QakBot Malware Attacks Exploiting Windows Zero-Day Vulnerability Addressed by Microsoft

May 14, 2024

Microsoft has addressed a zero-day vulnerability, designated as CVE-2024-30051, that was being exploited to deliver QakBot and other malware on vulnerable Windows systems. This privilege escalation bug, caused by a heap-based buffer overflow in the Desktop Window Manager (DWM) core library, allows attackers to gain SYSTEM privileges. The DWM is a Windows service that enables the OS to use hardware acceleration when rendering GUI elements.

The vulnerability was discovered by Kaspersky researchers during an investigation into another Windows DWM Core Library privilege escalation bug, CVE-2023-36033, which was also exploited as a zero-day. The researchers found an interesting file uploaded to VirusTotal that hinted at a Windows vulnerability. The document provided information on a DWM vulnerability that could be exploited to escalate privileges to SYSTEM. Despite some omissions in the document, Kaspersky confirmed the existence of a new zero-day privilege escalation vulnerability in the Windows DWM Core Library.

Microsoft assigned the CVE-2024-30051 ID to the vulnerability and patched it during this month's Patch Tuesday. Kaspersky said, "After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it."

Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day to Microsoft, indicating its likely widespread exploitation in malware attacks. QakBot, initially a banking trojan in 2008, evolved into a malware delivery service, providing initial access to enterprise and home networks for ransomware attacks, espionage, or data theft. After its infrastructure was dismantled in 2023, the malware reappeared in phishing campaigns targeting the hospitality industry. QakBot has been linked to at least 40 ransomware attacks causing hundreds of millions of dollars in damage and has served as an initial infection vector for various ransomware groups including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and Black Basta.
