The two Zero-Day vulnerabilities, concatenated from each other, have provided Romom with an exploit that does not require any interaction from the user, if not navigation on a specificly created website. The victims were mostly located in Europe and North America
Researchers of ESET, a global European leader in the cybersecurity market, have identified a previously unknown vulnerability, CVE-2024-9680, in Mozilla products, exploited by the APT Romcom group, aligned with Russia. Further analyzes led to the discovery of another zero-day vulnerability in Windows, a privilege escalation bug now identified as CVE-2024-49039. In a successful attack, if the victim visits a web page containing the exploit, the attacker can perform arbitrary code without any user interaction (zero-click), leading to the installation of the Backdoor Romcom on the victim's device. The backdoor allows you to perform controls and download additional modules on the machine. The critical vulnerability linked to Mozilla, discovered by ESET Research on October 8, has a CommonArability Scoring System (CVSS) score of 9.8 on a scale from 0 to 10. In 2024, Romcom hit Ukrainian, in other European countries and the United States. According to ESET telemetry, between 10 October and 4 November 2024, the potential victims who visited the sites that housed the Exploit were mostly located in Europe and North America.
On October 8, 2024, ESET researchers discovered the CVE-2024-9680 vulnerability, a bug use-after-free in the animation functionality of the Firefox timeline. Mozilla corrected vulnerability on October 9, 2024. Further analyzes led to the discovery of another zero-day vulnerability in Windows: a privilege escalation bug identified as CVE-2024-49039, which allows the execution of code outside the Firefox sandbox. Microsoft released a patch for this second vulnerability on November 12, 2024.
The CVE-2024-9680 vulnerability allows the vulnerable versions of Firefox, Thunderbird and Tor Browser to perform code in the restricted context of the browser. In combination with the Windows vulnerability of 2024-49039, which has a CVSS score of 8.8, it is possible to perform arbitrary code in the context of the connected user. The joint use of the two zero-day vulnerabilities has allowed Romcom to develop an exploit that does not require any user interaction. This level of sophistication demonstrates both the intent and the group's skills in the development of unpaid tools. The successful attacks led to the installation of a Backdoor Romcom, in what appears as a large -scale campaign.
Romcom (also known as Storm-0978, Tropical Scorpius or UNC2596) is a pro-Russian group that leads both occasional campaigns against specific sectors and targeted espionage operations. The attention of the group focused on espionage and collection of information, parallel to more conventional computer crime activities. In 2024, ESET detected cyberspionage and computer crime operations conducted by Romcom against government bodies, the defense and energy sector in Ukraine, the pharmaceutical and insurance sector in the United States, the legal sector in Germany and government bodies in Europe.
"The compromise chain includes a false website that redirects the potential victim to the server that hosts the exploit. If the exploit is successful, a shellcode is performed that downloads and performs the Backdoor Romcom. We do not know how the link to the counterfeit website is distributed, but if the page is reached via a vulnerable browser, a payload is unloaded without any Interaction of the user, "says Damien Schaeffer, an ESET researcher who discovered both vulnerabilities. "We would like to thank the Mozilla team for the great reactivity and for the remarkable commitment to release a patch in less than a day," he adds. Each vulnerability has been corrected respectively by Mozilla and Microsoft.
It is at least the second time in which Romcom was caught taking advantage of a significant zero-day vulnerability, after the exploitation of CVE-2023-36884 through Microsoft Word in June 2023.
For a more detailed analysis of the uncovered vulnerabilities, consult the blog of ESET Research, RomCom exploits Firefox and Windows zero days in the wild, on WeliveSecurity.com. Follow ESET Research on Twitter (now known as X) For the latest news from ESET Research.
