May 14, 2024 at 02:23PM
Microsoft has patched a zero-day vulnerability, CVE-2024-30051, a heap-based buffer overflow in the Desktop Window Manager (DWM) core library that allowed privilege escalation on vulnerable Windows systems and was exploited to deliver QakBot and other malware. Kaspersky and other security researchers confirmed the in-the-wild exploitation and reported it to Microsoft. QakBot began as a banking trojan and now operates as a malware delivery service that facilitates ransomware attacks.
From the meeting notes, it is clear that a zero-day vulnerability in the Windows Desktop Window Manager (DWM) Core Library, tracked as CVE-2024-30051, has been identified and fixed by Microsoft in this month's Patch Tuesday release. The vulnerability, a heap-based buffer overflow, allows attackers to gain SYSTEM privileges. Kaspersky and other security researchers confirmed that this zero-day was exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. The exploitation process resembled that of a previously discovered DWM vulnerability, but analysis showed it to be a new and distinct zero-day. The notes also record that QakBot, originally a banking trojan, has evolved into a malware delivery service that facilitates ransomware attacks, espionage, and data theft. Despite the dismantling of its infrastructure in 2023, QakBot resurfaced in phishing campaigns and has been linked to numerous ransomware attacks that caused significant financial damage.
In summary, the meeting notes provide the key details of the zero-day vulnerability, its exploitation to deliver malware such as QakBot, and QakBot's evolution into a malware delivery service. They also describe QakBot's role in facilitating ransomware attacks and its association with various ransomware gangs.