RomCom hackers chained Firefox and Windows zero-days to deliver backdoor
Russia-aligned APT group RomCom was behind attacks that leveraged CVE-2024-9680, a remote code execution flaw in Firefox, and CVE-2024-49039, an elevation of privilege vulnerability in Windows Task Scheduler, as zero-days earlier this year.
“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET researchers said.
The campaign leveraging the zero-click exploit
CVE-2024-9680 let the attackers execute code inside the browser's restricted (sandboxed) content process, and CVE-2024-49039 let that code escape Firefox's sandbox and run with higher privileges on the host. All of this happened without the victims interacting with the websites in any way.
Exploit chain to compromise the victim (Source: ESET)
ESET researcher Damien Schaeffer, who discovered both vulnerabilities, said the compromise chain consisted of a fake website that redirected the potential victim to the server hosting the zero-click exploit; if the exploit succeeded, shellcode ran that downloaded and executed the RomCom backdoor.
He also shared that they don’t know how the link to the fake website was distributed.
“According to our telemetry, from October 10, 2024 to November 4th, 2024, potential victims who visited websites hosting the exploit were located mainly in Europe and North America,” ESET shared, and noted that the campaign seems to have been widespread.
RomCom’s backdoor is capable of executing commands and downloading additional modules onto the victims’ computers.
“This level of sophistication demonstrates the threat actor’s intent and means to obtain or develop stealthy capabilities,” the company added.
Schaeffer discovered the Firefox vulnerability on October 8 and immediately reported it to Mozilla, which shipped the fix for Firefox and Firefox ESR within 25 hours. Two days later, a fix for Mozilla’s Thunderbird email client was also pushed out, but the company noted that vulnerabilities like CVE-2024-9680 “cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail.”
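Because the browser bug was the entry point of the chain, the first check a defender wants is whether every installed Firefox build is at or above the version that fixed CVE-2024-9680. The script below is an added example, not code from ESET or Mozilla. It assumes the fixed versions published in Mozilla's advisory for this CVE (131.0.2 for the release channel, 128.3.1 and 115.16.1 for the two ESR lines; confirm these against the advisory before relying on the check) and assumes `firefox --version` prints a line of the form `Mozilla Firefox 128.3.1esr`. The sample version strings at the bottom are constructed for illustration.

```python
import re
import shutil
import subprocess
from typing import Tuple

# Minimum fixed versions per release line, as published in Mozilla's advisory
# for CVE-2024-9680. Assumption: the reader re-checks these against the advisory.
FIXED_VERSIONS = {
    "esr115": (115, 16, 1),
    "esr128": (128, 3, 1),
    "release": (131, 0, 2),
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(s: str) -> Tuple[Tuple[int, int, int], bool]:
    """Parse '131.0.2' or '128.3.1esr' into ((major, minor, patch), is_esr).
    Missing minor/patch components are treated as 0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {s!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_patched(version_str: str) -> bool:
    """True if this Firefox build contains the fix for CVE-2024-9680."""
    version, is_esr = parse_version(version_str)
    major = version[0]
    if is_esr:
        if major == 115:
            return version >= FIXED_VERSIONS["esr115"]
        if major == 128:
            return version >= FIXED_VERSIONS["esr128"]
        # ESR lines newer than 128 branched after the fix; older ones never got it.
        return major > 128
    return version >= FIXED_VERSIONS["release"]


def version_from_output(output: str) -> str:
    """Extract the version token from `firefox --version` output, e.g.
    'Mozilla Firefox 131.0.2' -> '131.0.2' (assumed output format)."""
    m = re.search(r"(\d+(?:\.\d+){0,2}(?:esr)?)\s*$", output.strip())
    if not m:
        raise ValueError(f"could not find a version in: {output!r}")
    return m.group(1)


def check_installed(binary: str = "firefox") -> str:
    """Run the installed binary and report its patch status (hypothetical path
    lookup; only used when the script is run directly on a host with Firefox)."""
    path = shutil.which(binary)
    if path is None:
        return f"{binary}: not found on PATH"
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=True).stdout
    ver = version_from_output(out)
    status = "patched" if is_patched(ver) else "VULNERABLE to CVE-2024-9680"
    return f"{path}: {ver} -> {status}"


if __name__ == "__main__":
    # Constructed sample strings, one per channel, on both sides of the fix.
    for sample in ("131.0.1", "131.0.2", "128.3.0esr", "128.3.1esr",
                   "115.16.0esr", "115.16.1esr", "102.15.1esr"):
        print(f"{sample:>12}: {'patched' if is_patched(sample) else 'vulnerable'}")
    print(check_installed())
```

The comparison is per release line rather than a single global threshold because an ESR 128.3.1 build is fixed even though its number is lower than 131.0.2; a naive "version >= 131.0.2" check would flag every patched ESR install as vulnerable and miss nothing real.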
Soon after, the Tor Project fixed CVE-2024-9680 in various versions of the Tor Browser and Tails operating system, which uses a modified version of Tor Browser.
Microsoft released a fix for CVE-2024-49039 on November 12.
ESET has released a root cause analysis of the two vulnerabilities, a technical analysis of the shellcode, and indicators of compromise related to this campaign.
About RomCom
RomCom (aka Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned threat actor that engages in both opportunistic campaigns against selected business verticals and targeted espionage operations.
“This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023,” the company shared.
“In 2024, ESET discovered cyberespionage and cybercrime operations of RomCom against governmental entities, defense, and energy sectors in Ukraine; the pharmaceutical and insurance sectors in the US; the legal sector in Germany; and governmental entities in Europe.”