RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.

"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required (zero click) – which in this case led to the installation of RomCom's backdoor on the victim's computer," ESET said in a report shared with The Hacker News.

The vulnerabilities in question are listed below -

• CVE-2024-9680 (CVSS score: 9.8) - A use-after-free vulnerability in Firefox's Animation component (Patched by Mozilla in October 2024)
• CVE-2024-49039 (CVSS score: 8.8) - A privilege escalation vulnerability in Windows Task Scheduler (Patched by Microsoft in November 2024)

RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a track record of conducting both cybercrime and espionage operations since at least 2022.

These attacks are notable for the deployment of RomCom RAT, an actively maintained malware that's capable of executing commands and downloading additional modules to the victim's machine.

The attack chain discovered by Slovak cybersecurity company involved the use of a fake website (economistjournal[.]cloud) that's responsible for redirecting prospective victims to a server (redjournal[.]cloud) hosting the malicious payload that, in turn, strings together both the flaws to achieve code execution and drop the RomCom RAT.

It's currently not known how links to the fake website are distributed, but it has been found that the exploit is triggered should the site be visited from a vulnerable version of the Firefox browser.

"If a victim using a vulnerable browser visits a web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content process," ESET explained.

"The shellcode is composed of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI)."

The result is a sandbox escape for Firefox that ultimately leads to the download and execution of RomCom RAT on the compromised system. This is accomplished by means of an embedded library ("PocLowIL") that's designed to break out of the browser's sandboxed content process by weaponizing the Windows Task Scheduler flaw to obtain elevated privileges.

Telemetry data gathered by ESET shows that a majority of the victims who visited the exploit-hosting site were located in Europe and North America.

The fact that CVE-2024-49039 was independently also discovered and reported to Microsoft by Google's Threat Analysis Group (TAG) suggests that more than one threat actor may have been exploiting it as a zero-day.

It's also worth noting that this is the second time that RomCom has been caught exploiting a zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.

"Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction," ESET said. "This level of sophistication shows the threat actor's will and means to obtain or develop stealthy capabilities."