QakBot Malware Exploiting Windows Zero-Day To Gain System Privileges

In April 2024, security researchers revisited CVE-2023-36033, a Windows DWM Core Library elevation of privilege vulnerability that was previously discovered and exploited in the wild.

As part of their investigation into exploit samples and potential attack vectors, they stumbled upon a curious document uploaded to VirusTotal on April 1st. 

The document’s presence on a malware repository dedicated to sharing suspicious files raised a red flag, prompting further analysis.

The researchers suspected that this document might be either a malicious payload designed to exploit CVE-2023-36033 or a component used in a larger malware campaign leveraging this vulnerability.


They examined a document with a filename indicative of a potential Windows vulnerability, which contained a poorly written description of a Desktop Window Manager (DWM) exploit that could be leveraged to escalate privileges on a system. 

While the exploit technique resembled the one used in CVE-2023-36033, the document appeared to describe a different vulnerability altogether. This suggested that the document might outline a novel DWM exploit with a distinct attack vector, separate from the previously discovered CVE.

Despite the questionable quality of the vulnerability description, which lacked the details needed for exploitation and may have described a non-existent or unreachable issue, the researchers opted to investigate further.

This due diligence paid off, as the investigation uncovered a legitimate zero-day privilege escalation vulnerability within the Windows DWM Core Library.

The researchers promptly reported the issue to Microsoft, which designated it CVE-2024-30051, and subsequently patched it on May 14, 2024, during Patch Tuesday.

Researchers discovered a zero-day elevation of privilege vulnerability (CVE-2024-30051) in the Windows DWM Core Library and reported it to Microsoft. 

They subsequently identified exploits leveraging this vulnerability used in conjunction with malware like QakBot, indicating widespread access among threat actors.

To allow for system patching, technical details regarding the exploit and vulnerability will be published after a grace period. 

According to SecureList, Kaspersky identified and reported a zero-day privilege escalation vulnerability (CVE-2024-30051) in the Windows DWM Core Library. 

They detected exploitation attempts using this vulnerability to deliver various malware strains, including generic exploits, trojans (Agent and Cobalt Strike variants), and potentially other malicious objects.

Kaspersky acknowledges Microsoft’s swift action in analyzing the report and issuing security patches.


Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
