
Microsoft Patches Two Zero-Days Exploited for Malware Delivery

Microsoft patches CVE-2024-29988 and CVE-2024-26234, two zero-day vulnerabilities exploited by threat actors to deliver malware.


The largest batch of Patch Tuesday updates released by Microsoft since at least 2017 addresses two zero-day vulnerabilities that have been exploited to deliver malware.

Microsoft’s Patch Tuesday updates for April 2024 fix roughly 150 vulnerabilities, including two Windows flaws that appear to have been exploited in the wild.

One of them is CVE-2024-26234, which Microsoft has described as an important-severity proxy driver spoofing vulnerability.

Sophos, which reported the issue to Microsoft in December 2023, became aware of the malicious activity after receiving what was described as a false positive detection on an executable signed with a valid Windows Hardware Compatibility Program (WHCP) certificate.

Further analysis showed that the file was in fact a malicious backdoor, apparently associated with an Android screen mirroring application named LaiXi. The app is described as marketing software that can be used to “connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting to grow your audience”.

Sophos’ investigation showed that the malicious file embeds a very small freeware proxy server that researchers believe is used to monitor and intercept network traffic on infected systems.

The certificate used to sign the file analyzed by Sophos was requested by a company named Hainan YouHu Technology Co. Ltd, which is listed as the developer of LaiXi.

“We have no evidence to suggest that the LaiXi developers deliberately embedded the malicious file into their product, or that a threat actor conducted a supply chain attack to insert it into the compilation/building process of the LaiXi application,” Sophos explained.


It added, “However, we will note that given the links between LaiXi and the malicious backdoor we investigated […] users should exercise extreme caution when it comes to downloading, installing, and using LaiXi.”

Cybersecurity firm Stairwell published its own analysis of the LaiXi application and the malicious files back in January. 

Microsoft addressed the issue with the latest Patch Tuesday updates by adding the relevant files to its driver revocation list.

Microsoft’s advisory for CVE-2024-26234 confirms that the flaw has been exploited in the wild. Its advisory for the second vulnerability that appears to have been exploited, CVE-2024-29988, says nothing about malicious exploitation.

According to Trend Micro’s Zero Day Initiative, CVE-2024-29988 is a SmartScreen prompt security feature bypass that has been observed as being exploited in the wild. 

CVE-2024-29988 can be used to bypass Mark of the Web (MotW) checks, allowing a file downloaded from the internet to be opened without the SmartScreen prompt that MotW would normally trigger. ZDI’s Peter Girnus, who has been credited by Microsoft for reporting the vulnerability, said the flaw was found during research into a campaign conducted by the threat group Water Hydra (DarkCasino).

The Water Hydra attacks involved exploitation of CVE-2024-21412, which is similar to CVE-2024-29988. CVE-2024-21412 had been leveraged to bypass Microsoft Defender SmartScreen and deliver a piece of malware named DarkMe to financial market traders. 
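SmartScreen decides whether to prompt based on the Zone.Identifier alternate data stream (the Mark of the Web) that browsers write on downloaded files; a MotW bypass of the kind described above leaves a file with no such stream, or with a zone below Internet, so it runs without a prompt. The following PowerShell script is an added example, not code from the article, from Sophos, or from ZDI: it audits a folder for files that SmartScreen would and would not prompt on. The default folder (the user's Downloads directory) and the extension list are assumptions chosen for illustration.

```powershell
# Added example (not from the SecurityWeek article): audit Mark of the Web (MotW)
# on files in a folder. SmartScreen prompts only for files whose Zone.Identifier
# stream carries ZoneId=3 (Internet) or 4 (Restricted). Files with no stream, or a
# lower zone, open silently, which is exactly the state a MotW bypass produces.
param(
    # Assumed default; point this at any folder that receives downloaded files.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    # Assumed list of file types worth checking; extend as needed.
    [string[]]$Extensions = @('.exe', '.dll', '.msi', '.lnk', '.iso', '.vhd', '.vhdx', '.js', '.url', '.hta', '.scr')
)

function Get-MotwInfo {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    # Zone.Identifier is an NTFS alternate data stream. It is absent on files
    # created locally, on non-NTFS volumes (e.g. a mounted ISO), and on files that
    # a tool or an exploit has stripped it from.
    $stream = Get-Item -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{
            Path = $File.FullName; HasMotw = $false; ZoneId = $null
            ReferrerUrl = $null; HostUrl = $null; SmartScreenPrompt = $false
        }
    }

    # The stream is INI-style text: [ZoneTransfer], ZoneId=3, ReferrerUrl=..., HostUrl=...
    $zoneId = $null; $referrer = $null; $hostUrl = $null
    foreach ($line in (Get-Content -LiteralPath $File.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)) {
        if     ($line -match '^ZoneId=(\d+)\s*$')    { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.*)$')   { $referrer = $Matches[1].Trim() }
        elseif ($line -match '^HostUrl=(.*)$')       { $hostUrl  = $Matches[1].Trim() }
    }

    [pscustomobject]@{
        Path              = $File.FullName
        HasMotw           = $true
        ZoneId            = $zoneId
        ReferrerUrl       = $referrer
        HostUrl           = $hostUrl
        # 0 = Local machine, 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
        SmartScreenPrompt = ($null -ne $zoneId -and $zoneId -ge 3)
    }
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object { Get-MotwInfo -File $_ }

# Files that would open with no SmartScreen prompt. Anything here that arrived from
# outside the machine deserves a closer look: either the download path never set
# MotW, or something removed it.
Write-Host "Files in '$Path' that SmartScreen would NOT prompt on:" -ForegroundColor Yellow
$results | Where-Object { -not $_.SmartScreenPrompt } |
    Format-Table Path, HasMotw, ZoneId, HostUrl -AutoSize

Write-Host "Files carrying an Internet/Restricted MotW (SmartScreen will prompt):" -ForegroundColor Green
$results | Where-Object { $_.SmartScreenPrompt } |
    Format-Table Path, ZoneId, HostUrl -AutoSize
```

Run it as `.\Audit-Motw.ps1 -Path C:\Users\alice\Downloads` (hypothetical script name and path). A file listed in the first table with `HasMotw = False` does not by itself indicate exploitation; archive extractors, some download tools and non-NTFS media also leave files without the stream. The useful signal is a file you know came from the internet that has no Internet-zone mark.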

Related: Microsoft SmartScreen Zero-Day Exploited to Deliver Magniber Ransomware

Related: Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
