Chinese Researchers Expose QakBot’s New Weapon: CVE-2024-30051
Chinese security researchers have published an analysis of in-the-wild attacks exploiting CVE-2024-30051 (CVSS 7.8), an elevation-of-privilege vulnerability that has been linked to campaigns delivering QakBot, a long-running banking trojan that now operates mainly as a malware loader. Kaspersky researchers first identified the flaw in April 2024, and Microsoft fixed it in the May 2024 Patch Tuesday release. The bug lives in “dwmcore.dll”, the Desktop Window Manager core library loaded by the dwm.exe process on Windows.
The flaw is a heap-based buffer overflow: by influencing the size of an allocation the library makes, an attacker can cause data to be written past the end of the allocated buffer and corrupt whatever sits next to it on the heap. Because dwm.exe is a privileged process that any local user can feed input to, that out-of-bounds write can be turned into code execution inside DWM and, from there, into SYSTEM privileges. This is local privilege escalation, not remote code execution: the attacker already needs a foothold on the machine, which is exactly what a QakBot infection provides.
The vulnerable code path is in DirectComposition, the Windows component through which applications describe the visual elements that DWM composes on screen. An unprivileged process can submit DirectComposition commands that DWM then processes in its own address space; the exploit sends specially crafted commands to the vulnerable functions, corrupting DWM’s memory and ultimately letting the attacker run code with the privileges of that process.
Notably, the exploit relies on careful heap manipulation. The researchers describe it creating specific DirectComposition marshaler objects, CHolographicInteropTextureMarshaler among them, so that the overflow lands on an object of the attacker’s choosing. Placing attacker-controlled data in such an object lets the exploit redirect DWM’s execution to code of the attacker’s choosing and issue commands at the system level.
Once code execution inside DWM was achieved, the attackers loaded malicious libraries into the process and used the elevated context to execute arbitrary commands and launch programs with elevated privileges. The researchers also observed the exploit interacting with the Windows User Account Control (UAC) process, which gave the attackers access to system functions while bypassing the controls UAC would normally enforce. For defenders, both behaviours are abnormal for dwm.exe: it does not normally load libraries from outside the Windows directory, and it does not normally start child processes, so either event is a useful hunting signal for this class of exploit.
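The hunting logic below is an added example, not code from the article or from the researchers it describes. It flags the two post-exploitation behaviours described above: dwm.exe loading a module from outside the Windows directory (or with an invalid signature) and dwm.exe spawning a child process. The field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate), the sample events are constructed for this illustration, and the trusted-directory list is an assumption that covers system libraries and the GPU user-mode drivers DWM loads from DriverStore under System32.

```python
# Added hunting example (not from the original article): flag behaviour that a
# DWM privilege-escalation exploit leaves behind, namely dwm.exe loading an
# untrusted library and dwm.exe launching child processes. Event field names
# follow Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate); the
# events below are constructed, not captured from a real incident.
import ntpath
from typing import Dict, List, Optional

# Assumption: directories from which dwm.exe legitimately loads code. System32
# also covers DriverStore\FileRepository, where GPU user-mode drivers live.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_dwm(path: str) -> bool:
    return _basename(path) == "dwm.exe"


def _in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def check_event(event: Dict) -> Optional[Dict]:
    """Return a finding for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 7 and _is_dwm(event.get("Image", "")):
        loaded = event.get("ImageLoaded", "")
        untrusted_path = not _in_trusted_dir(loaded)
        bad_sig = event.get("SignatureStatus") != "Valid"
        if untrusted_path or bad_sig:
            return {
                "rule": "dwm_untrusted_module",
                "detail": loaded,
                "reason": "path" if untrusted_path else "signature",
            }
    if eid == 1 and _is_dwm(event.get("ParentImage", "")):
        # dwm.exe does not normally start processes; a child here is a strong
        # indicator that code running inside DWM is attacker-controlled.
        return {
            "rule": "dwm_child_process",
            "detail": event.get("CommandLine", event.get("Image", "")),
            "reason": event.get("IntegrityLevel", "unknown"),
        }
    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Run check_event over a batch of events and keep the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry: two benign image loads, one suspicious load,
# one suspicious process creation and one benign process creation.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\dwm.exe",
     "ImageLoaded": "C:\\Windows\\System32\\dwmcore.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Example\\helper.dll",
     "SignatureStatus": "Valid", "Signature": "Example Corp"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\dwm.exe",
     "ImageLoaded": "C:\\ProgramData\\tmp\\stage2.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\dwm.exe",
     "CommandLine": "cmd.exe /c whoami", "IntegrityLevel": "System"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed sample, the two dwm.exe anomalies are reported and the three ordinary events are ignored. In production the same two rules map directly onto Sysmon or EDR queries; the signature check matters because a trusted path alone does not help if the attacker can write into a directory that DWM trusts.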
The researchers note that an exploit of this quality points to well-resourced developers. In particular, QakBot’s operators were evidently able to acquire and deploy a zero-day before a patch existed, which confirms that the group remains active and capable despite the law-enforcement takedown of its infrastructure in August 2023 and its long history of attacks.
The researchers expect more attacks of this kind, particularly from well-funded, financially motivated groups that pair fresh privilege-escalation vulnerabilities with commodity malware to target large organizations. The practical response is unchanged: apply the May 2024 Windows security updates, and treat unexpected library loads or child processes under dwm.exe as an incident until proven otherwise.