
QakBot attacks with CVE-2024-30051 Windows Zero-Day

In early April 2024, we decided to take a closer look at CVE-2023-36033, a Windows DWM Core Library elevation-of-privilege vulnerability that had previously been discovered being exploited in the wild as a zero-day. While searching for samples of that exploit and the attacks that used it, we found a strange document uploaded to VirusTotal on April 1, 2024. It caught our attention because its file name was unusually descriptive and indicated that the document contained information about a security vulnerability in the Windows operating system. Inside was a brief description of a vulnerability in the Windows Desktop Window Manager (DWM) and of how it could be exploited to gain SYSTEM privileges, all written in very broken English. The exploitation process described in the document was identical to the one used in the previously mentioned zero-day exploit for CVE-2023-36033, but the underlying vulnerability was different. Judging by the quality of the writing and by the fact that the document omitted some important details about how the vulnerability could actually be triggered, there was a high probability that the described vulnerability was fabricated, or that it existed in code an attacker could not reach or control. We decided to investigate anyway, and a quick review showed that it was a real, previously unknown vulnerability that could be used for privilege escalation. We immediately reported our findings to Microsoft; the vulnerability was assigned CVE-2024-30051, and a patch was released on May 14, 2024 as part of Patch Tuesday.

After submitting our findings to Microsoft, we began closely monitoring our telemetry for exploits and attacks targeting this vulnerability, and in mid-April we discovered an exploit for it. We have seen it used alongside QakBot and other malware, and we believe that multiple threat actors have access to it.

We will release technical details about CVE-2024-30051 once users have had time to update their Windows systems.

Kaspersky products detect exploitation of CVE-2024-30051 and related malware with the following verdicts:

  • PDM:Exploit.Win32.Generic;
  • PDM:Trojan.Win32.Generic;
  • UDS:DangerousObject.Multi.Generic;
  • Trojan.Win32.Agent.gen;
  • Trojan.Win32.CobaltStrike.gen.

Kaspersky would like to thank Microsoft for promptly analyzing our report and releasing a patch.