ESET researchers have identified a critical vulnerability in Mozilla products that was exploited in the wild by the Russia-aligned group RomCom. This is the second time RomCom has been linked to the exploitation of a significant zero-day vulnerability, after its abuse of CVE-2023-36884 via Microsoft Word in June 2023.
The newly identified vulnerability, CVE-2024-9680 (CVSS score 9.8), affects several versions of Firefox, Thunderbird, and the Tor Browser and allows code execution within the restricted context of the browser. Chained with a previously unknown Windows vulnerability, CVE-2024-49039 (CVSS score 8.8), it lets attackers run arbitrary code in the context of the logged-in user. A victim therefore only needs to visit a malicious web page with a vulnerable browser for RomCom’s backdoor to be installed, with no further user interaction.
Key points of this blogpost:
- On October 8th, 2024, ESET researchers discovered a previously unknown zero-day vulnerability in Mozilla products being exploited in the wild.
- Analysis of the exploit led to the identification of CVE-2024-9680, a use-after-free bug in Firefox’s animation timeline feature. Mozilla promptly patched this vulnerability on October 9th, 2024.
- Further investigation revealed CVE-2024-49039, a privilege escalation bug in Windows, which allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this vulnerability on November 12th, 2024.
- Successful exploitation attempts have resulted in the deployment of the RomCom backdoor, indicating a widespread campaign.
RomCom profile
RomCom, also referred to as Storm-0978, Tropical Scorpius, or UNC2596, is a cyber threat group aligned with Russian interests. Their operations encompass both opportunistic attacks on select business sectors and targeted espionage efforts. Recently, their focus has expanded to include intelligence collection alongside traditional cybercrime activities. The backdoor utilized by RomCom is capable of executing commands and downloading additional modules onto the victim’s machine.
Research indicates that RomCom has targeted various sectors in 2024, as outlined in Table 1, showcasing their engagement in both espionage and cybercrime.
Table 1. RomCom victims in 2024
| Vertical and region | Purpose | First seen |
|---|---|---|
| Governmental entity in Ukraine | Espionage | 2024-01 |
| Pharmaceutical sector in the US | Cybercrime | 2024-03 |
| Legal sector in Germany | Cybercrime | 2024-03 |
| Insurance sector in the US | Cybercrime | 2024-04 |
| Defense sector in Ukraine | Espionage | 2024-08 |
| Energy sector in Ukraine | Espionage | 2024-08 |
| Governmental entities in Europe | Espionage | 2024-08 |
| Worldwide targeting – Firefox exploit | Unknown | 2024-10 |
Compromise chain
The compromise chain begins with a fake website that redirects potential victims to a server hosting the exploit. If the exploit succeeds, it runs shellcode that downloads and executes the RomCom backdoor. How victims are lured to the fake website is still unknown, but once the page is opened in a vulnerable browser, the payload runs without any user interaction. The landing page then performs a JavaScript redirection to a legitimate site after a delay long enough for the exploit to complete.
From October 10th to October 16th, 2024, shortly after the vulnerability was patched, ESET identified additional command-and-control (C&C) servers hosting the exploit. Their domain names were built by adding a prefix or suffix such as “redir” or “red” to a legitimate domain name, sometimes also changing the top-level domain (TLD) to make the lookalike less obvious, as detailed in Table 2.
Table 2. Fake servers redirecting to the exploit
| First seen | Fake server | Final redirect to | Redirect website purpose |
|---|---|---|---|
| 2024-10-10 | redircorrectiv[.]com | correctiv.org | Nonprofit independent newsroom. |
| 2024-10-14 | devolredir[.]com | devolutions.net | Remote access and password management solutions. |
| 2024-10-15 | redirconnectwise[.]cloud | connectwise.com | MSP technology and IT management software. |
| 2024-10-16 | redjournal[.]cloud | connectwise.com | MSP technology and IT management software. |
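The naming scheme behind Table 2 lends itself to a simple DNS-log check: strip a “redir” or “red” marker from the front or back of the second-level label and see whether what is left matches, or is a prefix of, a brand you care about; separately, flag a brand label that reappears under a different TLD. The following is an added example, not ESET’s tooling or code from this report. The brand list and the observed domains are constructed from the table (defanged with “[.]”), and the domain splitting assumes a single-label TLD, so a public-suffix list would be needed for suffixes such as co.uk.

```python
"""Flag domains built with the 'redir'/'red' lookalike scheme described above.
Added illustration; inputs below are constructed from the report's table."""

MARKERS = ("redir", "red")  # longest first, so "redir" is not cut as "red" + "ir"


def refang(domain):
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def split_domain(domain):
    """Return (second-level label, TLD). Assumes a single-label TLD."""
    parts = refang(domain).split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def strip_marker(label):
    """Remove one marker from the start or end of a label.
    Returns (core, marker), or (label, None) when no marker is present."""
    for marker in MARKERS:
        if label.startswith(marker) and len(label) > len(marker):
            return label[len(marker):], marker
        if label.endswith(marker) and len(label) > len(marker):
            return label[:-len(marker)], marker
    return label, None


def lookalike_reason(domain, brands, min_prefix=4):
    """Explain why `domain` resembles one of `brands`, or return None."""
    label, tld = split_domain(domain)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        if label == b_label:
            if tld != b_tld:
                return f"same label as {brand} under a different TLD"
            return None  # this is the legitimate domain itself
        core, marker = strip_marker(label)
        if marker is None:
            continue
        # Exact brand label, or a truncated brand label (devol -> devolutions)
        if core == b_label or (len(core) >= min_prefix and b_label.startswith(core)):
            return f"marker '{marker}' wrapped around '{core}', mimicking {brand}"
    return None


def scan(domains, brands):
    """Map each flagged domain (refanged) to its reason; others are omitted."""
    findings = {}
    for d in domains:
        reason = lookalike_reason(d, brands)
        if reason:
            findings[refang(d)] = reason
    return findings


# Constructed inputs: brands worth protecting and domains seen in the report.
BRANDS = ["correctiv.org", "devolutions.net", "connectwise.com"]
OBSERVED = [
    "redircorrectiv[.]com", "devolredir[.]com", "redirconnectwise[.]cloud",
    "redjournal[.]cloud", "correctiv[.]sbs", "connectwise.com", "mail.example.org",
]

if __name__ == "__main__":
    for domain, why in scan(OBSERVED, BRANDS).items():
        print(f"{domain}: {why}")
```

Note that redjournal[.]cloud is not flagged: its core “journal” matches no brand in the list, which is the limitation of a brand-driven check and the reason the IoC list below still matters.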
When a victim using a vulnerable browser visits a page serving this exploit, the vulnerability is triggered and shellcode runs. The shellcode has two stages: the first locates the second in memory and marks the pages containing it as executable; the second is a PE loader based on the open-source Shellcode Reflective DLL Injection (RDI) project. The library it loads performs the Firefox sandbox escape and ultimately downloads and executes the RomCom backdoor on the victim’s machine.
Telemetry data from ESET indicates that between October 10th and November 4th, 2024, potential victims primarily located in Europe and North America were targeted, with numbers ranging from a single victim per country to as many as 250.
CVE-2024-9680: Use-after-free in Firefox animation timeline
On October 8th, 2024, ESET identified files used to deliver the RomCom backdoor hosted on a server controlled by the threat actor. These exploits target a use-after-free vulnerability in Firefox’s animation timelines, enabling an attacker to execute code within a content process. A detailed analysis of the files involved is provided in Table 3.
Table 3. Files related to the exploit
| Name | Description |
|---|---|
| main-128.js | JavaScript file containing the exploit for Firefox versions from 106 to 128. |
| main-129.js | JavaScript file containing the exploit for Firefox versions from 129 to 131. |
| main-tor.js | JavaScript file containing the exploit for Tor Browser versions 12 and 13. |
| script.js | JavaScript file used to generate a CAPTCHA. |
| utils.js | JavaScript file containing helper functions for data type conversions and OS/browser detection. |
| animation0.html | HTML iframe loaded by the exploit to trigger the use-after-free vulnerability. |
| index.html | HTML page loading the exploit and redirecting to a legitimate website after a few seconds. |
Timestamps in these files indicate they were created on October 3rd, 2024, suggesting that the threat actor had the exploit before the vulnerability was publicly known. ESET promptly reported the vulnerability to Mozilla, which led to the following response and patching timeline:
- 2024-10-08: Discovery and initial analysis.
- 2024-10-08: Vulnerability reported to Mozilla.
- 2024-10-08: Vulnerability acknowledged by Mozilla.
- 2024-10-09: CVE-2024-9680 assigned by Mozilla Corporation.
- 2024-10-09: Vulnerability patched in Firefox, Security Advisory 2024-51.
- 2024-10-09: Vulnerability patched in Tor Browser with release 13.5.7.
- 2024-10-10: Vulnerability patched in Tails with release 6.8.1.
- 2024-10-10: Vulnerability patched in Thunderbird, Security Advisory 2024-52.
Mozilla’s team demonstrated commendable responsiveness, releasing a patch within a day of the vulnerability’s discovery.
The patched versions released by Mozilla and the Tor Project include:
- Firefox 131.0.2
- Firefox ESR 115.16.1
- Firefox ESR 128.3.1
- Tor Browser 13.5.7
- Tails 6.8.1
- Thunderbird 115.16
- Thunderbird 128.3.1
- Thunderbird 131.0.1
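For vulnerability management, the useful question is whether a reported build is at or above the fixed release for its branch. The following is an added example, not ESET’s, Mozilla’s or the Tor Project’s tooling; it encodes the patched versions listed above and the version ranges the recovered exploit files targeted (Table 3). Two assumptions are made: a build older than the first fixed release of its branch is treated as unpatched (and pointed at the nearest fixed branch above it), and “Thunderbird 115.16” is read as 115.16.0.

```python
"""Patch-status check for CVE-2024-9680 based on the fixed releases listed
above. Added illustration; the assumptions are noted inline."""

# Fixed releases per product, keyed by branch (major version). Products with a
# single release line are keyed by None.
FIXED = {
    "firefox":     {None: (131, 0, 2)},
    "firefox-esr": {115: (115, 16, 1), 128: (128, 3, 1)},
    "thunderbird": {115: (115, 16, 0),  # assumption: "115.16" means 115.16.0
                    128: (128, 3, 1), 131: (131, 0, 1)},
    "tor-browser": {None: (13, 5, 7)},
    "tails":       {None: (6, 8, 1)},
}

# Major-version ranges the recovered exploit files targeted (Table 3).
EXPLOIT_TARGETS = {
    "firefox": (106, 131),
    "firefox-esr": (106, 131),
    "tor-browser": (12, 13),
}


def normalize_product(product):
    """'Firefox ESR' -> 'firefox-esr'."""
    return product.strip().lower().replace(" ", "-")


def parse_version(text):
    """'131.0.2' -> (131, 0, 2); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def patch_status(product, version_text):
    """Return 'patched' or an 'unpatched: upgrade to X or later' message."""
    version = parse_version(version_text)
    branches = FIXED[normalize_product(product)]
    if None in branches:
        fixed = branches[None]
    else:
        fixed = branches.get(version[0])
        if fixed is None:
            # Not a branch that received a fix. Assumption: builds newer than
            # the newest fixed branch ship the fix; older ones are unpatched
            # and should move to the next fixed branch above them.
            newer = [v for v in branches.values() if v[0] > version[0]]
            if not newer:
                return "patched"
            fixed = min(newer)
    if version >= fixed:
        return "patched"
    return "unpatched: upgrade to " + ".".join(map(str, fixed)) + " or later"


def exploit_targeted(product, version_text):
    """True if the exploit files recovered by ESET covered this major version.
    Thunderbird and Tails had no dedicated exploit file on the page."""
    rng = EXPLOIT_TARGETS.get(normalize_product(product))
    if rng is None:
        return False
    major = parse_version(version_text)[0]
    return rng[0] <= major <= rng[1]


if __name__ == "__main__":
    for product, ver in [("Firefox", "131.0.1"), ("Firefox ESR", "128.3.1"),
                         ("Thunderbird", "120.0"), ("Tor Browser", "13.5.6")]:
        print(f"{product} {ver}: {patch_status(product, ver)}; "
              f"in exploited range: {exploit_targeted(product, ver)}")
```

An unpatched build outside the targeted range (for example Firefox 105) is still unpatched; the range only says which versions the recovered exploit code was written for.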
During the preparation of this report, independent researcher Dimitri Fourny released a detailed analysis of the vulnerability on November 14th, 2024.
Root cause analysis
The exploit code first checks the browser version and assesses exploitability by examining specific object offsets and sizes. Once these checks pass, it injects an HTML iframe, implemented in animation0.html, into the exploit page. This iframe creates four HTML div elements and defines a getter for the then property of Object.prototype; that getter is what triggers the use-after-free vulnerability.
As the animation timeline progresses, the exploit manipulates the animation objects so that one of them is freed while a pointer to it is still held. Dereferencing that dangling pointer is the memory-safety violation the exploit builds on to achieve arbitrary code execution in the content process.
Mozilla’s patch holds the animation objects through reference-counting pointers, so they can no longer be freed while still in use, which closes the vulnerability.
Shellcode analysis
The shellcodes used in the exploit are stored within the JavaScript files. The first shellcode retrieves the second from memory, while the second is a compiled version of the Shellcode RDI project and is used to load a DLL that escapes the restrictions of Firefox’s sandboxed environment.
CVE-2024-49039: Privilege escalation in Windows Task Scheduler
The loaded library, identified as PocLowIL, implements a sandbox escape from the untrusted integrity level of the content process to medium integrity level. It achieves this by abusing an undocumented RPC endpoint to launch a hidden PowerShell process that downloads a second stage from a C&C server.
The timeline for the vulnerability disclosure is as follows:
- 2024-10-08: Initial report to Mozilla regarding CVE-2024-9680, including the sandbox escape.
- 2024-10-14: Mozilla confirms the sandbox escape and contacts Microsoft for further assessment.
- 2024-11-12: Microsoft releases an advisory for CVE-2024-49039 and its corresponding patch.
Root cause analysis
The sandbox escape code resides in the library’s main function. It uses an undocumented RPC endpoint to create a scheduled task that runs an arbitrary application at medium integrity level. Because the security descriptor applied to that RPC interface did not restrict which callers could reach it, a low-integrity sandboxed process could use it, which is what allows the privilege escalation and the sandbox escape.
Exploitation
In this instance, the threat actor creates a task named firefox.exe that launches conhost.exe in headless mode, which hides the child process window. The PowerShell code it runs downloads an executable from a specified URL, stores it in the Public folder and executes it, enabling further malicious actions.
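The task creation described above leaves a record that defenders can audit: Windows Security event 4698 (“A scheduled task was created”) carries the task name and the full task definition XML. The following added example, which is not ESET’s or Microsoft’s code, parses such events and reports the traits that match the pattern in this section: a task named after an executable, conhost.exe launched in headless mode, and a PowerShell action that references the Public folder. The two sample events are constructed for the example; the PowerShell argument in the malicious sample is a placeholder string rather than the actual command, and the “--headless” spelling of the conhost switch is an assumption about how the argument appears in the task definition.

```python
"""Triage Windows Security event 4698 (scheduled task created) for the
firefox.exe / conhost.exe headless pattern described above.
Added illustration; the sample events are constructed, not real telemetry."""
import ntpath
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_XMLNS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
EVENT_XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _local(tag):
    """Drop the XML namespace from a tag name ('{ns}Command' -> 'Command')."""
    return tag.rsplit("}", 1)[-1]


def build_4698(task_name, command, arguments, user="alice"):
    """Construct a minimal 4698 event. As in real events, the task definition
    is carried as escaped XML text inside the TaskContent field."""
    task_xml = (
        f'<Task version="1.2" xmlns="{TASK_XMLNS}"><Actions Context="Author">'
        f"<Exec><Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )
    return (
        f'<Event xmlns="{EVENT_XMLNS}"><System><EventID>4698</EventID>'
        f"<Computer>WS-01</Computer></System><EventData>"
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        f"</EventData></Event>"
    )


def parse_4698(event_xml):
    """Return (task_name, [(command, arguments), ...]) from a 4698 event."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iter() if _local(d.tag) == "Data"}
    actions = []
    task = ET.fromstring(fields["TaskContent"])
    for exec_el in task.iter():
        if _local(exec_el.tag) != "Exec":
            continue
        cmd = args = ""
        for child in exec_el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return fields.get("TaskName", ""), actions


def assess_task(event_xml):
    """List the traits matching the sandbox-escape pattern; empty means none."""
    task_name, actions = parse_4698(event_xml)
    reasons = []
    leaf = ntpath.basename(task_name).lower()
    if leaf.endswith(".exe"):
        reasons.append("task name mimics an executable: " + leaf)
    for cmd, args in actions:
        exe = ntpath.basename(cmd).lower()
        low = args.lower()
        if exe == "conhost.exe" and "headless" in low:
            reasons.append("conhost.exe launched in headless mode")
        if "powershell" in low and r"\users\public" in low:
            reasons.append("powershell action references the Public folder")
    return reasons


# Constructed samples: one shaped like the pattern above, one benign OS task.
MALICIOUS_EVENT = build_4698(
    r"\firefox.exe",
    r"C:\Windows\System32\conhost.exe",
    r'--headless powershell.exe -NoP -c "[placeholder: fetch hxxps://example.invalid/stage2, run C:\Users\Public\stage2.exe]"',
)
BENIGN_EVENT = build_4698(
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"%windir%\system32\defrag.exe",
    "-c -h -o -$",
)

if __name__ == "__main__":
    for label, ev in [("malicious", MALICIOUS_EVENT), ("benign", BENIGN_EVENT)]:
        print(label, assess_task(ev))
```

In production the event would come from the Security log (auditing of “Other Object Access Events” must be enabled for 4698 to be written), and a single matching trait is a lead rather than a verdict; all three together, with a non-administrative SubjectUserName, is the combination worth escalating.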
Brief patch analysis
The updated version of WPTaskScheduler.dll applies a more restrictive security descriptor, which blocks the privilege escalation and renders the sandbox escape code ineffective.
Indicators of Compromise (IoCs)
A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| A4AAD0E2AC1EE0C8DD25968FA4631805689757B6 | utils.js | JS/Exploit.Agent.NSF | RomCom Firefox exploit. |
| CA6F8966A3B2640F49B19434BA8C21832E77A031 | main-tor.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| 21918CFD17B378EB4152910F1246D2446F9B5B11 | main-128.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| 703A25F053E356EB6ECE4D16A048344C55DC89FD | main-129.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6 | PocLowIL.dll | Win64/Runner.AD | RomCom Firefox sandbox escape. |
| A9D445B77F6F4E90C29E385264D4B1B95947ADD5 | PocLowIL.dll | Win64/Runner.AD | RomCom Tor Browser sandbox escape. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 194.87.189[.]171 | journalctd[.]live | Aeza International LTD | 2024-10-08 | RomCom second-stage C&C server. |
| 178.236.246[.]241 | correctiv[.]sbs | Aeza International LTD | 2024-10-09 | RomCom second-stage C&C server. |
| 62.60.238[.]81 | cwise[.]store | Aeza International LTD | 2024-10-15 | RomCom second-stage C&C server. |
| 147.45.78[.]102 | redircorrectiv[.]com | Aeza International LTD | 2024-10-10 | RomCom exploit delivery C&C server. |
| 46.226.163[.]67 | devolredir[.]com | Aeza International LTD | 2024-10-14 | RomCom exploit delivery C&C server. |
| 62.60.237[.]116 | redirconnectwise[.]cloud | Aeza International LTD | 2024-10-15 | RomCom exploit delivery C&C server. |
| 62.60.237[.]38 | redjournal[.]cloud | Aeza International LTD | 2024-10-16 | RomCom exploit delivery C&C server. |
| 194.87.189[.]19 | 1drv.us[.]com | Aeza International LTD | 2024-10-08 | RomCom malware delivery C&C server. |
| 45.138.74[.]238 | economistjournal[.]cloud | Aeza International LTD | 2024-10-16 | RomCom exploit redirection C&C server. |
| 176.124.206[.]88 | N/A | Aeza International LTD | 2024-10-08 | RomCom second-stage C&C server. |
MITRE ATT&CK techniques
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583 | Acquire Infrastructure | RomCom sets up VPSes and buys domain names. |
| | T1587.001 | Develop Capabilities: Malware | RomCom develops malware in multiple programming languages. |
| | T1587.004 | Develop Capabilities: Exploits | RomCom may develop exploits used for initial compromise. |
| | T1588.003 | Obtain Capabilities: Code Signing Certificates | RomCom obtains valid code-signing certificates to sign its malware. |
| | T1588.005 | Obtain Capabilities: Exploits | RomCom may acquire exploits used for initial compromise. |
| | T1588.006 | Obtain Capabilities: Vulnerabilities | RomCom may obtain information about vulnerabilities it uses for targeting victims. |
| | T1608 | Stage Capabilities | RomCom stages malware on multiple delivery servers. |
| Initial Access | T1189 | Drive-by Compromise | RomCom compromises victims through a user visiting a website hosting an exploit. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | RomCom creates a scheduled task using RPC to execute the next-stage downloader. |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | The RomCom backdoor hijacks DLLs loaded by explorer.exe or wordpad.exe for persistence. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | RomCom exploits a vulnerability to escape the Firefox sandbox. |
| Defense Evasion | T1622 | Debugger Evasion | The RomCom backdoor detects debuggers by registering an exception handler. |
| | T1480 | Execution Guardrails | The RomCom backdoor checks whether the system state is suitable for execution. |
| | T1027.011 | Obfuscated Files or Information: Fileless Storage | The RomCom backdoor is stored encrypted in the registry. |
| | T1553.002 | Subvert Trust Controls: Code Signing | The RomCom backdoor weakens security mechanisms by using trusted code-signing certificates. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module. |
| | T1552.001 | Unsecured Credentials: Credentials In Files | The RomCom backdoor collects passwords using a file reconnaissance module. |
| Discovery | T1087 | Account Discovery | The RomCom backdoor collects username, computer, and domain data. |
| | T1518 | Software Discovery | The RomCom backdoor collects information about installed software and versions. |
| | T1614 | System Location Discovery | The RomCom backdoor checks for a specific keyboard layout ID (KLID). |
| Lateral Movement | T1021 | Remote Services | The RomCom backdoor creates SSH tunnels to move laterally within compromised networks. |
| Collection | T1560 | Archive Collected Data | The RomCom backdoor stores data in a ZIP archive for exfiltration. |
| | T1185 | Man in the Browser | The RomCom backdoor steals browser cookies, history, and saved passwords. |
| | T1005 | Data from Local System | The RomCom backdoor collects specific file types based on file extensions. |
| | T1114.001 | Email Collection: Local Email Collection | The RomCom backdoor collects files with .msg, .eml, and .email extensions. |
| | T1113 | Screen Capture | The RomCom backdoor takes screenshots of the victim’s computer. |
| Command and Control | T1071.001 | Standard Application Layer Protocol: Web Protocols | The RomCom backdoor uses HTTP or HTTPS as a C&C protocol. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | The RomCom backdoor encrypts communication using SSL certificates. |
| Exfiltration | T1041 | Exfiltration Over Command-and-Control Channel | The RomCom backdoor exfiltrates data using the HTTPS C&C channel. |
| Impact | T1565 | Data Manipulation | RomCom manipulates systems and steals data. |
| | T1657 | Financial Theft | RomCom compromises companies for financial interest. |