WPS Office acting as drive-by malware
Posted by Intelligent_Stay_628@reddit | sysadmin | 8 comments
We've had a couple of users at my MSP report that, after they downloaded files created in WPS Office or visited its website, the WPS Office suite installed itself on their machine and set itself as default - without admin passwords/elevation, or even the user noticing at all until they tried to open another file of the same type. So far, the only Microsoft response I can see involves them just telling users to change the default app back again.
Has anyone else seen this, and if so, is there anything available to block it?
realxeltos@reddit
Sadly the state of office suites is terrible.
MS Office: Not available for Linux. But is stable and has many features not available in other suites. Like PowerPoint has so many transitions and animations.
LibreOffice: So many issues on Linux and in the suite itself. Like when copy-pasting text from outside of the program, it will keep the source formatting, not auto-adjust to the destination formatting. It can't open GNOME-linked Google Drive files, giving an error that another program is using the file. Only allowing me to open either read-only or as a copy. Also has extension support, but I wish they could add effects/transitions to presentation files.
WPS Office: Stable and very good office suite, but super sketchy, untrustworthy company. No extension support.
Other options:
CyrFR@reddit
A lot of low-budget smartphones have WPS pre-installed. Users can use it to scan documents. There is a function to send them.
But it doesn't send the document. A customized link to the WPS website is sent. When our users click on it on Windows, they think it downloads the document, but it's an exe to install WPS.
WPS is installed in AppData and doesn't request admin.
But when you try to uninstall, it requests elevation, so you can't uninstall.
It's a Chinese?/Russian?/Singapore? company, we don't know. We decided to ban this app.
RMS-Tom@reddit
Ahh, right so it's a typical "it installed itself" but really the user installed it, situation
smargh@reddit
WPS Office has a very effective installer. It's basically designed to fully complete within environments where DNS is entirely non-functional or blocked, intentionally or otherwise.
The installer has fallback IPs to use, and my memory is hazy but I think it tries to use its own DoH, similar to how the Telegram installer works.
So I'm not surprised that it doesn't prompt for elevation.
The solution is an app control mechanism: AppLocker, Airlock Digital, etc.
RMS-Tom@reddit
I have also seen this a few times. Not tracked it down, but one would assume it's a semi-malicious macro in certain documents, though we generally block .docm in emails, so odd.
For blocking, it massively depends on your setup and what tools you employ to manage software.
Chronoltith@reddit
Sounds like the application is installing under the user's AppData structure which may not need local admin rights.
dean771@reddit
WPS installs as a user; it can be blocked the same way as all such apps.
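Added example, not part of the thread or any commenter's own code: a PowerShell audit for the per-user installs described in the comments above (software registered under a user's profile without elevation), useful for scoping affected machines before rolling out app control. The `*WPS Office*` display-name pattern and the reliance on a per-user Uninstall registry entry are assumptions to confirm on an affected machine.

```powershell
# Audit per-user software installs registered in each loaded user hive.
# Run elevated to read other users' hives; only logged-on (loaded) profiles are covered.
param(
    # Assumed display name; check an affected machine and adjust.
    [string]$NamePattern = '*WPS Office*'
)

$uninstallSubKey = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'

# Real user SIDs only (S-1-5-21-...), skipping the *_Classes companion hives.
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

$findings = foreach ($hive in $userHives) {
    $sid     = $hive.PSChildName
    $keyPath = "Registry::HKEY_USERS\$sid\$uninstallSubKey"
    if (-not (Test-Path -Path $keyPath)) { continue }

    # Resolve the SID to an account name; fall back to the SID for orphaned profiles.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $sid
    }

    Get-ChildItem -Path $keyPath -ErrorAction SilentlyContinue | ForEach-Object {
        $entry = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($entry.DisplayName -like $NamePattern) {
            [pscustomobject]@{
                User            = $account
                DisplayName     = $entry.DisplayName
                Publisher       = $entry.Publisher
                InstallLocation = $entry.InstallLocation
                UninstallString = $entry.UninstallString
                # True when the install or its uninstaller lives under a user's AppData.
                InAppData       = ($entry.InstallLocation -like '*\AppData\*') -or
                                  ($entry.UninstallString -like '*\AppData\*')
            }
        }
    }
}

$findings | Sort-Object User, DisplayName | Format-List
```

The `Publisher` and `InstallLocation` values it reports are the inputs you would feed into a publisher or path rule in whichever app control tool you use.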
tankerkiller125real@reddit
Just visiting the WPS website is not going to cause it to install itself. Nor is simply opening a file created in WPS unless maybe it's adding a Macro/VB Script. If it is adding a Macro/VB Script somewhere in the document then the solution is very simple, block Macros and VB Script for files downloaded/not created by the user.