Microsoft Patches Zero-Day Exploited by Qakbot

Kaspersky Says It Spotted Qakbot Operators Exploiting the Flaw in April
Researchers from Kaspersky say QakBot hackers used a now-patched Windows zero-day. (Image: Shutterstock)

Microsoft issued a patch Tuesday for a Windows zero-day vulnerability that security researchers say operators of the Qakbot botnet and other hackers actively exploited.

U.S. authorities in August dismantled the botnet, also known as Qbot, and told reporters that it "ceased to operate" as a result of an antimalware campaign dubbed Operation Duck Hunt. Malware analysts within months observed a resurgence - a comeback that other operators of major Trojans have also managed following infrastructure takedowns (see: More Signs of a Qakbot Resurgence).

Researchers from cybersecurity firm Kaspersky said they spotted Qakbot operators in mid-April using the Windows zero-day, tracked as CVE-2024-30051. The elevation of privilege flaw is rated "important" on the CVSS scale. Telemetry suggests that multiple threat actors have exploited it, Kaspersky said. Microsoft said researchers from DBAPPSecurity, Google and Google-owned Mandiant also notified it about the vulnerability.

The flaw resides in the Desktop Window Manager, the component of Microsoft operating systems since Vista that keeps an off-screen buffer for each window so it can composite the display and apply effects such as window snapping.

"These types of bugs are usually combined with a code execution bug to take over a target and are often used by ransomware. Microsoft credits four different groups for reporting the bug, which indicates the attacks are widespread," said Dustin Childs of the Zero Day Initiative.

Kaspersky researchers found the flaw while researching another one - a patched Windows flaw also located in the Desktop Window Manager. A hunt for malware samples led them to "a curious document uploaded to VirusTotal on April 1" containing a brief description in "very broken English" of the zero-day and how to exploit it to gain system privileges.

Qakbot was created in 2008 as a banking Trojan, but its operators evolved over the years to become an initial access broker for other cybercriminals. They've sold access to criminal gangs, including Russian-speaking ransomware operations.

Microsoft's latest Patch Tuesday fixes two actively exploited zero-days, including the flaw used by Qakbot. The other, tracked as CVE-2024-30040, is also rated "important" on the CVSS scale. That vulnerability lies in MSHTML, the browser engine historically associated with Internet Explorer. Microsoft keeps the renderer active in its operating systems for compatibility reasons despite Internet Explorer's long-ago deprecation. An attacker who social-engineers a victim into opening a malicious document could execute arbitrary code by bypassing OLE mitigations in the Microsoft Office suite of applications.

About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.