Microsoft patched a zero-day vulnerability exploited by attackers to distribute QakBot and other malware payloads on susceptible Windows systems. Identified as CVE-2024-30051, this vulnerability is a privilege escalation flaw resulting from a heap-based buffer overflow in the Desktop Window Manager (DWM) core library. Successful exploitation grants attackers “SYSTEM privileges,” Microsoft said.

“These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware (actors),” said Dustin Childs of the Zero Day Initiative.

Introduced in Windows Vista, the Desktop Window Manager (dwm.exe) is a compositing window manager that renders all GUI effects in Windows like transparent windows, live taskbar thumbnails, Flip3D, and even high-resolution monitor support. Applications do not draw directly on the screen. Instead, they write their window images to a specific spot in memory. Windows then combines and creates a “composite” of all these windows into one view before sending it to the monitor. This allows Windows to add effects like transparency and animations while displaying the windows. Kaspersky researchers uncovered this vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033, also exploited as a zero-day in attacks. While analyzing data related to recent exploits and associated attacks, Kaspersky researchers discovered an intriguing file uploaded to VirusTotal on April 1. The file's name hinted that it contained details on a Windows vulnerability. The file had information regarding a Windows DWM vulnerability – written in broken English - that could be exploited to escalate privileges to SYSTEM level, with the exploitation process nearly mirroring the one used in CVE-2023-36033 attacks, “but the vulnerability was different,” researchers said. Initially skeptical due to the document's quality and lack of crucial details on exploiting the vulnerability, further investigation confirmed the legitimacy of another zero-day vulnerability capable of privilege escalation. Kaspersky promptly reported it to Microsoft, leading to its designation as CVE-2024-30051 and subsequent patching in this month’s Patch Tuesday.

Zero-Day Exploited by QakBot

Following the reporting to Microsoft, Kaspersky continued monitoring for exploits and attacks leveraging this flaw.

“In mid-April we discovered an exploit for this zero-day vulnerability. We have seen it used together with QakBot and other malware and believe that multiple threat actors have access to it,” Kaspersky said.

Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google-owned Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks, Childs said.

“Don’t wait to test and deploy this update as exploits are likely to increase now that a patch is available to reverse engineer,” said Childs.

The U.S. Cybersecurity and Infrastructure Security Agency also added CVE-2024-30051 to its Known Exploited Vulnerabilities catalog and directed all federal agencies to complete the patching process by June 4. Kaspersky plans to disclose technical specifics of CVE-2024-30051 once users have had adequate time to update their Windows systems.

QakBot’s Journey from Banking Trojan to Initial Access Broker

QakBot, also known as Qbot, emerged as a banking trojan in 2008 and was used to steal credentials, website cookies, and credit cards to commit financial fraud. QakBot operators evolved over the years into initial access brokers, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, and data theft. QakBot’s infrastructure was taken down in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as “Operation Duck Hunt.” But Microsoft identified the resurgence of QakBot in phishing campaigns targeting the hospitality industry in December. Law enforcement linked QakBot infections to 700,000 victim computers which included ransomware attacks targeting businesses, healthcare providers, and government agencies worldwide, which according to conservative estimates caused hundreds of millions of dollars in damage. Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently Black Basta.

Another Zero-Day Fix

Microsoft patched 59 CVEs in its May 2024 Patch Tuesday release, with one rated “critical,” 57 rated as “important” and one rated as “moderate.” The patch also contains a fix for another zero-day flaw other that the one exploited by QakBot. The other bug, tracked as CVE-2024-30040, is rated "important" on the CVSS scale and is a Windows MSHTML platform security feature bypass vulnerability. MSHTML is a proprietary browser engine for the Microsoft Windows version of Internet Explorer.

“This vulnerability bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls,” Microsoft said.

A hacker who socially-engineers a victim into opening a malicious document would be able to execute arbitrary code by passing OLE mitigations in the Microsoft suite of office applications. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Finland has warned of an ongoing Android malware campaign that targets banking details of its victims by enticing them to download a malicious counterfeit McAfee app. Finland's Transport and Communications Agency – Traficom - issued a warning last week about an ongoing Android malware campaign that aims to withdraw money from the victim's online bank accounts. Traficom said this campaign exclusively targets Android devices, with no separate infection chain identified for Apple iPhone users. The agency has identified multiple cases of SMS messages written in Finnish language, instructing recipients to call a specified number. These messages often impersonate banks or payment service providers like MobilePay and utilize spoofing technology to appear as if they originate from domestic telecom operators or local networks. [caption id="attachment_66875" align="aligncenter" width="1024"] Finnish language smishing message (Credit: Traficom)[/caption] The scammers answering these calls direct victims to install a McAfee app under the guise of providing protection. However, the McAfee app being promoted is, in fact, malware designed to compromise victims' bank accounts. According to reports received by the Cyber Security Center, targets are prompted to download a McAfee application via a link provided in the message. This link leads to the download of an .apk application hosted outside the app store for Android devices. Contrary to expectations, this is not antivirus software but malware intended for installation on the phone. The OP Financial Group, a prominent financial service provider in Finland, also issued an alert on its website regarding these deceptive messages impersonating banks or national authorities. The police have similarly emphasized the threat posed by this malware, warning that it enables operators to access victims' banking accounts and initiate unauthorized money transfers. In one reported case, a victim lost 95,000 euros (approximately $102,000) due to the scam.

Vultur Android Malware Campaign Trademarks

While Finnish authorities have not definitively identified the type of malware involved or shared specific hashes or IDs for the APK files, the attacks bear a striking resemblance to those reported by Fox-IT analysts in connection with a new version of the Vultur trojan. [caption id="attachment_66873" align="alignnone" width="1024"] Vultur Trojan infection chain (Credit: Fox-IT)[/caption] The new iteration of the Vultur trojan employs hybrid smishing and phone call attacks to persuade targets into downloading a fake McAfee Security app. This app introduces the final payload in three separate parts for evasion purposes. Notable features of this latest version include extensive file management operations, abuse of Accessibility Services, app blocking, disabling Keyguard, and serving custom notifications in the status bar.

Things to Do If You Suspect Being Victim

If you suspect that your device has been infected with the malware, it is advisable to contact your bank immediately to enable protection measures. Additionally, restoring "factory settings" on the infected Android device to wipe all data and apps is recommended. OP Financial Group emphasizes that they do not request customers to share sensitive data over the phone or install any apps to receive or cancel payments. “We will never send you messages with a link to the online bank login page. The bank also never asks you for your ID or card information via messages. Such messages are scams and you should not click on the links in them,” the OP Financial Group said. “Even in order to receive or cancel a payment, you do not need to log in from a link, confirm with codes or provide your information. If you are asked to do this, contact the bank's customer service.” Any similar requests should also be promptly reported to the police. The news of the online banking fraud comes days after a multi-national police operation crack opened a massive fraudulent call center network run across Europe that targeted especially senior citizens with an intent to dupe them of thousands of dollars. The crack down, dubbed Operation Pandora, was initiated when a vigilant bank teller in Freiburg, Germany, alerted law enforcement of a customer aged 76-years attempting to withdraw a large sum of money. Scammers employed various tactics, posing as relatives, bank employees or police officers, to deceive victims into surrendering their savings. The operation revealed call centers operating in different countries, each specializing in different types of telephone fraud, from investment scams to debt collection demands. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CRIL Researchers observed a new android banking trojan 'Brokewell,' being distributed through a phishing site disguised as the official Chrome update page. The malicious Android Banking Trojan comes equipped with various functionalities such as screen recording, keylogging and over 50 different remote commands. Upon further investigation, researchers were able to trace the trojan back to its developer, who described the trojan as capable of bypassing permission restrictions on the latest versions of the Android operating system.

Developer Behind Android Banking Trojan Found Distributing Other Spyware Tools

CRIL researchers identified the trojan being distributed through the domain “hxxp://makingitorut[.]com” which disguises itself as the official Chrome update website and bears several striking similarities. [caption id="attachment_65312" align="alignnone" width="1557"] Source: Cyble[/caption] The site deceives the user into thinking that an update is required, describing it as being necessary "to secure your browser and fix important vulnerabilities. A download button on the site leads users to download the malicious APK file “Chrome.apk” on to their systems. Upon examination, the downloaded APK file was discovered to be a new android banking trojan, incorporated with over 50 different remote commands such as collecting telephony data, collecting call history, waking the device screen, location gathering, call management, screen and audio recording. The trojan communicated through a remote command and control (C&C) server operating through the “mi6[.]operationanonrecoil[.]ru” domain and hosted on the IP address “91.92.247[.]182”. [caption id="attachment_65315" align="alignnone" width="1354"] Source: Cyble[/caption] The malware was further linked to a git repository, where it was described as being capable of circumventing permission-based restrictions on Android versions 13, 14, and 15. The git repository contained links to profiles on underground forums, a Tor page, and a Telegram channel. The Tor page directed to the malware developers’s personal page, where they took steps to introduce themselves and linked to a site listing various other projects they had developed such as checkers, validators, stealers, and ransomware. Since CRIL researchers did not observe any mentions of the android banking trojan on the site, it is assumed that the trojan is a very recent development which might be listed within the upcoming days.

Technical Capabilities of Android Banking Trojan "Brokewell"

[caption id="attachment_65324" align="alignnone" width="1501"] Source: Shutterstock[/caption] Researchers note that the Brokewll Banking Trojan is likely in its initial stages of development and thus possesses limited functionalities for the time period. The current attack techniques primarily involves the screen overlay attack, screen/audio capturing or keylogging techniques. However, researchers warn that future versions of the android banking trojan may incorporate additional features. The malware is observed conducting a pre-emptive check to determine whether the host system has been rooted. This stage involves checking for package names of a root check application, network traffic analysis tool and an .apk parsing tool. Once the device is detected to not be rooted, it proceeds with normal execution, first prompting the victim for accessibility permissions. The accessibility service is then abused to grant the application other permissions such as “Display over other apps” “Installation from unknown sources”. [caption id="attachment_65319" align="alignnone" width="385"] Source: Cyble[/caption] After obtaining permissions, the application prompts the user to enter the device pin through a fake PIN screen with German localization. The PIN is then stored to a text file for subsequent usage. The German localization along with several samples of the malware being uploaded to VirusTotal from the German region lead researchers to believe that it is primarily targeting Germany. In addition to German, several strings in Chinese, French, Finnish, Arabic, Indonesian, Swedish, Portuguese, and English were also spotted. These strings suggest that the malware could expand its targets with the emergence of subsequent iterations incorporating additional features. Researchers anticipate increased promotion of the tool on underground forums and through the malware developer’s product portal, underscoring the progressive stage of banking trojans and the need for continuous monitoring over such developments. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine.

Cybersecurity expert Brian Krebs investigated and flagged the issue.

Scammers, impersonating cryptocurrency investors, are active on Telegram channels to get interested people to attend a meeting about a future partnership.

One of those investors called Signum Capital tweeted a warning on X in January that one of their team members was being impersonated on Telegram and sending out invites by direct message (DM).

Heads up! A fake account pretending to be one of our team members is going around DM-ing people on Telegram.

The screenshots below is from the scammer please take note and be alert. pic.twitter.com/6hFcUsaGtZ

— Signum Capital (@Signum_Capital) January 22, 2024

The criminals reach out to targets by DM on Telegram and ask if they have an interest in hearing more about the opportunity in a call or meeting. If they show interest they will be sent a fabricated invitation for a meeting. When the times comes to join the meeting the invitation link doesn’t work. The scammers tell the victim it’s a known issue, caused by a regional access restriction, which can be solved by running a script.

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed to look at this method. This isn’t the first time criminals have used scripts to compromise users, he told us.

“AppleScript has been used against Mac users with moderate frequency by malware creators over the years. It has the advantage of being very easy to write, and if compiled, is also extremely difficult to reverse engineer.”

According to Reed, AppleScripts can be provided in a few different forms. One is a simple .scpt file that opens in Apple’s Script Editor app. This has a few drawbacks for criminals: A victim would need to click something within Script Editor to run the script, and they would able to see the code, which might be a problem because AppleScript tends to be more human readable than most other scripts. However, there are ways to obfuscate what the code is doing, and many users won’t bother to read it anyway.

Another option is an AppleScript applet. This is something that acts like a normal Mac app. It contains a basic AppleScript executable and the script to be run. In this form, the script can be code signed, notarized, given an icon, and otherwise made to appear more trustworthy. The code could be pretty bland, and unlikely to trigger any kind of detection from Apple’s notarization process, but could download and execute something less trustworthy.

Scripts have another advantage for criminals, Reed warned.

“AppleScripts also have the advantage of being able to very easily get administrator permissions.”

A script that attempts to run a command with administrator privileges will ask users to authenticate, triggering a password dialog.

If the user enters their password, the script doesn’t actually get to see it, but everything else the script attempts to do “with administrator privileges” will successfully run as root without further authentication. This makes it very easy for the script to show a standard authentication request dialog and trick the user into giving root permissions.

“So, in summary, AppleScript can be quite effective for writing malware. In fact, some malware has been written exclusively – or almost exclusively – in AppleScript, such as OSX.DubRobber or OSX.OSAMiner.”

In this case, the script was a simple Apple Script that downloaded and executed a macOS-oriented Trojan. The nature of the Trojan is unknown, but it certainly won’t surprise anyone if it turns out it was a banking Trojan that specializes in stealing cryptocurrencies.

Recognizing the scam

To avoid falling victim to these scammers, it’s good to know a few of their tactics.

• Targets are approached by DM on Telegram.
• Topics are cryptocurrency investment opportunities.
• The scammers have a preference for the Calendly scheduling platform.
• A fake “regional access restriction” creates a sense of last minute urgency.
• The script had the .scpt (Apple script) extension.
• The script was hosted on a domain that pretended to be a meeting support site.

The presence of Mac malware is unfortunately still underestimated, but you can find protection by Malwarebytes for Mac and protect Mac endpoints in your environment by ThreatDown solutions.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.