The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.
“In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom’s backdoor on the victim’s computer,” ESET said in a report shared with The Hacker News.
The vulnerabilities in question are listed below –
- CVE-2024-9680 (CVSS score: 9.8) – A use-after-free vulnerability in Firefox’s Animation component (patched by Mozilla in October 2024)
- CVE-2024-49039 (CVSS score: 8.8) – A privilege escalation vulnerability in Windows Task Scheduler (patched by Microsoft in November 2024)
RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a track record of conducting both cybercrime and espionage operations since at least 2022.
These attacks are notable for the deployment of RomCom RAT, an actively maintained malware that is capable of executing commands and downloading additional modules to the victim’s machine.
The attack chain discovered by the Slovak cybersecurity company involved the use of a fake website (economistjournal[.]cloud) that is responsible for redirecting potential victims to a server (redjournal[.]cloud) hosting the malicious payload, which in turn chains both flaws together to achieve code execution and drop the RomCom RAT.
It is currently not known how links to the fake website are distributed, but it has been found that the exploit is triggered if the site is visited from a vulnerable version of the Firefox browser.
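Since the article gives the two domains of the redirect chain in defanged form, the most immediate thing a defender can do with it is sweep DNS or proxy telemetry for those names. The following is an added example written for this page, not ESET's code or anything from the report: it refangs the two indicators quoted above, then scans a handful of constructed Zeek-style dns.log lines (the log format and client addresses are assumptions) and reports every client that resolved one of the domains or a subdomain of it.

```python
import re

# Indicators exactly as reported in the article, in defanged form.
DEFANGED_IOCS = ["economistjournal[.]cloud", "redjournal[.]cloud"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]tld") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed sample lines in a simplified Zeek-like dns.log layout
# (ts, client, port, query, qtype). Not real telemetry.
SAMPLE_DNS_LOG = """\
1732000001.1 10.0.0.5 53 economistjournal.cloud A
1732000002.2 10.0.0.5 53 www.example.org A
1732000003.3 10.0.0.7 53 redjournal.cloud A
1732000004.4 10.0.0.9 53 cdn.redjournal.cloud A
1732000005.5 10.0.0.9 53 notredjournal.cloud A
"""

# ts  client  port  query  qtype  (assumed column order for the sample above)
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+\d+\s+(\S+)\s+\S+$")


def matches_ioc(hostname: str, iocs=IOC_DOMAINS) -> bool:
    """True if hostname equals an indicator or is a subdomain of one.

    The explicit "." prefix check prevents look-alike hosts such as
    "notredjournal.cloud" from matching "redjournal.cloud".
    """
    host = hostname.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def scan_dns_log(text: str, iocs=IOC_DOMAINS):
    """Return (client, queried_name) pairs whose query hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, blanks or lines in another layout
        client, query = m.groups()
        if matches_ioc(query, iocs):
            hits.append((client, query))
    return hits


if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {name}")
```

The suffix match is deliberate: a campaign that staged the payload on a subdomain of the redirect host would still be caught, while the look-alike line in the sample is correctly ignored. Feed the real dns.log (or proxy log, after adjusting `LINE_RE` to its column order) through `scan_dns_log` to get the list of hosts that should be checked for the Firefox and Windows patches named in the article.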
“If a victim using a vulnerable browser visits a web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content process,” ESET explained.
“The shellcode is composed of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI).”
The result is a sandbox escape for Firefox that ultimately leads to the download and execution of RomCom RAT on the compromised system. This is accomplished by means of an embedded library (“PocLowIL”) that is designed to break out of the browser’s sandboxed content process by weaponizing the Windows Task Scheduler flaw to obtain elevated privileges.
Telemetry data gathered by ESET shows that a majority of the victims who visited the exploit-hosting website were located in Europe and North America.
The fact that CVE-2024-49039 was also independently discovered and reported to Microsoft by Google’s Threat Analysis Group (TAG) suggests that more than one threat actor may have been exploiting it as a zero-day.
It’s also worth noting that this is the second time that RomCom has been caught exploiting a zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.
“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET said. “This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”