Friend
Professional
One wrong step and the system comes under the full control of intruders.
Chinese security researchers recently discovered real-world attacks exploiting the CVE-2024-30051 vulnerability (CVSS score 7.8), which was used in cyberattacks linked to QakBot, a well-known banking Trojan. The vulnerability was first noticed by Kaspersky Lab specialists in April 2024. The flaw lies in the "dwmcore.dll" library, which serves the Desktop Window Manager process in Windows.
By exploiting this vulnerability, attackers can manipulate the memory allocation process so that a buffer overflow occurs and data is written outside the allocated region. This paves the way for arbitrary code execution on the target machine.
The attackers exploited a vulnerability in DirectComposition, the Windows component responsible for composing visual elements. They sent specially crafted commands through vulnerable functions, which disrupted the normal operation of the system and made it possible to alter system processes and obtain elevated privileges.
Notably, the exploit relied on a sophisticated memory manipulation technique, including the creation of special objects such as CHolographicInteropTextureMarshaler. During the attack, the attackers injected malicious code into these objects and used them to control command execution at the system level.
After successfully exploiting the vulnerability, the attackers loaded malicious libraries that allowed them to execute arbitrary commands and run programs with elevated privileges. At one point the attackers even used the vulnerability to interact with the UAC (User Account Control) process in Windows, which gave them access to system functions and let them bypass standard security mechanisms.
Researchers note that such exploitation techniques point to the high skill level of the malware developers. In particular, experts suggest that QakBot has the resources to acquire and exploit 0-day vulnerabilities, which is consistent with its long and active history of cyberattacks.
According to experts, the number of such attacks can be expected to grow, especially from well-funded groups that use current vulnerabilities to attack large organizations.
Source
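The post describes the bug class only in outline: attacker influence over an allocation leads to a heap buffer overflow and writes outside the allocated region. The example below is added here to illustrate that class and is not code from dwmcore.dll, DirectComposition or the QakBot exploit; the marshaler structure, the ELEM_SIZE constant and every function name are hypothetical. It shows a caller-controlled element count whose 32-bit byte-size computation wraps, so the heap allocation is far smaller than the count later trusted by the write path, next to a hardened version that computes the size in 64 bits and bounds writes against the real allocation.

```c
/* Added illustration of the heap-overflow class described in the post.
 * Hypothetical marshaler object; not the real dwmcore.dll code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE 32u   /* bytes per marshaled element: an assumed value */

typedef struct {
    uint32_t count;   /* element count the caller claimed */
    uint32_t size;    /* bytes actually allocated */
    uint8_t *data;
} marshaler_t;

/* Vulnerable size computation: the 32-bit multiply wraps for count >= 2^27. */
uint32_t vuln_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened: compute in 64 bits and refuse any size that does not fit. */
bool safe_alloc_size(uint32_t count, uint32_t *out) {
    uint64_t need = (uint64_t)count * ELEM_SIZE;
    if (need > UINT32_MAX) return false;
    *out = (uint32_t)need;
    return true;
}

/* Vulnerable init: allocates the wrapped size but records the full count,
 * so later writes are bounds-checked against a number that is a lie. */
bool vuln_init(marshaler_t *m, uint32_t count) {
    m->size = vuln_alloc_size(count);
    m->data = malloc(m->size ? m->size : 1);
    if (!m->data) return false;
    m->count = count;
    return true;
}

/* Hardened init: rejects counts whose byte size cannot be represented. */
bool safe_init(marshaler_t *m, uint32_t count) {
    if (!safe_alloc_size(count, &m->size)) return false;
    m->data = malloc(m->size ? m->size : 1);
    if (!m->data) return false;
    m->count = count;
    return true;
}

/* True when writing element idx passes the "idx < count" check the vulnerable
 * code performs yet still lands past the end of the real allocation. */
bool write_escapes_buffer(const marshaler_t *m, uint32_t idx) {
    uint64_t end = ((uint64_t)idx + 1) * ELEM_SIZE;
    return idx < m->count && end > m->size;
}

/* Hardened write: bounds against the actual allocation, not the claimed count. */
bool safe_put(marshaler_t *m, uint32_t idx, const uint8_t elem[ELEM_SIZE]) {
    if (idx >= m->count || write_escapes_buffer(m, idx)) return false;
    memcpy(m->data + (size_t)idx * ELEM_SIZE, elem, ELEM_SIZE);
    return true;
}

void marshaler_free(marshaler_t *m) {
    free(m->data);
    m->data = NULL;
}

int main(void) {
    marshaler_t m;
    uint32_t bad = 0x08000001u;   /* 0x08000001 * 32 = 0x100000020, wraps to 32 */
    if (vuln_init(&m, bad)) {
        printf("claimed %u elements, allocated %u bytes; idx 1 escapes: %d\n",
               m.count, m.size, write_escapes_buffer(&m, 1));
        marshaler_free(&m);
    }
    printf("safe_init accepts the same count: %d\n", safe_init(&m, bad));
    return 0;
}
```

The vulnerable path never actually performs the out-of-bounds write (that would be undefined behaviour); write_escapes_buffer only reports whether the write would land outside the allocation, which is what a fuzzer harness or a code reviewer wants to know. The fix is the usual one for this class: derive every bound from the size that was really allocated, and reject oversized requests up front instead of letting integer wraparound silently shrink them.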