RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks
Summary:
The Russia-aligned threat actor RomCom has been linked to the exploitation of two critical zero-day vulnerabilities, one in Mozilla Firefox (CVE-2024-9680, CVSS 9.8) and the other in Microsoft Windows (CVE-2024-49039, CVSS 8.8), as part of a sophisticated campaign to deliver their eponymous backdoor malware. The attack begins when victims visit a malicious website, using a vulnerable version of Firefox. The exploit triggers shellcode execution, which escapes the browser’s sandbox by leveraging an embedded library and escalates privileges via the Windows Task Scheduler flaw. The vulnerabilities, patched in October and November 2024, posed significant risks before their disclosure, enabling attackers to execute arbitrary code with no user interaction required.
The RomCom backdoor is deployed through this exploit chain, granting attackers the ability to execute commands and download additional malicious modules on compromised systems. ESET researchers revealed that the payload delivery involves a second-stage exploit hosted on redjournal[.]cloud, stringing together the vulnerabilities to ensure successful code execution. The malware utilizes advanced techniques, such as a PE loader implemented via Shellcode Reflective DLL Injection , to maintain stealth and evade detection. Telemetry data from the campaign shows that most victims are located in Europe and North America, suggesting targeted distribution, although the exact method of delivering links to the malicious website remains unclear.
Security Officer Comments:
RomCom, also known as Storm-0978, UNC2596, Void Rabisu, Tropical Scorpius, and UAC-0180, has been active since at least 2022, conducting cybercrime and espionage operations. The actor is known for its ongoing use of the RomCom RAT, an actively maintained malware capable of executing commands, exfiltrating data, and downloading additional tools. This campaign is not the first instance of RomCom exploiting zero-day vulnerabilities; in June 2023, they abused CVE-2023-36884 in Microsoft Word, demonstrating a pattern of leveraging sophisticated exploits. What makes this campaign particularly concerning is the chaining of two zero-day vulnerabilities, which allowed RomCom to execute the attack without requiring any user interaction.
Notably, CVE-2024-49039 was independently reported to Microsoft by Google’s Threat Analysis Group, suggesting that other threat actors may have also been exploiting the flaw as a zero-day.
Suggested Corrections:
IOCs:
https://www.welivesecurity.com/en/e...ts-firefox-and-windows-zero-days-in-the-wild/
Patch Management:
Web Filtering:
Endpoint Protection:
Access Control and Privilege Management:
https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html
The Russia-aligned threat actor RomCom has been linked to the exploitation of two critical zero-day vulnerabilities, one in Mozilla Firefox (CVE-2024-9680, CVSS 9.8) and the other in Microsoft Windows (CVE-2024-49039, CVSS 8.8), as part of a sophisticated campaign to deliver their eponymous backdoor malware. The attack begins when victims visit a malicious website, using a vulnerable version of Firefox. The exploit triggers shellcode execution, which escapes the browser’s sandbox by leveraging an embedded library and escalates privileges via the Windows Task Scheduler flaw. The vulnerabilities, patched in October and November 2024, posed significant risks before their disclosure, enabling attackers to execute arbitrary code with no user interaction required.
The RomCom backdoor is deployed through this exploit chain, granting attackers the ability to execute commands and download additional malicious modules on compromised systems. ESET researchers revealed that the payload delivery involves a second-stage exploit hosted on redjournal[.]cloud, stringing together the vulnerabilities to ensure successful code execution. The malware utilizes advanced techniques, such as a PE loader implemented via Shellcode Reflective DLL Injection , to maintain stealth and evade detection. Telemetry data from the campaign shows that most victims are located in Europe and North America, suggesting targeted distribution, although the exact method of delivering links to the malicious website remains unclear.
Security Officer Comments:
RomCom, also known as Storm-0978, UNC2596, Void Rabisu, Tropical Scorpius, and UAC-0180, has been active since at least 2022, conducting cybercrime and espionage operations. The actor is known for its ongoing use of the RomCom RAT, an actively maintained malware capable of executing commands, exfiltrating data, and downloading additional tools. This campaign is not the first instance of RomCom exploiting zero-day vulnerabilities; in June 2023, they abused CVE-2023-36884 in Microsoft Word, demonstrating a pattern of leveraging sophisticated exploits. What makes this campaign particularly concerning is the chaining of two zero-day vulnerabilities, which allowed RomCom to execute the attack without requiring any user interaction.
Notably, CVE-2024-49039 was independently reported to Microsoft by Google’s Threat Analysis Group, suggesting that other threat actors may have also been exploiting the flaw as a zero-day.
Suggested Corrections:
IOCs:
https://www.welivesecurity.com/en/e...ts-firefox-and-windows-zero-days-in-the-wild/
Patch Management:
- Ensure systems are updated with the latest security patches:
- CVE-2024-9680: Update Firefox to the patched version released in October 2024.
- CVE-2024-49039: Update Windows to the patched version released in November 2024.
- Regularly review and apply security updates across all software.
Web Filtering:
- Block access to malicious domains
- Use DNS filtering solutions to prevent users from visiting known malicious websites.
Endpoint Protection:
- Deploy robust endpoint detection and response (EDR) tools to detect suspicious behavior, such as sandbox escapes or privilege escalation attempts.
- Monitor for unusual processes, such as unauthorized DLL injections or changes in system privilege levels.
- Enable sandboxing and enhanced security features in browsers to reduce the impact of exploitation attempts.
- Restrict scripts and plugins in web browsers to reduce attack surface.
Access Control and Privilege Management:
- Limit administrative privileges to essential users and processes to reduce the impact of privilege escalation vulnerabilities.
- Implement role-based access controls (RBAC) to restrict high-risk operations.
- Isolate sensitive systems and networks from user-facing environments to limit lateral movement by attackers.
- Use firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and restrict unauthorized traffic.
https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html