Firefox and Windows zero-days exploited by Russian RomCom hackers

​Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.

The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.

The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox and Tor Browser sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.

RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction.

Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

"The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor," said ESET researcher Damien Schaeffer.

"While we don't know how the link to the fake website is distributed, however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim's computer with no user interaction required."

Once deployed on a victim's device, this malware enabled the attackers to run commands and deploy additional payloads.

While investigating this campaign, ESET found that the Russian threat actors focused their attacks on organizations in Ukraine, Europe, and North America from various industries affected, including government, defense, energy, pharmaceuticals, and insurance.

"Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophisEcaEon shows the threat actor's will and means to obtain or develop stealthy capabilities," ESET researchers added.

"Furthermore, successful exploitation attempts delivered the RomCom backdoor in what looks like a widespread campaign."

This isn't the first time RomCom has exploited a zero-day in its attacks. In July 2023, its operators exploited a zero-day (CVE-2023-36884) in multiple Windows and Office products to attack organizations attending the NATO Summit in Vilnius, Lithuania.

RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) has been linked to financially motivated campaigns and orchestrated ransomware and extortion attacks alongside credential theft (likely aimed at supporting intelligence operations).

The threat group was also linked to the Industrial Spy ransomware operation, which has since switched to Underground ransomware.

According to ESET, more recently, RomCom has shifted to targeted espionage attacks against European and Ukrainian governments, as well as energy and defense entities in Ukraine.