The Russian threat actor known as RomCom has been linked to the exploitation of two zero-day security flaws, one in Mozilla Firefox and the other in Microsoft Windows, in attacks aimed at delivering a backdoor of the same name to victim systems.
“In a successful attack, when the victim views a web page containing the exploit, the adversary can run arbitrary code – without the need for user interaction (zero click) – which in this case resulted in the RomCom backdoor being installed on the victim’s computer,” ESET said in a report shared with The Hacker News.
The vulnerabilities in question are listed below –
- CVE-2024-9680 (CVSS score: 9.8) – Use-after-free vulnerability in the Firefox animation component (fixed by Mozilla in October 2024)
- CVE-2024-49039 (CVSS score: 8.8) – Windows Task Scheduler elevation of privilege vulnerability (fixed by Microsoft in November 2024)
RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a track record of conducting both cybercrime and espionage operations since at least 2022.
These attacks are characterized by the deployment of the RomCom RAT, an actively supported piece of malware capable of executing commands and loading additional modules onto the victim’s machine.
The attack chain discovered by the Slovak cybersecurity company involved the use of a fake website (economistjournal(.)cloud) that redirects potential victims to a server (redjournal(.)cloud) hosting a malicious payload, which in turn chains both flaws together to achieve code execution and drop the RomCom RAT.
It is currently unknown how the links to the fake site are distributed, but it has been discovered that the exploit is triggered when the site is visited from a vulnerable version of the Firefox browser.
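For defenders, the two domains named above are the most immediately actionable detail in the report. The following Python script is an added example, not code from ESET or The Hacker News: it refangs indicators written in the article's `(.)` notation and sweeps a DNS query log for exact or subdomain matches, so that a look-alike such as a host merely ending in the same string is not mistaken for a hit. The log format, client addresses and all hostnames other than the two reported domains are constructed for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Domains named in the ESET report, kept in the defanged form the article
# prints them in; refang() converts them before matching.
REPORTED_INDICATORS = [
    "economistjournal(.)cloud",
    "redjournal(.)cloud",
]


def refang(indicator: str) -> str:
    """Turn defanged notation such as 'example(.)com', 'example[.]com' or
    'hxxps://example[.]com/path' into a plain lowercase hostname."""
    host = indicator.strip().lower()
    for defang in ("(.)", "[.]", "{.}"):
        host = host.replace(defang, ".")
    host = re.sub(r"^hxxps?://|^https?://", "", host)
    host = host.split("/", 1)[0]           # drop any path component
    return host.strip(".")


def host_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.
    'notredjournal.cloud' must NOT match 'redjournal.cloud'."""
    host = host.lower().strip(".")
    return host == indicator or host.endswith("." + indicator)


# Constructed sample log in a simplified "timestamp client query TYPE host"
# format; this is not real telemetry, and the other hostnames are made up.
SAMPLE_DNS_LOG = """\
2024-10-08T09:14:02Z 10.0.0.21 query A www.example-news.test
2024-10-08T09:14:05Z 10.0.0.21 query A economistjournal.cloud
2024-10-08T09:14:06Z 10.0.0.21 query A cdn.redjournal.cloud
2024-10-08T09:15:40Z 10.0.0.33 query A updates.example.test
2024-10-08T09:16:11Z 10.0.0.33 query A notredjournal.cloud
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<host>\S+)$"
)


def find_hits(
    log_lines: Iterable[str],
    indicators: List[str] = REPORTED_INDICATORS,
) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried_host, matched_indicator) for each
    log line whose queried host is an indicator or a subdomain of one."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # skip lines in another format
        for ind in refanged:
            if host_matches(m.group("host"), ind):
                hits.append((m.group("ts"), m.group("client"),
                             m.group("host"), ind))
                break
    return hits


if __name__ == "__main__":
    for ts, client, host, ind in find_hits(SAMPLE_DNS_LOG.splitlines()):
        print(f"{ts} {client} queried {host} (matches {ind})")
```

Run against the constructed log, the script flags the client that resolved economistjournal.cloud and then cdn.redjournal.cloud in close succession, which is the redirect-then-payload sequence the report describes; the suffix check is what keeps the unrelated notredjournal.cloud lookup out of the results.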
“When a victim using a vulnerable browser visits a web page that serves this exploit, the vulnerability is triggered and shellcode is executed in the content process,” ESET explained.
“The shellcode consists of two parts: the first retrieves the second from memory and marks the pages containing it as executable, and the second implements a PE loader based on the open source Shellcode Reflective DLL Injection (RDI) project.”
The result is a sandbox escape for Firefox that ultimately leads to the RomCom RAT being downloaded and run on the compromised system. This is achieved by means of an embedded library (“PocLowIL”) designed to break out of the browser’s sandboxed content process by exploiting the Windows Task Scheduler flaw to gain elevated privileges.
Telemetry data collected by ESET shows that the majority of victims who visited the site with the exploit were located in Europe and North America.
The fact that CVE-2024-49039 was also independently discovered and reported to Microsoft by Google’s Threat Analysis Group (TAG) suggests that more than one threat actor could have used it as a zero-day.
It’s also worth noting that this is the second time RomCom has been caught exploiting a zero-day vulnerability in the wild, after it abused CVE-2023-36884 via Microsoft Word in June 2023.
“The combination of two zero-day vulnerabilities armed RomCom with an exploit that does not require user interaction,” ESET said. “This level of sophistication indicates the will and means of the threat actor to obtain or develop latent capabilities.”