Firefox and Windows zero-days exploited by Russian RomCom hackers

In recent developments, the Russian-based RomCom cybercrime group has successfully leveraged two zero-day vulnerabilities to launch targeted attacks against Firefox and Tor Browser users across Europe and North America.

Exploiting Vulnerabilities

The first vulnerability, identified as CVE-2024-9680, is a use-after-free bug within Firefox’s animation timeline feature. This flaw enables code execution within the web browser’s sandbox environment. Mozilla responded promptly, issuing a patch on October 9, 2024, just a day after ESET brought the issue to light.

The second vulnerability, CVE-2024-49039, pertains to a privilege escalation flaw in the Windows Task Scheduler service. This particular exploit allows attackers to execute code beyond the confines of the Firefox sandbox. Microsoft addressed this security concern earlier this month, on November 12.

RomCom chained these two vulnerabilities into a single zero-day exploit that achieves remote code execution with no user interaction: the victim only had to visit a malicious website controlled by the attackers, which then downloaded and executed the RomCom backdoor on their system.

According to ESET’s analysis, the attackers also specifically targeted Tor Browser users, particularly those utilizing versions 12 and 13, as indicated by the name of one of the JavaScript exploits employed in the attacks, main-tor.js.

RomCom attack flow (ESET)

ESET researcher Damien Schaeffer elaborated on the attack mechanism: “The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit. Should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor.” He noted that while the distribution method for the fake website remains unclear, accessing the page through a vulnerable browser results in a payload being dropped and executed on the victim’s computer without any user interaction.

Once the malware is installed on a victim’s device, it grants attackers the ability to execute commands and deploy additional payloads, enhancing their control over the compromised system.

ESET emphasized the sophistication of this attack, stating, “Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.”

The campaign appears to have been significant in scale. Based on its telemetry, ESET estimated the number of successful exploitation attempts that resulted in the RomCom backdoor being deployed, which ranged from a single victim in some countries to as many as 250 in others.

RomCom victims heatmap (ESET)

This is not the first instance of RomCom exploiting a zero-day vulnerability; in July 2023, the group took advantage of a zero-day (CVE-2023-36884) affecting multiple Windows and Office products to target organizations attending the NATO Summit in Vilnius, Lithuania.

RomCom, also known by various aliases such as Storm-0978, Tropical Scorpius, or UNC2596, has been associated with financially motivated campaigns, orchestrating ransomware and extortion attacks, as well as credential theft, likely to support intelligence operations.

Furthermore, the group has been linked to the Industrial Spy ransomware operation, which has since transitioned to Underground ransomware. Currently, ESET reports that RomCom is actively targeting organizations in Ukraine, Europe, and North America for espionage attacks across diverse sectors, including government, defense, energy, pharmaceuticals, and insurance.
