wide range of actions, including sending the collected data to the C2 server, enumerating root disks, deleting files, and more.

The core module 'Proto8' also has a plugin loading system, and each add-on provides several functions related to persistence, security evasion, bypassing UAC, and more.

As of now, the hackers have not been identified. Still, experts assess that a Chinese APT group is behind the campaign, aiming to steal money or gather sensitive information.
