The Russia-aligned menace actor often known as RomCom has been linked to the zero-day exploitation of two safety flaws, one in Mozilla Firefox and the opposite in Microsoft Home windows, as a part of assaults designed to ship the eponymous backdoor on sufferer techniques.
“In a profitable assault, if a sufferer browses an internet web page containing the exploit, an adversary can run arbitrary code – with none person interplay required (zero click on) – which on this case led to the set up of RomCom’s backdoor on the sufferer’s pc,” ESET stated in a report shared with The Hacker Information.
The vulnerabilities in query are listed beneath –
- CVE-2024-9680 (CVSS rating: 9.8) – A use-after-free vulnerability in Firefox’s Animation part (Patched by Mozilla in October 2024)
- CVE-2024-49039 (CVSS rating: 8.8) – A privilege escalation vulnerability in Home windows Process Scheduler (Patched by Microsoft in November 2024)
RomCom, often known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a observe report of conducting each cybercrime and espionage operations since at the very least 2022.
These assaults are notable for the deployment of RomCom RAT, an actively maintained malware that is able to executing instructions and downloading extra modules to the sufferer’s machine.
The assault chain found by Slovak cybersecurity firm concerned using a faux web site (economistjournal[.]cloud) that is chargeable for redirecting potential victims to a server (redjournal[.]cloud) internet hosting the malicious payload that, in flip, strings collectively each the failings to realize code execution and drop the RomCom RAT.
It is at the moment not recognized how hyperlinks to the faux web site are distributed, but it surely has been discovered that the exploit is triggered ought to the positioning be visited from a weak model of the Firefox browser.
“If a sufferer utilizing a weak browser visits an internet web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content material course of,” ESET defined.
“The shellcode consists of two elements: the primary retrieves the second from reminiscence and marks the containing pages as executable, whereas the second implements a PE loader based mostly on the open-source mission Shellcode Reflective DLL Injection (RDI).”
The result’s a sandbox escape for Firefox that finally results in the obtain and execution of RomCom RAT on the compromised system. That is completed by the use of an embedded library (“PocLowIL”) that is designed to interrupt out of the browser’s sandboxed content material course of by weaponizing the Home windows Process Scheduler flaw to acquire elevated privileges.
Telemetry knowledge gathered by ESET exhibits {that a} majority of the victims who visited the exploit-hosting web site have been situated in Europe and North America.
The truth that CVE-2024-49039 was independently additionally found and reported to Microsoft by Google’s Menace Evaluation Group (TAG) means that a couple of menace actor could have been exploiting it as a zero-day.
It is also value noting that that is the second time that RomCom has been caught exploiting a zero-day vulnerability within the wild, after the abuse of CVE-2023-36884 by way of Microsoft Phrase in June 2023.
“Chaining collectively two zero-day vulnerabilities armed RomCom with an exploit that requires no person interplay,” ESET stated. “This stage of sophistication exhibits the menace actor’s will and means to acquire or develop stealthy capabilities.”
