The Russian-based RomCom cybercrime group has been exploiting two zero-day vulnerabilities to target Firefox and Tor Browser users across Europe and North America.
The campaign, aimed at espionage and financial gain, leveraged a sophisticated chain of exploits to deliver the RomCom backdoor malware without requiring user interaction.
The Exploited Vulnerabilities
- CVE-2024-9680: A use-after-free flaw in Firefox’s animation timeline, enabling code execution within the browser sandbox. Mozilla patched this vulnerability on October 9, 2024, following its discovery by ESET.
- CVE-2024-49039: A privilege escalation flaw in the Windows Task Scheduler, allowing code execution outside the browser sandbox. Microsoft addressed this issue on November 12, 2024.
Attack Methodology
RomCom chained these vulnerabilities to create a seamless exploit chain. Victims only needed to visit a malicious website, which executed shellcode to download and install the RomCom backdoor. According to ESET, the campaign also targeted Tor Browser users (versions 12 and 13) using a JavaScript exploit named main-tor.js.
The attack flow involved fake websites redirecting users to exploit servers, where the vulnerabilities were leveraged to compromise systems. Once the backdoor was installed, attackers gained the ability to run commands, deploy additional malware, and conduct espionage.
Scale and Impact
ESET telemetry suggests the campaign was widespread, with victim counts ranging from single individuals in some countries to as many as 250 in others. Industries targeted include government, defense, energy, pharmaceuticals, and insurance, with a specific focus on organizations in Ukraine, Europe, and North America.
This is not the first instance of RomCom exploiting zero-days. In July 2023, the group targeted attendees of the NATO Summit using another zero-day vulnerability (CVE-2023-36884) in Windows and Office products. Known for financially motivated campaigns, ransomware, and credential theft, RomCom has also been linked to operations such as Industrial Spy and Underground ransomware.
Bijay Pokharel