Kaspersky discovers attacks that take advantage of new zero-day vulnerability in Windows

Researchers from the cybersecurity company found that this vulnerability had been exploited by the QakBot banking Trojan, as well as by other threat actors.

Kaspersky researchers identified a new zero-day vulnerability in Windows, tracked as CVE-2024-30051. The discovery was made while analysts were investigating the privilege escalation vulnerability in the Windows DWM Core Library (CVE-2023-36033) in early April 2024. A patch for this vulnerability has been available since May 14, as part of Microsoft’s “Patch Tuesday” update.

On April 1, 2024, a document uploaded to VirusTotal caught the attention of Kaspersky researchers. The document, with a descriptive file name, hinted at a possible vulnerability in the Windows operating system. Despite its flawed English and missing details on how to trigger the vulnerability, the document described an exploitation process identical to that of the zero-day exploit detected in 2023 (CVE-2023-36033), although the two vulnerabilities differ. Suspecting that the vulnerability might be fictitious or not exploitable, the team proceeded with its investigation. A quick check revealed that this was a genuine zero-day vulnerability that allowed privilege escalation on the targeted system.

Kaspersky researchers Boris Larin and Mert Degirmenci, who made this discovery, promptly reported their findings to Microsoft, which verified the vulnerability and assigned it the identifier CVE-2024-30051.

Following the report, Kaspersky began monitoring for exploits and attacks using this previously unknown vulnerability. In mid-April, the team detected this vulnerability being exploited in the wild, with an exploit used alongside the QakBot banking Trojan and other malware, which indicates that several threat actors had access to it.

“We found the VirusTotal document interesting because of its descriptive nature and decided to investigate further, which led us to discover this critical zero-day vulnerability,” said Boris Larin, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT). “The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and cybersecurity vigilance.”

Kaspersky will release further technical details of CVE-2024-30051 once enough time has passed for most users to update their Windows systems. Kaspersky extends its thanks to Microsoft for its prompt review and release of patches.

Kaspersky products have been updated to detect exploits and attacks using CVE-2024-30051 with the following verdicts:

  • Exploit.Win32.Generic
  • PDM:Trojan.Win32.Generic
  • UDS:DangerousObject.CAP_FIRST$generic
  • Trojan.Win32.Agent.gen
  • Trojan.Win32.CobaltStrike.gen

As for QakBot, Kaspersky has been tracking this sophisticated banking Trojan since its discovery in 2007. Originally designed for bank credential theft, QakBot has evolved significantly, acquiring new capabilities such as email theft, keylogging, and the ability to spread laterally and install ransomware. The malware is known for its frequent updates and improvements, making it a persistent threat in the cybersecurity landscape. In recent years, QakBot has been observed leveraging other botnets, such as Emotet, for distribution.