
RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks


Nov 26, 2024 | Ravie Lakshmanan | Vulnerability / Cybercrime


The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.

“In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom’s backdoor on the victim’s computer,” ESET said in a report shared with The Hacker News.

The vulnerabilities in question are listed below –

  • CVE-2024-9680 (CVSS score: 9.8) – A use-after-free vulnerability in Firefox’s Animation component (Patched by Mozilla in October 2024)
  • CVE-2024-49039 (CVSS score: 8.8) – A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024)

RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a track record of conducting both cybercrime and espionage operations since at least 2022.

These attacks are notable for the deployment of RomCom RAT, an actively maintained malware that is capable of executing commands and downloading additional modules to the victim’s machine.

The attack chain discovered by the Slovak cybersecurity company involved the use of a fake website (economistjournal[.]cloud) that is responsible for redirecting potential victims to a server (redjournal[.]cloud) hosting the malicious payload that, in turn, strings together both the flaws to achieve code execution and drop the RomCom RAT.

Zero-Day Firefox and Windows Flaws

It is currently not known how links to the fake website are distributed, but it has been found that the exploit is triggered should the site be visited from a vulnerable version of the Firefox browser.

“If a victim using a vulnerable browser visits a web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content process,” ESET explained.

“The shellcode is composed of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI).”

The result is a sandbox escape for Firefox that ultimately leads to the download and execution of RomCom RAT on the compromised system. This is achieved via an embedded library (“PocLowIL”) that is designed to break out of the browser’s sandboxed content process by weaponizing the Windows Task Scheduler flaw to obtain elevated privileges.

Telemetry data gathered by ESET shows that a majority of the victims who visited the exploit-hosting site were located in Europe and North America.


The fact that CVE-2024-49039 was also independently discovered and reported to Microsoft by Google’s Threat Analysis Group (TAG) suggests that more than one threat actor may have been exploiting it as a zero-day.

It is also worth noting that this is the second time that RomCom has been caught exploiting a zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.

“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET said. “This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”
