A Russia-linked threat actor has been exploiting two recently patched zero-days affecting Mozilla products to deliver the RomCom backdoor. Previously, the group was caught abusing another zero-day flaw (CVE-2023-36884) impacting Microsoft Word.
RomCom, also known by aliases Storm-0978, Tropical Scorpius, and UNC2596, is a hybrid threat actor conducting both espionage and cybercrime operations. The group is engaged in espionage but also cybercrime operations. Throughout 2024 the threat actor was seen targeting government, energy, and defense sectors in Ukraine (espionage), pharmaceutical and insurance sectors in the US (cybercrime), legal sector in Germany (cybercrime), as well government entities in Europe (espionage).
In the most recent campaign the RomCom threat actor used CVE-2024-9680, a use-after-free flaw in Mozilla Firefox, Thunderbird, and the Tor Browser, allowing malicious actors to execute code within the browser's restricted context. When chained with another previously unknown Windows vulnerability (CVE-2024-49039), attackers can escalate their control, executing arbitrary code in the context of the logged-in user without requiring any user interaction.
ESET’s research revealed that the attack chain begins with a fake website designed to redirect users to an exploit server. If the victim is using a vulnerable browser, the exploit triggers without requiring any interaction, dropping and executing the RomCom backdoor.
As part of the exploitation process, JavaScript redirects are used to exploit CVE-2024-9680 and execute shellcode in a browser process. The shellcode consists of two stages, with the second stage implementing a PE loader based on the open-source Shellcode Reflective DLL Injection (RDI).
The attack includes a sandbox escape for Firefox, enabling further compromise and installation of the backdoor. The RomCom backdoor grants attackers the ability to execute commands, exfiltrate data, and deploy additional malicious modules.