The Russia-aligned risk actor often called RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the opposite in Microsoft Home windows, as a part of assaults designed to ship the eponymous backdoor on sufferer programs.
“In a profitable assault, if a sufferer browses an internet web page containing the exploit, an adversary can run arbitrary code – with none consumer interplay required (zero click on) – which on this case led to the set up of RomCom’s backdoor on the sufferer’s pc,” ESET mentioned in a report shared with The Hacker Information.
The vulnerabilities in query are listed beneath –
- CVE-2024-9680 (CVSS rating: 9.8) – A use-after-free vulnerability in Firefox’s Animation part (Patched by Mozilla in October 2024)
- CVE-2024-49039 (CVSS rating: 8.8) – A privilege escalation vulnerability in Home windows Process Scheduler (Patched by Microsoft in November 2024)
RomCom, often known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a monitor file of conducting each cybercrime and espionage operations since a minimum of 2022.
These assaults are notable for the deployment of RomCom RAT, an actively maintained malware that is able to executing instructions and downloading further modules to the sufferer’s machine.
The assault chain found by Slovak cybersecurity firm concerned using a pretend web site (economistjournal[.]cloud) that is chargeable for redirecting potential victims to a server (redjournal[.]cloud) internet hosting the malicious payload that, in flip, strings collectively each the failings to attain code execution and drop the RomCom RAT.
It is at the moment not recognized how hyperlinks to the pretend web site are distributed, but it surely has been discovered that the exploit is triggered ought to the location be visited from a weak model of the Firefox browser.
“If a sufferer utilizing a weak browser visits an internet web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content material course of,” ESET defined.
“The shellcode consists of two components: the primary retrieves the second from reminiscence and marks the containing pages as executable, whereas the second implements a PE loader based mostly on the open-source challenge Shellcode Reflective DLL Injection (RDI).”
The result’s a sandbox escape for Firefox that in the end results in the obtain and execution of RomCom RAT on the compromised system. That is achieved via an embedded library (“PocLowIL”) that is designed to interrupt out of the browser’s sandboxed content material course of by weaponizing the Home windows Process Scheduler flaw to acquire elevated privileges.
Telemetry information gathered by ESET exhibits {that a} majority of the victims who visited the exploit-hosting website had been situated in Europe and North America.
The truth that CVE-2024-49039 was independently additionally found and reported to Microsoft by Google’s Risk Evaluation Group (TAG) means that multiple risk actor could have been exploiting it as a zero-day.
It is also price noting that that is the second time that RomCom has been caught exploiting a zero-day vulnerability within the wild, after the abuse of CVE-2023-36884 by way of Microsoft Phrase in June 2023.
“Chaining collectively two zero-day vulnerabilities armed RomCom with an exploit that requires no consumer interplay,” ESET mentioned. “This degree of sophistication exhibits the risk actor’s will and means to acquire or develop stealthy capabilities.”
