26 November 2024

Hackers exploit Firefox and Windows zero days to deliver RomCom backdoor

A Russia-linked threat actor has been exploiting two recently patched zero-days affecting Mozilla products to deliver the RomCom backdoor. Previously, the group was caught abusing another zero-day flaw (CVE-2023-36884) impacting Microsoft Word.

RomCom, also known by the aliases Storm-0978, Tropical Scorpius, and UNC2596, is a hybrid threat actor conducting both espionage and cybercrime operations. Throughout 2024 the threat actor was seen targeting government, energy, and defense sectors in Ukraine (espionage), the pharmaceutical and insurance sectors in the US (cybercrime), the legal sector in Germany (cybercrime), as well as government entities in Europe (espionage).

In the most recent campaign the RomCom threat actor used CVE-2024-9680, a use-after-free flaw in Mozilla Firefox, Thunderbird, and the Tor Browser, allowing malicious actors to execute code within the browser's restricted context. When chained with another previously unknown Windows vulnerability (CVE-2024-49039), attackers can escalate their control, executing arbitrary code in the context of the logged-in user without requiring any user interaction.

ESET’s research revealed that the attack chain begins with a fake website designed to redirect users to an exploit server. If the victim is using a vulnerable browser, the exploit triggers without requiring any interaction, dropping and executing the RomCom backdoor.

As part of the exploitation process, JavaScript redirects are used to exploit CVE-2024-9680 and execute shellcode in a browser process. The shellcode consists of two stages, with the second stage implementing a PE loader based on the open-source Shellcode Reflective DLL Injection (RDI).

The attack includes a sandbox escape for Firefox, enabling further compromise and installation of the backdoor. The RomCom backdoor grants attackers the ability to execute commands, exfiltrate data, and deploy additional malicious modules.
