Alright, let's talk shop. Just when you thought Qakbot had packed its bags after the 2023 takedown, it resurfaced, meaner and with a fresh Windows zero-day in its kit. Forget the old tricks; this time it's hitting where it hurts: your Windows desktop, no questions asked, thanks to bugs Microsoft only just patched. If you're running Windows, and let's be real, most of you are, you need to pay attention.

This isn't some complex supply chain attack or a sophisticated APT zero-day targeting obscure firmware. This is good old-fashioned Windows exploitation, delivered by one of the most persistent botnets out there. We're talking about CVE-2024-30051, an elevation-of-privilege vulnerability in the Windows DWM Core Library, and CVE-2024-30050, a Mark-of-the-Web bypass. Both were fixed in the May 2024 Patch Tuesday release, and the DWM bug was already in Qakbot's hands before the fix shipped.
The Desktop's Brain: DWM Core Library Privilege Escalation (CVE-2024-30051)
Let's break down CVE-2024-30051. The DWM Core Library is the core of the Desktop Window Manager, the compositor for your Windows desktop. It's the engine that makes your windows look pretty and handles Aero Peek, live thumbnails, and all that visual flair. Every application on the box feeds it input, and it runs in its own account, separate from the logged-on user. Note the classification, because the name matters: this is a local elevation of privilege, not remote code execution. You need code already running on the machine, and in exchange the bug hands you SYSTEM.
An elevation-of-privilege bug in DWM means an attacker who already has code running on the box, typically after a user clicks a malicious file, can use it to jump from a low-privileged user context straight to SYSTEM. If you've spent any time on Windows, you know SYSTEM is essentially God-mode on the box. It's game over. From there: persistent implants, credential theft, lateral movement, data exfiltration, whatever the attacker's heart desires.
This isn't some theoretical vulnerability. It was being exploited in the wild before the patch shipped, in what looks like the Qakbot infection chain. A user gets phished, runs a script, and then the exploit kicks in to elevate privileges so the malware can burrow deep into the system without much fuss. It's a classic privilege escalation, in a component that rarely gets a second look.
Bypassing Trust: The Mark-of-the-Web Skip (CVE-2024-30050)
Now, let's talk about CVE-2024-30050. This one's a Mark-of-the-Web (MotW) bypass. If you're not familiar, MotW is how Windows remembers where a file came from. When a browser or mail client saves a file from the internet, it writes an NTFS alternate data stream named Zone.Identifier alongside the file, containing something like [ZoneTransfer] ZoneId=3 (zone 3 is the Internet zone). Explorer, SmartScreen and Office all read that stream: it's why you get those pesky 'Are you sure you want to run this file?' warnings, and why Office opens internet-sourced documents in Protected View with macros blocked.
MotW is a pretty effective speed bump for attackers. It forces users to explicitly acknowledge risk, and it gives security tools a heads-up. But Qakbot found a way around it. This bypass means a file that really came from the internet gets handled as if it were local or from the intranet: no mark to read, so no warning, no Protected View, no macro block, just a straight shot to execution.
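Here's what that stream actually looks like and how to check for it. This is an added example written for this post, not code from the original page or from Microsoft: a parser for the Zone.Identifier text, a reader that opens the stream on NTFS through the file:Zone.Identifier path syntax, and a verdict function for what the OS would normally do. The sample streams are constructed; the example.invalid URLs are placeholders.

```python
"""Mark-of-the-Web check: parse the Zone.Identifier alternate data stream and
say what Windows would do with the file. Added example, not code from the
post; the sample streams below are constructed."""
import configparser
import sys
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written into Zone.Identifier by browsers and the shell.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class MotW:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def untrusted(self) -> bool:
        # SmartScreen, Protected View and macro blocking key off zones 3 and 4.
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MotW]:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns None for an empty, malformed or ZoneId-less stream, which is
    exactly what a stripped or never-written mark looks like to the OS."""
    text = stream.replace("\r\n", "\n").strip()
    if not text:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    zone = cp.get("ZoneTransfer", "ZoneId", fallback=None)
    if zone is None or not zone.strip().isdigit():
        return None
    return MotW(
        zone_id=int(zone),
        referrer_url=cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        host_url=cp.get("ZoneTransfer", "HostUrl", fallback=None),
    )


def read_motw(path: str) -> Optional[MotW]:
    """Read the stream from a real file. NTFS exposes alternate data streams
    through the 'file:stream' path syntax, so this only works on Windows."""
    if not sys.platform.startswith("win"):
        raise OSError("Zone.Identifier streams are only readable on Windows/NTFS")
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None  # no stream at all: Windows treats the file as local


def verdict(motw: Optional[MotW]) -> str:
    """What the OS does with the file when nothing is bypassing MotW."""
    if motw is None:
        return "no MotW: no SmartScreen prompt, no Protected View, macros allowed"
    if motw.untrusted:
        return (f"MotW zone {motw.zone_id} ({motw.zone_name}): "
                "SmartScreen prompt, Protected View, macros blocked")
    return f"MotW zone {motw.zone_id} ({motw.zone_name}): treated as trusted"


# Constructed samples: a normal browser download, a local-zone mark, and the
# empty result you get when the stream was stripped or never written.
SAMPLE_DOWNLOADED = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.zip\r\n"
)
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"
SAMPLE_STRIPPED = ""

if __name__ == "__main__":
    for name, sample in [("downloaded", SAMPLE_DOWNLOADED),
                         ("local", SAMPLE_LOCAL), ("stripped", SAMPLE_STRIPPED)]:
        print(f"{name:10s} -> {verdict(parse_zone_identifier(sample))}")
```

On a Windows box, `Get-Content -Path .\invoice.zip -Stream Zone.Identifier` in PowerShell shows the same text that `read_motw` reads. The useful hunt is the negative case: a freshly written file under a user's Downloads or Temp directory with no Zone.Identifier stream at all, or with a ZoneId below 3, when the file demonstrably arrived by mail or browser.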
Combine this with the DWM bug and you have a nasty cocktail. Phishing email delivers a document or a zip file. User opens it. Thanks to CVE-2024-30050, Windows doesn't flag it as internet-sourced. The payload executes, potentially leveraging CVE-2024-30051 to get SYSTEM, and boom, Qakbot is running with SYSTEM privileges, ready to wreak havoc. It's like letting a stranger into your house and then handing them the keys to your safe.

Qakbot's New Attack Chain: From Phish to Pwn
Qakbot, also known as QBot or Pinkslipbot, has been a thorn in everyone's side for well over a decade. It started life as a banking trojan and evolved into a modular, full-blown botnet used for ransomware delivery, information stealing, and more. When it gets new zero-days, you know it's going to use them effectively.
The typical Qakbot infection chain starts with phishing: hijacked email threads and malicious attachments (ZIPs, ISOs, LNKs, password-protected documents). With these new vulnerabilities, the chain likely looks something like this:
- Initial Access: Phishing email with a malicious attachment (T1566.001 - Phishing: Spearphishing Attachment).
- Execution: The attachment contains a script or executable. CVE-2024-30050 defeats MotW, so the payload runs without a security prompt or Protected View (T1204.002 - User Execution: Malicious File).
- Privilege Escalation: The initial payload exploits CVE-2024-30051 in the DWM Core Library to elevate to SYSTEM (T1068 - Exploitation for Privilege Escalation).
- Further Actions: With SYSTEM access, Qakbot establishes persistence (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), performs discovery, collects credentials, and stages lateral movement or ransomware deployment. It typically runs its modules through command and scripting interpreters such as PowerShell or cmd.exe (T1059.001 - PowerShell, T1059.003 - Windows Command Shell).
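To make that chain concrete on the defender's side, here is a small detector run over process-creation events. It is an added example for this post, not Qakbot's code and not any vendor's EDR logic: the pipe-delimited log format, the field names, the broker allow-list and the sample events are all constructed assumptions. It flags the two links an EDR should see in the chain above: an Office process spawning a script host, and a process running as SYSTEM whose parent ran as an ordinary user.

```python
"""Detection pass over process-creation events for the chain above:
Office spawning a script host, then a user-context process producing a
SYSTEM child. Added example; the log format, field names and sample
events are constructed for this post, not a real EDR schema."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Parents that legitimately start SYSTEM processes for users. Assumption for
# this example: anything else producing a SYSTEM child from a user context
# is worth an alert (T1068-style escalation).
ELEVATION_BROKERS = {"services.exe", "svchost.exe", "wininit.exe",
                     "consent.exe", "msiexec.exe"}

Alert = Tuple[str, int, str]  # (rule, pid, detail)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    user: str
    image: str
    cmdline: str


def parse_events(log: str) -> List[ProcEvent]:
    """Parse the constructed format: pid|ppid|user|image|cmdline per line."""
    events = []
    for line in log.strip().splitlines():
        pid, ppid, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(int(pid), int(ppid), user.strip(),
                                image.strip().lower(), cmdline))
    return events


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Return alerts for Office->script-host spawns and user->SYSTEM jumps."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the window; nothing to compare against
        if parent.image in OFFICE_APPS and e.image in SCRIPT_HOSTS:
            alerts.append(("office_spawns_script", e.pid,
                           f"{parent.image} -> {e.image}: {e.cmdline}"))
        if (e.user.upper() == SYSTEM_USER
                and parent.user.upper() != SYSTEM_USER
                and parent.image not in ELEVATION_BROKERS):
            alerts.append(("user_to_system_jump", e.pid,
                           f"{parent.image} as {parent.user} -> {e.image} as SYSTEM"))
    return alerts


# Constructed sample: Word opens a macro doc, drops a JScript loader that
# registers a DLL, and the DLL's child pops out as SYSTEM. The last two
# lines are benign noise the rules must not fire on.
SAMPLE_LOG = r"""
4012|812|CORP\alice|explorer.exe|C:\Windows\explorer.exe
5120|4012|CORP\alice|WINWORD.EXE|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Invoice.docm
5388|5120|CORP\alice|wscript.exe|wscript.exe C:\Users\alice\AppData\Local\Temp\inv.js
5402|5388|CORP\alice|regsvr32.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll
5577|5402|NT AUTHORITY\SYSTEM|cmd.exe|cmd.exe /c whoami
6001|812|CORP\alice|notepad.exe|notepad.exe
6100|612|NT AUTHORITY\SYSTEM|svchost.exe|svchost.exe -k netsvcs
"""

if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid} {detail}")
```

The second rule is deliberately parent-based rather than image-based: the DWM exploit doesn't leave a characteristic child process, so what you can reliably see is a process tree rooted in a phished user's session suddenly containing SYSTEM. Tune ELEVATION_BROKERS to your estate before trusting it, and pair it with the Zone.Identifier check on whatever the Office process opened.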
"This isn't some theoretical vulnerability. It's been actively exploited in the wild, likely as part of the Qakbot infection chain."
What You Need To Do – Yesterday.
Look, these aren't vulnerabilities you can sweep under the rug. Active exploitation by a major botnet means these holes are being leveraged right now to compromise systems globally. Don't be that guy who waits.
Actionable Takeaways:
- Patch Immediately: Apply the May 2024 Patch Tuesday updates for Windows. Specifically, make sure the fixes for CVE-2024-30051 and CVE-2024-30050 are installed. This is non-negotiable.
- Strengthen Email Security: Implement robust email filtering to catch phishing attempts before they reach users. This includes DMARC, SPF, DKIM, and advanced threat protection that scans attachments and links.
- User Awareness Training: Regularly train your users to spot and report phishing emails. No tech solution is foolproof if users are clicking every suspicious link. Remind them about checking sender details, looking for inconsistencies, and verifying unusual requests.
- Endpoint Detection and Response (EDR): Ensure your EDR solution is up-to-date and configured to flag Office or archive handlers spawning script interpreters, user-context processes producing SYSTEM children, and the outbound C2 traffic that follows. A jump to SYSTEM out of a phished user's session should trip a few alarms.
- Principle of Least Privilege: Enforce least privilege across your organization. Even if Qakbot gains initial access, limiting user permissions can reduce the blast radius and make it harder for the malware to escalate or move laterally.
- Disable Unnecessary Features: If you're not using certain features that could be abused, disable them. DWM is core and can't be switched off, so the realistic lever here is the file-handling layer: block the container formats Qakbot favors (ISO, IMG, VHD, password-protected archives) at the mail gateway, keep Office's block on macros from internet-sourced files in place, and scrutinize other Windows components for exposure you don't need.
