
    RomCom Exploits Zero-Day Vulnerabilities in Firefox and Windows for Complex Cyber Intrusions

    The Russia-aligned cyber adversary, RomCom, has been implicated in leveraging two newly identified zero-day vulnerabilities—one targeting Mozilla Firefox and the other compromising Microsoft Windows—in a sophisticated campaign to propagate its bespoke backdoor malware.

    According to ESET’s detailed analysis shared with The Hacker News, “A successful compromise enables an attacker to execute arbitrary commands on the victim’s machine without requiring any user interaction. This zero-click methodology facilitates the clandestine installation of RomCom’s backdoor.”

    The vulnerabilities exploited include the following:

    • CVE-2024-9680 (CVSS score: 9.8): A critical use-after-free flaw in Firefox’s animation subsystem (patched by Mozilla in October 2024).
    • CVE-2024-49039 (CVSS score: 8.8): A privilege escalation loophole in Windows Task Scheduler (remediated by Microsoft in November 2024).

    RomCom, also referred to as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, or Void Rabisu, has maintained a dual-pronged strategy of cybercrime and espionage operations since its emergence in 2022. These campaigns are distinguished by their deployment of RomCom RAT, a robust malware tool capable of command execution and modular payload retrieval.

    Intrusion Pathway and Methodology

    The Slovakian cybersecurity firm unearthed a chain of attacks involving a counterfeit website, economistjournal[.]cloud, which funnels unsuspecting victims to a payload-distributing server, redjournal[.]cloud. This server orchestrates the exploitation of both vulnerabilities in unison, enabling arbitrary code execution and the subsequent deployment of the RomCom RAT.

    ESET has yet to ascertain the precise method by which users are lured to the spoofed website. However, analysis reveals that the exploit activates when users access the site via a Firefox browser version vulnerable to CVE-2024-9680.
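As an added defender-side example (not from ESET's report or this article), the redirection chain described above can be hunted for in web-proxy logs: the two reported domains are refanged and matched against request hostnames, and any client that reached the lure site and later the payload server is flagged. The log format and the sample lines are constructed for the example.

```python
from urllib.parse import urlparse

# Domains reported in the article, kept defanged the way the article prints them.
LURE_DOMAIN = "economistjournal[.]cloud"
PAYLOAD_DOMAIN = "redjournal[.]cloud"

def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so the indicator compares with real hostnames."""
    return indicator.replace("[.]", ".").lower()

def host_matches(hostname: str, indicator: str) -> bool:
    """True if hostname is the indicator domain or any subdomain of it."""
    domain = refang(indicator)
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)

def scan_proxy_log(lines):
    """Per-client hits on the lure and payload domains, in log order.
    Constructed log format: <timestamp> <client_ip> <method> <url> <status>"""
    hits = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, _status = parts
        hostname = urlparse(url).hostname or ""
        for label, ioc in (("lure", LURE_DOMAIN), ("payload", PAYLOAD_DOMAIN)):
            if host_matches(hostname, ioc):
                hits.setdefault(client, []).append((ts, label, hostname))
    return hits

def clients_showing_full_chain(hits):
    """Clients that reached the lure site and later the payload server."""
    flagged = []
    for client, events in hits.items():
        labels = [label for _ts, label, _host in events]
        if "lure" in labels and "payload" in labels[labels.index("lure"):]:
            flagged.append(client)
    return sorted(flagged)

# Constructed sample proxy log lines for the demonstration.
SAMPLE_LOG = """\
2024-10-08T09:12:01Z 10.0.0.15 GET https://www.example.org/news 200
2024-10-08T09:12:44Z 10.0.0.15 GET https://economistjournal.cloud/ 302
2024-10-08T09:12:45Z 10.0.0.15 GET https://redjournal.cloud/ 200
2024-10-08T09:13:10Z 10.0.0.22 GET https://notredjournal.cloud/ 200
2024-10-08T09:14:02Z 10.0.0.31 GET https://cdn.redjournal.cloud/x 200
""".splitlines()
```

Matching is anchored on hostname boundaries, so a look-alike such as notredjournal.cloud is not reported while a subdomain of a reported domain is.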

    “If a compromised browser encounters this exploit-laden webpage, the vulnerability is triggered, leading to the execution of shellcode within a content process,” ESET explained.

    The shellcode operates in two stages: the initial phase retrieves and sets the stage for the secondary payload by marking necessary memory pages as executable. The second phase employs a PE loader—built on the open-source Shellcode Reflective DLL Injection (RDI) framework—to facilitate further actions.

    This sequence enables a sandbox escape within Firefox, ultimately leading to the download and execution of the RomCom RAT. The exploitation hinges on an embedded library, “PocLowIL,” which weaponizes the Windows Task Scheduler vulnerability to bypass browser security confines and escalate privileges.

    Geographical Impact and Broader Implications

    ESET’s telemetry indicates that the majority of affected users are concentrated in Europe and North America. The simultaneous discovery of CVE-2024-49039 by Google’s Threat Analysis Group (TAG) underscores the potential involvement of multiple threat actors leveraging this zero-day flaw.

    This marks RomCom’s second recorded instance of active zero-day exploitation, following its abuse of CVE-2023-36884 via Microsoft Word in mid-2023.

    ESET emphasized the advanced nature of these attacks: “By chaining together two zero-day vulnerabilities, RomCom has crafted an exploit framework requiring no user interaction. This intricate approach underscores the group’s capacity to obtain or engineer highly covert and effective tools.”
