Microsoft Fixes Zero-Day Vulnerability Used to Deliver QakBot Malware

https://icaro.icaromediagroup.com/system/images/photos/16214055/original/open-uri20240515-18-d7d0z2?1715801716
ICARO Media Group
Politics
15/05/2024 18h35

Microsoft has patched a zero-day vulnerability that attackers were exploiting to drop malware, including the QakBot loader, on Windows systems. Tracked as CVE-2024-30051, it is a local privilege escalation bug rooted in a heap-based buffer overflow in the Desktop Window Manager (DWM) core library (dwmcore.dll). An attacker who already has code execution on a machine can use it to gain SYSTEM privileges, which is why it pairs naturally with a malware loader that arrives through phishing.

The Desktop Window Manager is a Windows service introduced in Windows Vista, which enhances the operating system's graphical user interface elements, such as glass window frames and 3D transition animations, through hardware acceleration.

The vulnerability was discovered by Kaspersky security researchers during their investigation into another privilege escalation bug in the DWM Core Library, tracked as CVE-2023-36033, which was also being exploited in zero-day attacks.

While going through data related to recent exploits and associated attacks, the researchers stumbled upon a file uploaded to VirusTotal on April 1, 2024, which appeared to contain information about a Windows vulnerability. Despite the document's shortcomings and limited details on the exploitation method, Kaspersky confirmed the existence of a new zero-day privilege escalation vulnerability in the Windows DWM Core Library.

After Kaspersky reported the bug, Microsoft patched it in the May 2024 Patch Tuesday release. Kaspersky said its telemetry first caught an exploit for the vulnerability in mid-April, deployed alongside QakBot and other malware by several threat actors.

The zero-day vulnerability was also reported to Microsoft by security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant. Their findings suggested that the vulnerability was likely being widely exploited in various malware attacks.

QakBot (also known as Qbot) originally emerged as a banking trojan back in 2008, primarily targeting financial fraud by stealing banking credentials, website cookies, and credit card information. Over time, it evolved into a malware delivery service, partnering with other threat groups to facilitate initial access for ransomware attacks, espionage, or data theft.

Although law enforcement dismantled QakBot's infrastructure in August 2023 through Operation 'Duck Hunt,' the malware made a comeback in December through phishing campaigns targeting the hospitality industry. QakBot has been connected to at least 40 ransomware attacks, causing substantial financial damage to numerous companies, healthcare providers, and government agencies worldwide.

Throughout its existence, QakBot has served as an initial infection vector for various ransomware gangs, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and most recently, Black Basta.

Because the fix shipped in the May 2024 Patch Tuesday updates, administrators should confirm that those updates have actually been installed on their Windows fleet; a host that merely has updates "pending" is still exploitable.
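The following PowerShell script is an added example, not code from the article or from Microsoft. It checks a host for any update installed on or after the May 2024 Patch Tuesday (14 May 2024) and reports the version stamp of the affected library and the OS build, so the result can be compared against Microsoft's release notes. The `-PatchTuesday` parameter and the `dwmcore.dll` path under `System32` are assumptions; run it elevated on the machine being checked.

```powershell
# Added example (not from the article): verify a Windows host has taken the
# May 2024 cumulative update that fixes CVE-2024-30051 and report the DWM
# core library version. Assumes an elevated session on the target host.
param(
    # Assumption: the fix shipped on the 14 May 2024 Patch Tuesday.
    [datetime]$PatchTuesday = [datetime]'2024-05-14'
)

# 1. Any update recorded as installed on or after Patch Tuesday.
#    Get-HotFix reads Win32_QuickFixEngineering; cumulative updates show up here,
#    but an entry with a null InstalledOn is treated as "not recent".
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed on or after $($PatchTuesday.ToString('yyyy-MM-dd')):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No update installed since {0}; CVE-2024-30051 may be unpatched." -f
        $PatchTuesday.ToString('yyyy-MM-dd'))
}

# 2. Version of the vulnerable library itself (assumed path under System32).
$dll = Join-Path $env:SystemRoot 'System32\dwmcore.dll'
if (Test-Path $dll) {
    $ver = (Get-Item $dll).VersionInfo
    "dwmcore.dll: {0}" -f $ver.FileVersion
} else {
    Write-Warning "dwmcore.dll not found at $dll"
}

# 3. OS build plus Update Build Revision (UBR); the UBR is what changes with a
#    cumulative update and is the number to compare with the release notes.
$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
"OS: {0} build {1}.{2}" -f $os.Caption, $os.BuildNumber, $ubr
```

The date check alone is not authoritative, since an unrelated update can land after Patch Tuesday while the cumulative update fails; treat the OS build and UBR comparison as the deciding signal, and run the script through your endpoint management tool rather than host by host.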

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
