Kaspersky researchers Boris Larin and Mert Degirmenci have identified a new zero-day vulnerability in Windows, designated CVE-2024-30051. This discovery was made while investigating the Windows DWM Core Library Elevation of Privilege vulnerability (CVE-2023-36033) in early April 2024. A patch was released on May 14, 2024, as part of Microsoft’s May Patch Tuesday.
On April 1, 2024, a document uploaded to VirusTotal caught the attention of Kaspersky researchers. The document, with a descriptive file name, hinted at a potential Windows OS vulnerability. Despite the broken English and missing details on how to trigger the vulnerability, the document described an exploitation process identical to the zero-day exploit for CVE-2023-36033, though the vulnerabilities differed. Suspecting the vulnerability to be either fictional or unexploitable, the team proceeded with their investigation. A quick check revealed that it was a genuine zero-day vulnerability capable of escalating system privileges.
Kaspersky promptly reported their findings to Microsoft, who verified the vulnerability and assigned it CVE-2024-30051.
Following the report, Kaspersky began monitoring for exploits and attacks using this zero-day vulnerability. By mid-April, the team detected an exploit for CVE-2024-30051, observing its use in conjunction with QakBot and other malware, indicating that multiple threat actors have access to this exploit.
"We found the document on VirusTotal intriguing due to its descriptive nature and decided to investigate further, which led us to discover this critical zero-day vulnerability," said Boris Larin, principal security researcher at Kaspersky GReAT. "The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and vigilance in cybersecurity."
Kaspersky plans to release technical details about CVE-2024-30051 once sufficient time has passed for most users to update their Windows systems. Kaspersky extends its gratitude to Microsoft for their prompt analysis and release of patches.
Kaspersky products have been updated to detect the exploitation of CVE-2024-30051 and related malware with the following verdicts:
- PDM:Exploit.Win32.Generic
- PDM:Trojan.Win32.Generic
- UDS:DangerousObject.Multi.Generic
- Trojan.Win32.Agent.gen
- Trojan.Win32.CobaltStrike.gen
Kaspersky has been tracking QakBot, a sophisticated banking Trojan, since its discovery in 2007. Originally designed to steal banking credentials, QakBot has evolved significantly, acquiring new functionalities such as email theft, keylogging, and the ability to spread itself and install ransomware. The malware is known for its frequent updates and enhancements, making it a persistent threat in the cybersecurity landscape. In recent years, QakBot has been observed leveraging other botnets, such as Emotet, for distribution.
More information is available via Securelist.