Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.

“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.

Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.

“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.

Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.

“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.

The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.

A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.