A Russia-linked APT (advanced persistent threat) group has been exploiting two recent zero-day vulnerabilities in Firefox and Windows to deploy a backdoor on victims’ machines, according to a report by ESET.
Hacking Group Activities
The hacking group, tracked under various names including RomCom, Storm-0978, Tropical Scorpius, and UNC2596, has been engaging in both espionage and cybercrime campaigns across various sectors.
Exploited Zero-Day Vulnerabilities
Following the exploitation of a Microsoft Office zero-day vulnerability last year, RomCom was recently caught exploiting two new zero-days:
- CVE-2024-9680: A critical-severity flaw affecting Firefox, Thunderbird, and the Tor browser.
- CVE-2024-49039: A high-severity Windows Task Scheduler vulnerability.
Attack Methodology
In these attacks, if a victim visits a web page containing the exploit, the adversary can run arbitrary code without any user interaction, leading to the installation of RomCom’s backdoor. ESET reports that most potential victims were located in North America and Europe, based on data collected between October 10 and November 4, 2024.
Vulnerability Patching
CVE-2024-9680, a use-after-free bug, was patched on October 9 in Firefox 131.0.2. CVE-2024-49039, which lets code running inside a low-privilege AppContainer elevate its privileges and execute code outside the container, was patched by Microsoft on November 12.
Exploit Chain
RomCom’s exploit chain relied on a fake website that redirected to an exploit, executing shellcode to fetch and run the backdoor without user interaction. The victim was then redirected to a legitimate site to avoid suspicion.
Technical Details
The shellcode loaded an embedded library whose purpose was to escape Firefox’s sandboxed content process. That library abused the Task Scheduler flaw (CVE-2024-49039) to create a scheduled task that ran an arbitrary program at medium integrity level; since the content process itself runs in a low-privilege AppContainer, this gave the attackers a normal user-level context and broke them out of the sandbox.
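The sandbox-escape step above has a fairly specific telemetry signature: a low-integrity (AppContainer) browser content process is the caller that registers a scheduled task. The following detection sketch is an added example and is not ESET’s code or anything from the RomCom toolset. It correlates constructed Windows Security event 4698 records (task created) with constructed process-creation records shaped like Sysmon event 1, and flags tasks registered by a client process whose integrity level is Low or AppContainer. The ClientProcessId field on 4698 and the IntegrityLevel values are assumptions about the telemetry available; all events are made up for the example.

```python
"""Detection sketch: scheduled task registered from a sandboxed (AppContainer)
browser content process, the pattern used to escape the Firefox sandbox.

Added example, not code from the report. Correlates Security event 4698
(task created) with process-creation records carrying an integrity level
(shape follows Sysmon event 1). Every event below is constructed sample data.
"""

import xml.etree.ElementTree as ET

# Constructed process-creation records (field names follow Sysmon event 1).
PROCESS_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "IntegrityLevel": "Medium", "ParentProcessId": 3001},          # browser parent
    {"ProcessId": 5480, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "IntegrityLevel": "AppContainer", "ParentProcessId": 4120},    # sandboxed content process
    {"ProcessId": 6004, "Image": r"C:\Windows\System32\mmc.exe",
     "IntegrityLevel": "High", "ParentProcessId": 3001},            # admin creating a task
]

TASK_XML_TEMPLATE = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<Principals><Principal id=\"Author\"><RunLevel>{run_level}</RunLevel></Principal></Principals>"
    "<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>"
)

# Constructed 4698 records. ClientProcessId (the process that called the Task
# Scheduler service) is assumed to be present; older builds of the event lack it.
TASK_CREATED_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "victim", "TaskName": r"\ContentUpdate",
     "ClientProcessId": 5480,
     "TaskContent": TASK_XML_TEMPLATE.format(
         run_level="LeastPrivilege",
         command=r"C:\Users\victim\AppData\Local\Temp\loader.exe")},
    {"EventID": 4698, "SubjectUserName": "admin", "TaskName": r"\Backup\Nightly",
     "ClientProcessId": 6004,
     "TaskContent": TASK_XML_TEMPLATE.format(
         run_level="HighestAvailable", command=r"C:\Tools\backup.exe")},
    {"EventID": 4698, "SubjectUserName": "victim", "TaskName": r"\Orphan",
     "ClientProcessId": 9999,  # no matching process record: cannot judge, skipped
     "TaskContent": TASK_XML_TEMPLATE.format(
         run_level="LeastPrivilege", command=r"C:\Users\victim\x.exe")},
]

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOW_INTEGRITY = {"Untrusted", "Low", "AppContainer"}
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")


def _text(node):
    return node.text.strip() if node is not None and node.text else ""


def parse_task_content(xml_text):
    """Pull the action command and principal run level out of a 4698 TaskContent blob."""
    root = ET.fromstring(xml_text)
    return {
        "command": _text(root.find("t:Actions/t:Exec/t:Command", TASK_NS)),
        "run_level": _text(root.find("t:Principals/t:Principal/t:RunLevel", TASK_NS)),
    }


def find_sandbox_escape_tasks(process_events, task_events):
    """Return alerts for tasks registered by a low-integrity client process.

    Caveat: PIDs are reused, so production logic should also match the
    process start key or creation time, not just the PID as done here.
    """
    by_pid = {p["ProcessId"]: p for p in process_events}
    alerts = []
    for ev in task_events:
        proc = by_pid.get(ev.get("ClientProcessId"))
        if proc is None or proc["IntegrityLevel"] not in LOW_INTEGRITY:
            continue
        task = parse_task_content(ev["TaskContent"])
        cmd_lower = task["command"].lower()
        alerts.append({
            "task_name": ev["TaskName"],
            "client_image": proc["Image"],
            "client_integrity": proc["IntegrityLevel"],
            "command": task["command"],
            "run_level": task["run_level"],
            # A payload dropped in a user-writable directory raises severity.
            "user_writable_payload": any(h in cmd_lower for h in USER_WRITABLE_HINTS),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_sandbox_escape_tasks(PROCESS_EVENTS, TASK_CREATED_EVENTS):
        print("ALERT: task registered from sandboxed process:", alert)
```

Only the task registered by PID 5480 (the AppContainer content process) is reported; the administrator’s task and the orphaned record are ignored. The rule is deliberately narrow: a sandboxed process has no legitimate reason to talk to the Task Scheduler service, so the false-positive rate should be low even before the user-writable-path heuristic is applied.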
Threat Actor Analysis
ESET’s analysis revealed that the files used to deliver the RomCom backdoor were created on October 3, a week before the first observed attacks, suggesting the threat actor had the exploit earlier. ESET reported the Firefox zero-day to Mozilla on October 8, and Mozilla in turn notified Microsoft of the related Windows security defect.
Background
RomCom, likely working for the Russian government, was previously associated with the Cuba ransomware. In 2024, the group targeted entities in the US and Europe, including government, defense, and energy organizations for espionage, as well as pharmaceutical, legal, and insurance companies for cybercrime operations.
ESET’s Conclusion
“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities,” ESET notes.