QakBot Malware Exploiting Windows Zero-Day To Gain System Privileges

Hackers exploit the Windows zero-day vulnerabilities, as they offer great advantages.

This means that no patches or defenses exist for zero-day vulnerabilities as software vendors are unaware of them, consequently, hackers have a certain period to start their attacks before the vulnerability is found and stopped.

Exploiting these flaws allows hackers to access many users, get important data, or take over systems.

Cybersecurity researchers at Kaspersky recently identified that the QakBot malware has been actively exploiting the Windows zero-day to gain system privileges.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

QakBot Malware Exploiting Windows Zero-Day

In early April 2024, while investigating the previously disclosed Windows DWM Core Library EoP vulnerability CVE-2023-36033, researchers at Kaspersky discovered a VirusTotal document from April 1st describing a new, unpatched Windows Desktop Window Manager (DWM) vulnerability that could also lead to system privilege escalation. 

Despite poor writing quality and missing exploitation details, analysis confirmed this was a new “zero-day.” 

Kaspersky reported their findings to Microsoft, leading to the designation “CVE-2024-30051” and a patch released on May 14, 2024, as part of that month’s Patch Tuesday updates.

After reporting the Windows DWM zero-day CVE-2024-30051 to Microsoft, Kaspersky closely monitored for related exploits. 

In mid-April, an exploit was discovered that was being used to deliver QakBot and other malware, indicating multiple threat actors had access to this vulnerability. 

Kaspersky plans to publish technical details once users have time to patch and currently detect exploitation attempts and associated malware with the following rulings:-

• PDM:Exploit.Win32.Generic
• PDM:Trojan.Win32.Generic
• UDS:DangerousObject.Multi.Generic
• Trojan.Win32.Agent.gen
• Trojan.Win32.CobaltStrike.gen

Protecting users and systems necessitates responsible disclosure of zero-day vulnerabilities and patching.

However, the rapid exploitation of this zero-day by multiple threat actors distributing malware like QakBot also highlights why users and organizations must remain vigilant and apply security updates promptly.

To mitigate zero days until patches can be installed, security researchers must employ ongoing monitoring and behavior-based detection capabilities.

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free