The Russia-aligned risk actor often called RomCom has been linked to the zero-day exploitation of two safety flaws, one in Mozilla Firefox and the opposite in Microsoft Home windows, as a part of assaults designed to ship the eponymous backdoor on sufferer techniques.
“In a profitable assault, if a sufferer browses an online web page containing the exploit, an adversary can run arbitrary code – with none consumer interplay required (zero click on) – which on this case led to the set up of RomCom’s backdoor on the sufferer’s pc,” ESET stated in a report shared with The Hacker Information.
The vulnerabilities in query are listed beneath –
- CVE-2024-9680 (CVSS rating: 9.8) – A use-after-free vulnerability in Firefox’s Animation element (Patched by Mozilla in October 2024)
- CVE-2024-49039 (CVSS rating: 8.8) – A privilege escalation vulnerability in Home windows Process Scheduler (Patched by Microsoft in November 2024)
RomCom, often known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a observe report of conducting each cybercrime and espionage operations since a minimum of 2022.
These assaults are notable for the deployment of RomCom RAT, an actively maintained malware that is able to executing instructions and downloading extra modules to the sufferer’s machine.
The assault chain found by Slovak cybersecurity firm concerned the usage of a faux web site (economistjournal[.]cloud) that is liable for redirecting potential victims to a server (redjournal[.]cloud) internet hosting the malicious payload that, in flip, strings collectively each the failings to attain code execution and drop the RomCom RAT.
It is presently not recognized how hyperlinks to the faux web site are distributed, however it has been discovered that the exploit is triggered ought to the positioning be visited from a susceptible model of the Firefox browser.
“If a sufferer utilizing a susceptible browser visits an online web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content material course of,” ESET defined.
“The shellcode consists of two components: the primary retrieves the second from reminiscence and marks the containing pages as executable, whereas the second implements a PE loader based mostly on the open-source challenge Shellcode Reflective DLL Injection (RDI).”
The result’s a sandbox escape for Firefox that in the end results in the obtain and execution of RomCom RAT on the compromised system. That is achieved by way of an embedded library (“PocLowIL”) that is designed to interrupt out of the browser’s sandboxed content material course of by weaponizing the Home windows Process Scheduler flaw to acquire elevated privileges.
Telemetry information gathered by ESET reveals {that a} majority of the victims who visited the exploit-hosting web site had been positioned in Europe and North America.
The truth that CVE-2024-49039 was independently additionally found and reported to Microsoft by Google’s Risk Evaluation Group (TAG) means that a couple of risk actor could have been exploiting it as a zero-day.
It is also value noting that that is the second time that RomCom has been caught exploiting a zero-day vulnerability within the wild, after the abuse of CVE-2023-36884 by way of Microsoft Phrase in June 2023.
“Chaining collectively two zero-day vulnerabilities armed RomCom with an exploit that requires no consumer interplay,” ESET stated. “This degree of sophistication reveals the risk actor’s will and means to acquire or develop stealthy capabilities.”