Operation Dragon Castling: Suspected APT Group Hijacks WPS Office Updater to Target East Asian Betting companies
Operation Dragon Castling is a suspected APT supply chain attack against East Asian betting companies that exploited a previously unknown vulnerability in WPS Office’ updater to deliver malware to target Microsoft Windows systems. In this presentation, we will discuss how we saw strange DNS resolution requests for a domain related to WPS Office, but that was not part of WPS Office’s infrastructure. Our investigation into these resolution requests showed they were being made from devices running WPS Office, devices belonging to East Asian betting companies. Seeing this, we suspected we had found a supply chain attack against WPS Office, though we were unable to identify the infection vectors at first. We investigated further and found that one of the systems issuing the unusual DNS resolution requests contained several malicious DLLs loaded by side-loading. One of these DLLs was a robust and modular core module written in C++. Aside from being used for privilege escalation and persistence, it also provided backdoor access to infected devices. After more investigating, we found two infection vectors. In the first case, the attacker sent an email with an infected installer to the support team asking them to check for a bug in their software. The second case was more interesting – we presume that the attacker hijacked the WPS updater by exploiting a previously unknown vulnerability. We discovered a new vulnerability (CVE-2022-24934) in the WPS Office updater, wpsupdate.exe. The WPS updater is a part of the WPS Office installation, which has more than 1.2 billion installations around the world. This attack showed a vulnerability that put those users at risk. We have contacted the WPS Office team about the vulnerability (CVE-2022-24934), and it has since been fixed.
Luigino Camastra is a malware researcher at Avast focused on reverse-engineering PE files, identifying malware families, and hunting advanced persistent threat groups. He holds a master degree in Computer Science from Czech Technical University in Prague. Luigino has presented his research at Virus Bulletin conferences, Avar, Botconf, MNSEC2020, and APWG. In his free time he enjoys playing futsal and CTF.
Igor Morgenstern is a senior malware researcher and reverse engineer at Avast focusing on hunting advanced persistent threat groups. Igor has presented at conferences, including MNSEC2020. Previous experience includes: vulnerability research of a variety of databases resulting in discovery of multiple zero-day vulnerabilities, computer forensics