Russian RomCom Exploits Zero-Day Flaws in Firefox and Windows


In a sophisticated wave of cyberattacks, the Russia-linked threat group RomCom has exploited two zero-day vulnerabilities—one in Mozilla Firefox and the other in Microsoft Windows. Chained together, these exploits deliver RomCom’s backdoor malware, posing a severe threat to organizations across Europe, North America, and Ukraine.

According to cybersecurity firm ESET, “A successful attack enables the adversary to execute arbitrary code with zero user interaction, ultimately leading to the installation of the RomCom backdoor on the victim’s system.” Let’s dive into the details of the vulnerabilities, the attack chain, and the broader implications of these attacks.

The Vulnerabilities

  1. CVE-2024-9680

    • Description: A use-after-free vulnerability in Firefox’s animation component.
    • Severity: CVSS Score 9.8 (Critical).
    • Impact: Remote code execution (RCE) within Firefox’s sandbox.
    • Patch Date: October 2024, swiftly addressed by Mozilla after being reported by ESET.
  2. CVE-2024-49039

    • Description: A privilege escalation vulnerability in Windows Task Scheduler.
    • Severity: CVSS Score 8.8 (High).
    • Impact: Escalated privileges enabling code execution beyond browser sandboxes.
    • Patch Date: November 2024, resolved by Microsoft after disclosure by Google’s Threat Analysis Group (TAG).

By chaining these vulnerabilities, attackers achieved a seamless zero-click exploit chain that bypasses user interaction, showcasing a dangerous level of sophistication.

The Attack Chain: Anatomy of Exploitation

The attack begins with a maliciously crafted fake website (economistjournal[.]cloud). Visitors using a vulnerable version of Firefox are redirected to a secondary server (redjournal[.]cloud) that hosts the payload.

  1. Triggering the Exploit:
    When a vulnerable user visits the fake website, the Firefox vulnerability (CVE-2024-9680) is exploited, allowing the injection of malicious shellcode.

  2. Shellcode Execution:
    The shellcode executes in two stages:

    • Stage 1: Retrieves additional shellcode from memory and marks it executable.
    • Stage 2: Loads a Portable Executable (PE) using Shellcode Reflective DLL Injection, bypassing sandbox restrictions.
  3. Breaking the Sandbox:
    To escalate privileges, the embedded library PocLowIL weaponizes the Windows Task Scheduler vulnerability (CVE-2024-49039). This enables the installation of the RomCom RAT with elevated privileges.

  4. Final Payload Deployment:
    Once installed, the backdoor provides attackers with a robust toolkit for command execution, further payload delivery, and data exfiltration.

Targeted Campaigns and Victimology

ESET’s telemetry reveals that RomCom’s campaign primarily targets organizations in Europe and North America, with a particular focus on critical industries such as:

  • Government and defense.
  • Energy and utilities.
  • Pharmaceuticals and insurance.

Heatmap Analysis: The majority of victims are concentrated in Ukraine, where RomCom has shifted its focus to espionage operations targeting governmental and defense entities. Notably, this isn’t its first foray into zero-day exploitation. In June 2023, the group abused CVE-2023-36884 via Microsoft Word to target organizations attending the NATO Summit in Lithuania.


Attribution and Broader Implications

RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been active since at least 2022. Initially associated with financially motivated ransomware and credential theft campaigns, the group has evolved into a significant threat actor engaging in both cybercrime and espionage.

Key Observations:

  • Zero-Day Arsenal: The group’s ability to chain zero-day vulnerabilities underscores access to advanced resources, either through development or procurement from exploit brokers.
  • Shifting Focus: While early campaigns targeted financial gain, recent operations have pivoted toward espionage, particularly against geopolitical adversaries in Europe and Ukraine.
  • Broader Impacts: Collaboration with other threat actors, such as leveraging exploits identified by Google TAG, raises concerns about potential partnerships or overlapping interests.

Mitigation and Actionable Steps

  1. Patch Management:
    Ensure all systems are updated with the latest security patches from Mozilla (October 2024) and Microsoft (November 2024). Prioritize systems running Firefox and Windows, especially those exposed to high-risk environments.

  2. Browser Hardening:

    • Disable unnecessary browser features, such as JavaScript animations, to minimize exposure to similar vulnerabilities.
    • Regularly update browsers and verify the authenticity of browser extensions.
  3. Network Segmentation:
    Isolate critical systems and sensitive data from endpoints with internet access. Use network segmentation to limit lateral movement.

  4. Email and Web Security:

    • Deploy robust email filtering to block malicious links.
    • Implement web filtering to restrict access to known malicious domains, such as economistjournal[.]cloud.
  5. Threat Detection and Incident Response:

    • Monitor network traffic for anomalies linked to RAT activity.
    • Conduct forensic investigations to identify indicators of compromise (IOCs), including connections to suspicious domains.
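Steps 4 and 5 above (web filtering against the named domains and hunting for connections to them in traffic logs) can be turned into a small detection routine. The following is an added example, not code from the article or from ESET: it takes the two domains exactly as the article publishes them in defanged form, refangs them, and scans constructed proxy log lines for exact or subdomain matches, then reports which clients touched both the staging site and the payload server (the redirect chain the article describes). The log format, timestamps and client addresses are all constructed for the example.

```python
"""IOC domain matching over proxy logs.

Added example (not from the original article): refangs indicators as
published in threat reports ("economistjournal[.]cloud") and checks
sample log lines for exact or subdomain matches against them.
"""
import re
from urllib.parse import urlsplit

# The two domains named in the article, kept in the defanged form
# threat reports use so they cannot be clicked by accident.
IOC_DOMAINS_DEFANGED = [
    "economistjournal[.]cloud",  # staging site that redirects the victim
    "redjournal[.]cloud",        # secondary server hosting the payload
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b", "hxxps://") back into a plain host."""
    d = indicator.strip().lower()
    d = d.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip("/").rstrip(".")


def host_matches(host: str, ioc: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it.

    The leading dot in the suffix check keeps "notredjournal.cloud"
    from matching "redjournal.cloud".
    """
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def extract_host(field: str) -> str:
    """Pull the hostname out of a URL or a bare host[:port] field."""
    if "://" in field:
        return urlsplit(field).hostname or ""
    return field.split(":")[0]


# Constructed sample log lines (not real traffic):
# <epoch> <client ip> <method> <url> <status>
SAMPLE_LOG = """\
1732000000.101 10.0.0.15 GET http://example.org/index.html 200
1732000001.204 10.0.0.15 GET https://economistjournal.cloud/ 302
1732000001.590 10.0.0.15 GET https://redjournal.cloud/payload 200
1732000002.002 10.0.0.22 GET https://cdn.redjournal.cloud/x.js 200
1732000003.310 10.0.0.22 GET https://notredjournal.cloud/ 200
"""


def find_ioc_hits(log_text: str, defanged_iocs=IOC_DOMAINS_DEFANGED) -> list:
    """Return one dict per log line whose host matches an IOC domain."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        ts, client, _method, url = parts[:4]
        host = extract_host(url)
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append({"ts": ts, "client": client, "host": host, "ioc": ioc})
                break
    return hits


def clients_seen_on_all(hits: list, defanged_iocs=IOC_DOMAINS_DEFANGED) -> list:
    """Clients that contacted every IOC domain, i.e. the full redirect chain.

    A client that reached both the staging site and the payload server is a
    stronger signal than a single lookup of either domain.
    """
    required = {refang(d) for d in defanged_iocs}
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["ioc"])
    return sorted(c for c, domains in seen.items() if domains >= required)


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} -> {h['host']} (matches {h['ioc']})")
    print("clients with full chain:", clients_seen_on_all(found))
```

The same two helpers (`refang` and `host_matches`) can back a web-filter blocklist: refang the published indicators once, then block any host for which `host_matches` is true, so subdomains of the payload server are covered without listing each one.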

Summary

RomCom’s exploitation of two zero-day vulnerabilities represents a high-stakes escalation in cyber threat sophistication. By chaining together CVE-2024-9680 and CVE-2024-49039, the group demonstrated its capacity for stealth and precision, posing significant risks to organizations worldwide.

For cybersecurity professionals, this incident underscores the importance of proactive vulnerability management, robust threat intelligence, and layered defenses. As RomCom’s tactics evolve, staying ahead requires not only patching vulnerabilities but also anticipating the next wave of sophisticated attacks.
