QakBot Threat: Windows Zero-Day (CVE-2024-30051) Demands Immediate Patch

Microsoft has patched a zero-day vulnerability that was actively exploited to propagate the QakBot botnet on Windows systems. The heap-based buffer overflow vulnerability, CVE-2024-30051 (CVSS score 7.8), affects the Desktop Window Manager (DWM) library. This privilege escalation flaw allows attackers who already have code execution on a machine to gain SYSTEM-level privileges. Microsoft assigned the CVE identifier and addressed it as part of Patch Tuesday.

Desktop Window Manager is a Windows service, first introduced in Windows Vista, that enables the operating system to use hardware acceleration when rendering graphical interface elements, such as glass window frames and 3D transition animations.

The vulnerability was discovered by Kaspersky Lab experts while investigating another privilege escalation flaw in the DWM library (CVE-2023-36033, CVSS score 7.8). Analyzing data on recent exploits and associated attacks, researchers came across an intriguing file uploaded to VirusTotal on April 1, 2024.

The file contained information about a vulnerability in DWM that could be used to escalate privileges to the SYSTEM level. The exploitation process described in the file perfectly matched attacks using CVE-2023-36033, although it outlined an entirely new vulnerability.

Kaspersky Lab noted that the exploit for this vulnerability was used in conjunction with QakBot and other malware. It is believed that multiple groups have access to the exploit. Security researchers from Google’s Threat Analysis Group, DBAPPSecurity WeBin Lab, and Mandiant also reported the vulnerability to Microsoft, indicating its likely widespread use in malware attacks.