CVE-2024-30051: Windows Zero-Day Vulnerability Exploited to Deliver QakBot Malware
Microsoft has urgently addressed a critical zero-day vulnerability, tracked as CVE-2024-30051, that attackers were actively exploiting to deliver the notorious QakBot malware and other malicious payloads. The flaw resides in the Windows Desktop Window Manager (DWM) core library and allowed threat actors to escalate their privileges to SYSTEM, the highest level on the machine, giving them full control over compromised hosts.
Kaspersky Uncovers the Flaw
The vulnerability was uncovered by researchers at Kaspersky during an investigation into another DWM-related zero-day exploit. They discovered a document uploaded to VirusTotal that contained information about the flaw, which could be leveraged to elevate privileges to SYSTEM level. Despite some missing details, Kaspersky confirmed the existence of the vulnerability and promptly reported it to Microsoft.
Zero-Day Exploits and QakBot’s Resurgence
Microsoft swiftly assigned the identifier CVE-2024-30051 (CVSS 7.8) to the vulnerability and released a patch during this month's Patch Tuesday. However, Kaspersky's monitoring revealed that the vulnerability was already being exploited in conjunction with QakBot and other malware, suggesting that multiple threat actors had access to the exploit.
QakBot, infamous for its history as a banking trojan and malware delivery service, has been linked to numerous high-profile ransomware attacks and data breaches. Despite a previous takedown in 2023, the malware resurfaced in targeted phishing campaigns against the hospitality industry.
Immediate Action Required
Users and organizations are strongly advised to apply the latest Windows security updates without delay to mitigate the risk of compromise. Given the severity of the vulnerability and its active exploitation, prompt action is crucial to protect systems from QakBot and other malicious threats.
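As an added example (not code from the article, Kaspersky or Microsoft), the following PowerShell snippet lets an administrator confirm that a host actually carries the fix rather than assuming it was applied. It assumes the vulnerable component is the DWM core library file dwmcore.dll under System32; the KB number and the fixed file version are placeholders that must be taken from Microsoft's advisory for CVE-2024-30051 for the specific Windows build in use.

```powershell
# Added example: report patch status for CVE-2024-30051 on the local host.
# PLACEHOLDERS: replace the KB id and the fixed file version with the values
# published in Microsoft's advisory for CVE-2024-30051 for your Windows build.
function Test-Cve202430051Patch {
    param(
        [string] $KbId             = 'KB0000000',      # placeholder
        [version] $FixedDwmVersion = '0.0.0.0'         # placeholder
    )

    # dwmcore.dll is the Desktop Window Manager core library (assumption: this
    # is the "DWM core library" the advisory refers to).
    $dwmCore = Join-Path $env:SystemRoot 'System32\dwmcore.dll'
    $fileVersion = [version] (Get-Item $dwmCore).VersionInfo.FileVersion.Split(' ')[0]

    # Get-HotFix lists installed updates; cumulative updates are not always
    # reported, so the file version comparison below is the more reliable signal.
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $KbId }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [System.Environment]::OSVersion.Version.ToString()
        DwmCoreVersion = $fileVersion.ToString()
        KbInstalled    = [bool] $hotfix
        InstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Patched        = ($fileVersion -ge $FixedDwmVersion) -or [bool] $hotfix
    }
}

# Run locally; for a fleet, wrap the call in Invoke-Command -ComputerName <hosts>.
Test-Cve202430051Patch -KbId 'KB0000000' -FixedDwmVersion '0.0.0.0' | Format-List
```

The function reports whether the expected update is listed and whether the DWM core library file version meets the fixed version; a `Patched` value of `False` marks a host that still needs the update. This confirms patch status only; it does not indicate whether a host was already compromised, which is a separate investigation.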