Tuesday, October 15, 2024
HomeCVE/vulnerabilityQakBot Malware Exploiting Windows zero-Day To Gain System Privileges

QakBot Malware Exploiting Windows zero-Day To Gain System Privileges

Published on

Malware protection

In April 2024, security researchers revisited CVE-2023-36033, a Windows DWM Core Library elevation of privilege vulnerability that was previously discovered and exploited in the wild.

As part of their investigation into exploit samples and potential attack vectors, they stumbled upon a curious document uploaded to VirusTotal on April 1st. 

The document’s presence on a malware repository dedicated to sharing suspicious files raised a red flag, prompting further analysis.

- Advertisement - SIEM as a Service

The researchers suspected that this document might be either a malicious payload designed to exploit CVE-2023-36033 or a component used in a larger malware campaign leveraging this vulnerability.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

They examined a document with a filename indicative of a potential Windows vulnerability, which contained a poorly written description of a Desktop Window Manager (DWM) exploit that could be leveraged to escalate privileges on a system. 

While the exploit technique resembled the one used in CVE-2023-36033, the document appeared to describe a different vulnerability altogether, which suggests that the document might outline a novel DWM exploit with a distinct attack vector, separate from the previously discovered CVE.

Despite the suspicious nature of the vulnerability description, which lacked details for exploitation and potentially described a non-existent or inaccessible issue, researchers opted to investigate further. 

This due diligence paid off, as the investigation uncovered a legitimate zero-day privilege escalation vulnerability within the Windows DWM Core Library.

The researchers promptly reported the issue to Microsoft, which designated it CVE-2024-30051, and subsequently patched it on May 14, 2024, during Patch Tuesday.

Researchers discovered a zero-day elevation of privilege vulnerability (CVE-2024-30051) in the Windows DWM Core Library and reported it to Microsoft. 

They subsequently identified exploits leveraging this vulnerability used in conjunction with malware like QakBot, indicating widespread access among threat actors.

To allow for system patching, technical details regarding the exploit and vulnerability will be published after a grace period. 

According to SecureList, Kaspersky identified and reported a zero-day privilege escalation vulnerability (CVE-2024-30051) in the Windows DWM Core Library. 

They detected exploitation attempts using this vulnerability to deliver various malware strains, including generic exploits, trojans (Agent and Cobalt Strike variants), and potentially other malicious objects.

Kaspersky acknowledges Microsoft’s swift action in analyzing the report and issuing security patches.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Allegedly Selling Data Stolen from Cisco

A group of hackers reportedly sells sensitive data stolen from Cisco Systems, Inc.The...

Fortigate SSLVPN Vulnerability Exploited in the Wild

A critical vulnerability in Fortinet's FortiGate SSLVPN appliances, CVE-2024-23113, has been actively exploited in...

Splunk Enterprise Vulnerabilities let Attackers Execute Remote Code

Splunk has disclosed multiple vulnerabilities affecting its Enterprise product, which could allow attackers to...