Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems.
Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the DWM (Desktop Window Manager) core library. Following successful exploitation, attackers can gain SYSTEM privileges.
Desktop Window Manager is a Windows service introduced in Windows Vista that allows the OS to use hardware acceleration when rendering graphical user interface elements such as glass window frames and 3D transition animations.
Kaspersky security researchers discovered the vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033 and also exploited as a zero-day in attacks.
While combing through data related to recent exploits and associated attacks, they stumbled upon an intriguing file uploaded to VirusTotal on April 1, 2024. The file's names hinted that it contained details on a Windows vulnerability.
As they discovered, the file provided information (in broken English) regarding a Windows Desktop Window Manager (DWM) vulnerability that could be exploited to escalate privileges to SYSTEM, with the outlined exploitation processing perfectly mirroring the one used in CVE-2023-36033 attacks, even though it described a distinct vulnerability.
Despite the document's subpar quality and some omissions on how the vulnerability could be exploited, Kaspersky confirmed the existence of a new zero-day privilege escalation vulnerability in the Windows DWM Core Library. Microsoft assigned the CVE-2024-30051 CVE ID and patched the vulnerability during this month's Patch Tuesday.
"After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability," Kaspersky said.
"We have seen it used together with QakBot and other malware, and believe that multiple threat actors have access to it."
Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks.
QakBot (also tracked as Qbot) started as a banking trojan in 2008 and was used to steal banking credentials, website cookies, and credit cards to commit financial fraud. Over time, QakBot evolved into a malware delivery service, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, or data theft.
While its infrastructure was dismantled in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as Operation 'Duck Hunt,' the malware resurfaced in phishing campaigns targeting the hospitality industry in December.
Law enforcement linked QakBot to at least 40 ransomware attacks targeting companies, healthcare providers, and government agencies worldwide, which, according to conservative estimates, caused hundreds of millions of dollars in damage.
Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta.