QakBot Malware Attacks Exploiting Windows Zero-Day Vulnerability Addressed by Microsoft
May 14, 2024
Microsoft has addressed a zero-day vulnerability, designated as CVE-2024-30051, that was being exploited to deliver QakBot and other malware on vulnerable Windows systems. This privilege escalation bug, caused by a heap-based buffer overflow in the Desktop Window Manager (DWM) core library, allows attackers to gain SYSTEM privileges. The DWM is a Windows service that enables the OS to use hardware acceleration when rendering GUI elements.
The vulnerability was discovered by Kaspersky researchers during an investigation into another Windows DWM Core Library privilege escalation bug, CVE-2023-36033, which was also exploited as a zero-day. The researchers found an interesting file uploaded to VirusTotal that hinted at a Windows vulnerability. The document provided information on a DWM vulnerability that could be exploited to escalate privileges to SYSTEM. Despite some omissions in the document, Kaspersky confirmed the existence of a new zero-day privilege escalation vulnerability in the Windows DWM Core Library.
Microsoft assigned the CVE-2024-30051 ID to the vulnerability and patched it during this month's Patch Tuesday. Kaspersky said, "After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it."
Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day to Microsoft, indicating its likely widespread exploitation in malware attacks. QakBot, initially a banking trojan in 2008, evolved into a malware delivery service, providing initial access to enterprise and home networks for ransomware attacks, espionage, or data theft. After its infrastructure was dismantled in 2023, the malware reappeared in phishing campaigns targeting the hospitality industry. QakBot has been linked to at least 40 ransomware attacks causing hundreds of millions of dollars in damage and has served as an initial infection vector for various ransomware groups including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and Black Basta.