In a new wave of cyberattacks, the Russia-aligned hacking group “RomCom” has been found exploiting critical zero-day vulnerabilities in Microsoft Windows and Mozilla Firefox products.
Security researchers at ESET uncovered the alarming attack chain, which uses the vulnerabilities to deploy the RomCom backdoor without requiring any user interaction.
“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor.”
The campaign highlights the increasing sophistication of cyber espionage efforts targeting key industries and government entities worldwide.
Dual Zero-Day Exploit Chain
The attack chain leverages two previously unknown vulnerabilities:
- CVE-2024-9680: A critical vulnerability in Mozilla products, including Firefox, Thunderbird, and the Tor Browser, scoring 9.8 on the CVSS scale. This “use-after-free” bug in the animation timeline feature allows arbitrary code execution within the limited context of the browser.
- CVE-2024-49039: A privilege escalation vulnerability in Microsoft Windows, rated 8.8 on the CVSS scale. This flaw enables attackers to escape Firefox’s sandbox restrictions and execute code with the same privileges as the logged-in user.
When combined, these vulnerabilities allow attackers to execute malicious code on a victim’s machine without any user interaction.
The attack requires only that the victim visit a maliciously crafted webpage. Once the exploit succeeds, the RomCom backdoor is installed on the system, enabling further actions, such as executing commands or downloading additional malware modules.
The vulnerabilities were disclosed and patched following a swift response from Mozilla and Microsoft:
- October 8, 2024: ESET researchers discovered the Firefox zero-day and immediately reported it to Mozilla.
- October 9, 2024: Mozilla issued a patch for the vulnerability within 25 hours, releasing Security Advisory 2024-51 and updates for Firefox, Thunderbird, Tails, and the Tor Browser.
- October 14, 2024: Mozilla identified that the sandbox escape was linked to a Windows vulnerability, forwarding the issue to Microsoft.
- November 12, 2024: Microsoft patched the Windows zero-day via update KB5046612.
ESET praised Mozilla’s responsiveness, describing its 25-hour turnaround as “impressive compared to industry standards.”
RomCom: Espionage Meets Cybercrime
RomCom, also known as Tropical Scorpius or UNC2596, has a history of opportunistic and targeted campaigns. While known for conventional cybercrime operations, the group has increasingly shifted toward espionage, targeting industries and government entities in Ukraine, Europe, and the United States.
Notable targets in 2024 include:
- Government entities in Ukraine and Europe (espionage)
- The pharmaceutical and legal sectors in the United States and Germany (cybercrime)
- The energy and defense sectors in Ukraine (espionage)
The RomCom backdoor deployed in these campaigns enables attackers to execute remote commands and further compromise victim networks.
The attack chain begins with a fake website hosting the exploit. Victims are redirected to the malicious webpage, which triggers the vulnerabilities if they are using unpatched browsers.
A carefully crafted payload is then executed, delivering the RomCom backdoor. To avoid detection, the site redirects victims to legitimate websites after the exploit runs.
The JavaScript-based exploit manipulates Firefox’s animation timeline feature to trigger the use-after-free bug, which is then used to hijack the browser’s JIT (Just-In-Time) compiler. From there, a shellcode loader runs that downloads and executes the backdoor.
After escaping Firefox’s sandbox, attackers use an undocumented Windows RPC endpoint to escalate privileges. This component launches a hidden PowerShell process, which downloads additional malware for deeper system compromise.
Mitigation and Recommendations
Both vulnerabilities have been patched, and users are strongly urged to update their software to the latest versions:
- Mozilla Products: Firefox 131.0.2, Firefox ESR 128.3.1, Thunderbird 115.16+, and Tor Browser 13.5.7.
- Microsoft Windows: November 2024 cumulative update (KB5046612).
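The version list above is only useful if it is checked against what is actually installed. As an added example (not part of the article), the helper below compares version strings as reported by a software inventory against the fixed Mozilla versions given above; the handling of the `esr` suffix and the inventory format are assumptions, not something the article specifies.

```python
"""Added example: check inventoried Mozilla versions against the fixed releases
the article lists for CVE-2024-9680. Not part of the original article."""
import re

# Minimum fixed versions per product and channel, taken from the article.
# Thunderbird is listed as "115.16+", hence the .0 patch component.
FIXED = {
    "firefox": (131, 0, 2),
    "firefox-esr": (128, 3, 1),
    "thunderbird": (115, 16, 0),
    "tor-browser": (13, 5, 7),
}


def parse_version(text: str) -> tuple[tuple[int, int, int], bool]:
    """Parse '128.3.1esr' into ((128, 3, 1), True); pads missing components."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = (parts + (0, 0, 0))[:3]
    return parts, m.group(2) == "esr"


def is_patched(product: str, version_text: str) -> bool:
    """True if the given product/version is at or above the fixed release."""
    parts, esr = parse_version(version_text)
    # Assumption: ESR builds carry an 'esr' suffix, as Firefox reports them.
    key = "firefox-esr" if product == "firefox" and esr else product
    if key not in FIXED:
        raise KeyError(f"no fixed version known for {product!r}")
    return parts >= FIXED[key]


def unpatched(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return host names whose (host, product, version) entry is still vulnerable."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]


# Constructed inventory rows: (host, product, reported version)
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.2"),
    ("ws-02", "firefox", "131.0.1"),
    ("ws-03", "firefox", "128.3.1esr"),
    ("ws-04", "firefox", "128.3.0esr"),
    ("ws-05", "thunderbird", "115.16"),
    ("ws-06", "tor-browser", "13.5.6"),
]

if __name__ == "__main__":
    for host in unpatched(SAMPLE_INVENTORY):
        print(f"{host}: still vulnerable to CVE-2024-9680")
```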
Organizations and users should also implement the following measures:
- Apply Security Updates: Ensure all software, especially browsers and operating systems, is up to date.
- Use Security Software: Deploy reputable endpoint detection and response (EDR) solutions to identify and block malicious activities.
- Enable Sandboxing: Use additional sandboxing tools to limit the damage caused by potential exploits.
- Monitor Network Activity: Look for suspicious outbound connections that may indicate command-and-control communications.
The discovery of these sophisticated attacks underscores the rising threat of advanced persistent threat (APT) actors leveraging zero-day vulnerabilities for both espionage and cybercrime.
RomCom’s ability to chain two zero-day exploits demonstrates its technical expertise and determination to infiltrate high-value targets.
By rapidly addressing these vulnerabilities, Mozilla and Microsoft have minimized the risk of further exploitation, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures.
For organizations, vigilance is key. Emerging threats demand constant awareness, swift action, and a robust cybersecurity strategy to defend against increasingly sophisticated adversaries like RomCom.