CVE-2024-51324
published 2025-02-11


Priority: P1 (80)
CVSS 3.1: 3.8 (low)
Tags: Exploited in the wild, VulnCheck KEV, Ransomware
EPSS: 0.47% (37.1th percentile)
An issue in the BdApiUtil driver of Baidu Antivirus v5.2.3.116083 allows attackers to terminate arbitrary process via executing a BYOVD (Bring Your Own Vulnerable Driver) attack.

Detection & IOCs (extracted from sources)

  • other: 0x800024b4 (IOCTL code, see detection notes below)
  • registry: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • command: netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow
  • command: C:\AnyDesk.exe --install C:\Program Files (x86)\AnyDesk --start-with-win --silent --update-disabled
  • command: SystemSettingsAdminFlows.exe Defender RTP 1
  • command: SystemSettingsAdminFlows.exe Defender SpynetReporting 0
  • command: SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0
  • command: SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1
  • other: 10581067105910871088211520721049106420921068109010791065111492178193 (DeadLock config seed string)
  • other: Win.Tool.EDRKiller-10058432-0
  • snort: SID 65576
  • snort: SID 65575
  • snort: SID 301358
  • Detect IOCTL 0x800024b4 sent to the \\.\BdApiUtil device — this is the specific control code used to trigger the CVE-2024-51324 kernel-level process termination primitive from user mode.
  • Detect PowerShell launched with 'exec bypass' and the 'RunAs' verb (UAC bypass pattern) followed by mass service stop/disable commands — this is the pre-encryption preparation script used by the DeadLock actor.
  • Detect use of SystemSettingsAdminFlows.exe with Defender-related arguments (RTP, SpynetReporting, SubmitSamplesConsent, DisableEnhancedNotifications) — used as a living-off-the-land binary to disable Windows Defender without direct registry writes.
  • Monitor for AnyDesk silent installation with --update-disabled and --start-with-win flags from an unusual parent process or path — used by the actor to establish persistent remote access one day before encryption.
  • Detect the DeadLock ransomware configuration delimiter pattern: pipe-separated 8,888-byte embedded config block with the hardcoded seed string '10581067105910871088211520721049106420921068109010791065111492178193'.
  • Alert on reg add setting fDenyTSConnections to 0 combined with a netsh firewall rule opening TCP/3389 in the same session — this is the actor's RDP enablement sequence.
  • The DeadLock ransomware embeds an 8,888-byte pipe-delimited configuration block directly in the binary covering crypto seed, timing, kill lists, excluded extensions/paths, campaign ID, ransom note, and visual data — defenders should parse this structure when analyzing samples.
  • The ransomware uses time-based cryptographic keys derived from timing parameters (1000, 0055242988) in the config — static key extraction may be insufficient; timing context at execution is required for decryption.
  • The actor disabled several commands in the PowerShell script (network share deletion, alternative process termination methods) — these may be re-enabled in future variants, so defenders should not assume the observed script represents the full capability.
  • DeadLock does not operate a data leak site; victim contact is exclusively via Session messenger — traditional dark-web leak site monitoring will not provide early warning for this actor.
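The host-level detections in the notes above (the Defender-disabling use of SystemSettingsAdminFlows.exe, the AnyDesk silent install flags, and the reg add plus netsh RDP enablement sequence correlated within one logon session) can be expressed as a small rule set over process-creation telemetry. The following is an added example written for this page, not code from cvebase or from any of the cited reports; it assumes process events (Sysmon Event ID 1 or an EDR equivalent) already flattened to JSON lines with the hypothetical field names `session`, `image` and `cmdline`, and the sample events are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Defender sub-flows the actor passed to SystemSettingsAdminFlows.exe (taken from the IOC list above).
DEFENDER_FLOW_ARGS = {"RTP", "SpynetReporting", "SubmitSamplesConsent", "DisableEnhancedNotifications"}

# reg add ... fDenyTSConnections /t REG_DWORD /d 0  (Remote Desktop switched on)
RE_RDP_REG = re.compile(r"fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)
# netsh rule allowing inbound TCP/3389
RE_RDP_FW = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b.*\baction=allow\b", re.I)


def parse_events(jsonl_text):
    """Turn JSON-lines telemetry into a list of event dicts (blank lines ignored)."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def detect_defender_lolbin(ev):
    """Flag SystemSettingsAdminFlows.exe invoked with a Defender-related argument."""
    if not ev["image"].lower().endswith("systemsettingsadminflows.exe"):
        return None
    tokens = ev["cmdline"].split()
    if "Defender" in tokens and DEFENDER_FLOW_ARGS & set(tokens):
        return "defender_disable_via_SystemSettingsAdminFlows"
    return None


def detect_anydesk_silent_install(ev):
    """Flag an AnyDesk silent install that also requests autostart or disables updates."""
    cmd = ev["cmdline"].lower()
    if "anydesk" in ev["image"].lower() and "--install" in cmd and "--silent" in cmd \
            and ("--update-disabled" in cmd or "--start-with-win" in cmd):
        return "anydesk_silent_persistent_install"
    return None


def detect_rdp_enablement(events):
    """Session-level correlation: the registry change AND the firewall rule in the same session."""
    seen = defaultdict(set)
    for ev in events:
        if RE_RDP_REG.search(ev["cmdline"]):
            seen[ev["session"]].add("reg")
        if RE_RDP_FW.search(ev["cmdline"]):
            seen[ev["session"]].add("fw")
    return sorted(s for s, parts in seen.items() if parts == {"reg", "fw"})


def scan(jsonl_text):
    """Run every check; returns (session, rule_name, detail) tuples in detection order."""
    events = parse_events(jsonl_text)
    findings = []
    for ev in events:
        for check in (detect_defender_lolbin, detect_anydesk_silent_install):
            rule = check(ev)
            if rule:
                findings.append((ev["session"], rule, ev["cmdline"]))
    for session in detect_rdp_enablement(events):
        findings.append((session, "rdp_enablement_sequence",
                         "reg add fDenyTSConnections=0 + netsh TCP/3389 allow in one session"))
    return findings


# Constructed sample telemetry (not real logs). Session S1 replays the sequence from the IOC list;
# S2 is an administrator enabling RDP through the registry only and launching AnyDesk interactively.
SAMPLE_EVENTS = r"""
{"session": "S1", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"}
{"session": "S1", "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh advfirewall firewall add rule name=allow RemoteDesktop dir=in protocol=TCP localport=3389 action=allow"}
{"session": "S1", "image": "C:\\AnyDesk.exe", "cmdline": "C:\\AnyDesk.exe --install C:\\Program Files (x86)\\AnyDesk --start-with-win --silent --update-disabled"}
{"session": "S1", "image": "C:\\Windows\\ImmersiveControlPanel\\SystemSettingsAdminFlows.exe", "cmdline": "SystemSettingsAdminFlows.exe Defender RTP 1"}
{"session": "S2", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"}
{"session": "S2", "image": "C:\\Users\\admin\\Downloads\\AnyDesk.exe", "cmdline": "C:\\Users\\admin\\Downloads\\AnyDesk.exe"}
"""

if __name__ == "__main__":
    for session, rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{session}] {rule}: {detail}")
```

The RDP rule deliberately fires only when both halves of the sequence land in one session, which is what keeps a lone administrative `reg add` (session S2) quiet; in production the same correlation key could be the logon ID or host plus a short time window. The parent-process and path checks the AnyDesk note calls for are left to the reader's environment, since what counts as an unusual parent depends on how the software is normally deployed.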

CVSS provenance

NVD (CVSS v3.1): 3.8 LOW, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
VulnCheck: 3.8 LOW