The RomCom threat group exploits Firefox and Windows vulnerabilities to deliver malware to its victims.

422/67 Wednesday, November 27, 2024

The Russian state-sponsored cyber threat group RomCom has been discovered exploiting critical vulnerabilities in Mozilla Firefox and Microsoft Windows to infect victim systems with a backdoor of the same name. The attacks chain vulnerabilities that allow malicious code to run without any user interaction. The operation relies on two major vulnerabilities:

  • CVE-2024-9680 (CVSS score: 9.8): A vulnerability in Firefox’s Animation component, patched in October 2024.
  • CVE-2024-49039 (CVSS score: 8.8): A flaw in Windows Task Scheduler allowing attackers to escalate privileges, resolved by Microsoft in November 2024.

These vulnerabilities are exploited together, with the Firefox flaw bypassing sandbox protections and the Windows Task Scheduler flaw enabling privilege escalation. According to ESET, the RomCom group used fake websites resembling legitimate sources, such as “economistjournal[.]cloud,” to lure victims. When users with vulnerable Firefox versions visit these sites, they are redirected to a server hosting malware payloads. The attack follows a complex sequence:

  1. Visiting the malicious site triggers shellcode execution on the victim’s system.
  2. The shellcode consists of two components: one for data retrieval and another for payload execution.
  3. The RomCom RAT malware is downloaded and installed, allowing remote command execution and additional module downloads.

ESET reports that RomCom’s attacks primarily target victims in Europe and North America, focusing on organizations and entities that may hold critical information. Additionally, the CVE-2024-49039 vulnerability was discovered and reported by Google’s Threat Analysis Group (TAG), indicating other threat actors may also be exploiting it. This is RomCom’s second use of zero-day vulnerabilities, following their exploitation of CVE-2023-36884 via Microsoft Word in June 2023.

Source: https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html