RomCom Cyberattacks Exploit Firefox and Windows Flaws
RomCom Threat Actor Exploits Zero-Day Vulnerabilities in Firefox and Windows
Slovak cybersecurity firm ESET has reported that the Russia-aligned threat actor known as RomCom exploited two zero-day vulnerabilities, one in Mozilla Firefox and one in Microsoft Windows, before fixes were available. Chained together, the two flaws form a drive-by exploit that installs the RomCom Remote Access Trojan (RAT) on a victim's machine.
Understanding the Vulnerabilities
The vulnerabilities chained in this campaign are:
- CVE-2024-9680 (CVSS score: 9.8): a use-after-free vulnerability in Firefox's Animation timeline component that yields code execution inside the browser's sandboxed content process. Mozilla patched it in October 2024 in Firefox 131.0.2, Firefox ESR 128.3.1 and Firefox ESR 115.16.1.
- CVE-2024-49039 (CVSS score: 8.8): a privilege escalation vulnerability in the Windows Task Scheduler service, fixed by Microsoft in its November 2024 Patch Tuesday updates.
RomCom, also referred to as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been active in cybercrime and espionage since at least 2022. The group is known for deploying RomCom RAT, a sophisticated malware capable of executing commands and downloading additional malicious modules onto victim machines.
Attack Methodology
The attack chain identified by ESET begins at a fraudulent website (economistjournal[.]cloud) that redirects visitors to a second server (redjournal[.]cloud) hosting the exploit. The exploit uses the two vulnerabilities in sequence: CVE-2024-9680 gains code execution inside Firefox's sandboxed content process, and CVE-2024-49039 is then used to escape that sandbox and run code with higher privileges, at which point the RomCom RAT is installed.
Key attack details include:
- The exploit fires as soon as a user running a vulnerable Firefox version loads the malicious page; no click, download or other interaction is required.
- A two-part shellcode runs in the content process: the first stage locates the second stage in memory and marks its pages executable, and the second stage loads the next component of the chain.
- The chain ends in a successful escape from the Firefox sandbox, after which the RomCom RAT is downloaded and executed.
ESET’s telemetry data indicates that many victims of this exploit were located in Europe and North America.
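The two campaign domains and the patched Firefox builds named above are the practical hunting material in this report. The following Python script is an added example, not ESET's tooling or anything from the original article: it checks a Firefox version string against the fixed releases for CVE-2024-9680 and scans proxy log lines for contact with the campaign domains. The log format and the sample log lines are constructed for the example; the IOC list and fixed versions come from the report and the Mozilla advisory.

```python
"""Hunting helpers for the RomCom Firefox/Windows exploit chain.

Added example (not ESET's or the article's code). The proxy log
format and the sample lines below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Firefox builds that carry the fix for CVE-2024-9680 (Mozilla, October 2024):
# release 131.0.2, ESR 128.3.1 and ESR 115.16.1. Anything below these on the
# same branch is unpatched.
FIXED_FIREFOX: Tuple[Tuple[int, int, int], ...] = ((131, 0, 2), (128, 3, 1), (115, 16, 1))

# Domains from the ESET report, kept defanged as threat-intel feeds deliver them.
IOC_DOMAINS_DEFANGED = ("economistjournal[.]cloud", "redjournal[.]cloud")


def refang(domain: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be matched against real log data."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'128.3.1' -> (128, 3, 1); pads to three components so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def firefox_is_vulnerable(version: str) -> bool:
    """True if this Firefox build predates the CVE-2024-9680 fix on its branch."""
    v = parse_version(version)
    if v[0] > 131:
        return False  # newer release train, fix already included
    for fixed in FIXED_FIREFOX:
        if v[0] == fixed[0]:
            return v < fixed
    return True  # e.g. 130.0 or 127.0: end-of-life trains that never received the fix


# Constructed proxy log layout: "<timestamp> <client> <method> <host> "<user-agent>" <status>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)" (?P<status>\d{3})$'
)
UA_FIREFOX_RE = re.compile(r"Firefox/(\d+\.\d+)")


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every request to a campaign domain and annotate it with the client's exposure."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m["host"].lower()
        if host not in IOC_DOMAINS:
            continue
        ua = UA_FIREFOX_RE.search(m["ua"])
        if ua is None:
            reason = "contact with campaign domain from non-Firefox client"
        elif firefox_is_vulnerable(ua.group(1)):
            # Caveat: the User-Agent only carries major.minor (e.g. 131.0), so it cannot
            # distinguish 131.0 from the patched 131.0.2. Confirm the patch level on the host.
            reason = f"contact with campaign domain from Firefox {ua.group(1)} (possibly unpatched; verify on endpoint)"
        else:
            reason = f"contact with campaign domain from Firefox {ua.group(1)} (release not affected)"
        findings.append(Finding(m["ts"], m["src"], host, reason))
    return findings


# Constructed sample log lines for a stand-alone run; not real telemetry.
SAMPLE_PROXY_LOG = """\
2024-10-08T14:02:11Z 10.0.0.5 GET economistjournal.cloud "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0" 302
2024-10-08T14:02:12Z 10.0.0.5 GET redjournal.cloud "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0" 200
2024-10-08T14:05:40Z 10.0.0.9 GET example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0" 200
2024-10-08T14:07:03Z 10.0.0.12 GET economistjournal.cloud "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/129.0.0.0 Safari/537.36" 302
""".splitlines()


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{f.ts} {f.src} -> {f.host}: {f.reason}")
```

The version check is meant for software-inventory data, where the full build number is available; applied to User-Agent strings it can only say "possibly unpatched", which is why the log scanner treats every Firefox hit on a campaign domain as a lead to verify on the endpoint rather than a confirmed compromise.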
Implications of the Exploits
Notably, the Windows flaw CVE-2024-49039 was also independently discovered and reported to Microsoft by Google's Threat Analysis Group (TAG), which suggests that more than one threat actor may have been exploiting it as a zero-day. This is the second time RomCom has been caught using a zero-day in the wild, following its exploitation of CVE-2023-36884 through Microsoft Word documents in June 2023.
ESET commented on the sophistication of the attack, stating, "Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction." This level of technical prowess highlights the threat actor’s capability and intent to develop stealthy attack methods.
Conclusion
RomCom's use of this chain underscores how quickly browser and OS zero-days are weaponised against ordinary users. Organisations should confirm that Firefox is at 131.0.2, ESR 128.3.1 or ESR 115.16.1 or later, that the November 2024 Windows updates are installed, and should search proxy and DNS logs for the two domains named above, treating any hit from an unpatched Firefox as a potential RomCom RAT infection to investigate.