
Security researchers at ESET have uncovered an attack chain that exploits multiple vulnerabilities to deploy the RomCom backdoor without requiring any user interaction.
RomCom, also known as Tropical Scorpius or UNC2596, is known for conventional cybercrime operations. The group has increasingly shifted toward espionage, targeting industries and government entities in Ukraine, Europe, and the United States.
The campaign by the pro-Russian group highlights the increasing sophistication of cyber espionage efforts against entities worldwide. It leverages the vulnerabilities below.
CVE-2024-9680: With a CVSS score of 9.8, this is a use-after-free bug in the animation timeline feature that allows arbitrary code execution within the restricted context of the browser; it affects Firefox, Thunderbird, and the Tor Browser.
CVE-2024-49039: With a CVSS score of 8.8, this is a privilege escalation vulnerability in Microsoft Windows. The flaw enables attackers to escape Firefox’s sandbox restrictions and execute code with the same privileges as the logged-in user.
The attack chain begins with a fake website hosting the exploit. Victims are redirected to the malicious webpage, which triggers the vulnerability in any unpatched browser.
A carefully crafted payload is then executed, delivering the RomCom backdoor. To avoid detection, the site redirects victims to legitimate websites after the exploit runs.
The JavaScript-based exploit abuses Firefox’s animation timeline feature, triggering the use-after-free bug to hijack the browser’s JIT (Just-In-Time) compiler. This technique runs a shellcode loader that downloads and executes the backdoor.
After escaping Firefox’s sandbox, the attackers use an undocumented Windows RPC endpoint to escalate privileges. This component launches a hidden PowerShell process, which downloads additional malicious files to complete the compromise of the system.
Vulnerability Disclosure Timeline
- October 8, 2024: The Firefox zero-day was discovered and reported to Mozilla.
- October 9, 2024: Mozilla issued a patch within 25 hours, releasing Security Advisory 2024-51 and updates for Firefox, Thunderbird, Tails, and the Tor Browser.
- October 14, 2024: Mozilla identified that the sandbox escape was linked to a Windows vulnerability, forwarding the issue to Microsoft.
- November 12, 2024: Microsoft patched the Windows zero-day via update KB5046612.
Chaining two zero-day vulnerabilities together armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities.
For more information, refer to the blog
Indicators of Compromise


