A Russia-linked APT actor has been observed chaining two recent zero-day vulnerabilities in Firefox and Windows to deploy a backdoor on the victims’ machines, ESET reports.
The hacking group, tracked as RomCom, Storm-0978, Tropical Scorpius, and UNC2596, has been conducting opportunistic and targeted campaigns against various sectors, as part of both espionage and cybercrime operations.
Following the exploitation of a Microsoft Office zero-day last year, RomCom was recently caught exploiting two other zero-days, namely CVE-2024-9680, a critical-severity flaw affecting Firefox, Thunderbird, and Tor Browser, along with CVE-2024-49039, a high-severity Windows Task Scheduler bug.
“In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer,” ESET reports.
According to data collected by ESET, most of the potential victims of this exploit chain were located in North America – particularly the United States – and Europe. This is based on the users who visited the websites hosting the exploit between October 10 and November 4, 2024.
Flagged as exploited in the wild when patched on October 9 with the release of Firefox version 131.0.2, CVE-2024-9680 is a use-after-free issue that could allow an attacker to execute arbitrary code in the context of the browser.
Microsoft patched CVE-2024-49039 on November 12, warning that it could allow attackers to elevate privileges and execute code from a low privilege AppContainer. The flaw would allow an attacker to “execute RPC functions that are restricted to privileged accounts only”, Microsoft warned.
RomCom’s exploit chain, ESET says, relied on a fake website redirecting to an exploit that would execute shellcode to fetch and run the backdoor on the victim’s machine, without user interaction. The victim would then be redirected to a legitimate site, to avoid raising suspicion.
“The shellcode simply loads an embedded library whose sole purpose is to escape the restrictions of Firefox’s sandboxed content process,” ESET notes.
“The malicious library creates a scheduled task that will run an arbitrary application at medium integrity level, allowing the attackers to elevate their privileges on the system and break out of the sandbox. This is possible due to the lack of restrictions imposed on the security descriptor applied to the RPC interface during its creation,” it continues.
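Two defender-side checks follow from the chain described above. The block below is an added example written for this page, not code from ESET, Mozilla or Microsoft: a version gate against the mainline 131.0.2 fix, and a detection run over constructed scheduled-task creation records that flags a task registered from a sandboxed Firefox content process, which is the behaviour the sandbox escape relies on. The record field names (`task_name`, `creator_image`, `creator_integrity`) are assumptions about what an EDR or an enriched Security event 4698 would supply, and the sample events are constructed.

```python
"""Defender-side checks for the RomCom Firefox/Task Scheduler chain (added example).

Assumptions, not taken from ESET's report:
  * the Firefox version string comes from an inventory tool as "major.minor.patch";
  * scheduled-task creation telemetry is available as dict records carrying the
    creating process image path and its integrity level (field names below are
    hypothetical; map them to whatever your EDR or event 4698 enrichment provides).
"""
from __future__ import annotations

import re
from typing import Iterable

# Mainline Firefox release that fixed CVE-2024-9680 (from the article).
FIXED_FIREFOX_VERSION = (131, 0, 2)

# Integrity levels a sandboxed Firefox content process runs at. Registering a
# scheduled task from such a process is what the reported sandbox escape does.
LOW_INTEGRITY_LEVELS = {"Low", "Untrusted", "AppContainer"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '131.0.2' or '131.0' into a comparable tuple, padding to three parts."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable Firefox version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def firefox_is_patched(version: str) -> bool:
    """True if a mainline Firefox release is at or above 131.0.2.

    Only valid for the mainline channel: ESR branches received separate fixed
    builds with lower major numbers and would be misreported by this comparison.
    """
    return parse_version(version) >= FIXED_FIREFOX_VERSION


def suspicious_task_creations(events: Iterable[dict]) -> list[dict]:
    """Flag scheduled-task registrations made from a sandboxed browser process.

    A task registered by a firefox.exe process, or by any process below medium
    integrity, is reported together with the reason it matched.
    """
    hits = []
    for ev in events:
        image = ev.get("creator_image", "").replace("\\", "/").lower()
        integrity = ev.get("creator_integrity", "")
        from_firefox = image.endswith("/firefox.exe")
        from_low = integrity in LOW_INTEGRITY_LEVELS
        if from_firefox or from_low:
            hits.append({
                "task_name": ev.get("task_name"),
                "creator_image": ev.get("creator_image"),
                "creator_integrity": integrity,
                "reason": "browser content process" if from_firefox else "low-integrity creator",
            })
    return hits


# Constructed sample telemetry (not real events). The second record models the
# pattern in the article: a Firefox content process registering a task.
SAMPLE_EVENTS = [
    {"task_name": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "creator_image": "C:\\Windows\\System32\\svchost.exe",
     "creator_integrity": "System"},
    {"task_name": "\\Updater",
     "creator_image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "creator_integrity": "Low"},
    {"task_name": "\\Backup",
     "creator_image": "C:\\Windows\\System32\\schtasks.exe",
     "creator_integrity": "High"},
]

if __name__ == "__main__":
    for v in ("131.0.1", "131.0.2", "132.0"):
        print(v, "patched" if firefox_is_patched(v) else "UNPATCHED")
    for hit in suspicious_task_creations(SAMPLE_EVENTS):
        print("suspicious:", hit)
```

The detection keys on the creating process rather than on the task's name or payload, because the task name and the application it launches are attacker-chosen and will change between campaigns, while a content process registering any task at all is the durable signal. Expect to allow-list the maintenance tasks Firefox itself registers at install or update time before running this against production telemetry.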
The cybersecurity firm’s analysis revealed that the files used to deliver the RomCom backdoor were created on October 3, but the threat actor might have known about the exploit earlier.
ESET reported the Firefox zero-day to Mozilla on October 8 and provided it with details of the sandbox escape. On October 14, Mozilla confirmed it and notified Microsoft of the Windows security defect it was tied to.
Likely working for the Russian government, RomCom was previously associated with the Cuba ransomware. In 2024, it was seen targeting entities in the US and Europe, including government, defense, and energy organizations for espionage, as well as pharmaceutical, legal, and insurance companies for cybercrime operations.
“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities,” ESET notes.