Firefox and Windows zero-days exploited by Russian RomCom hackers

​Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.

The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.

The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.

RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction. Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

Based on the name of one of the JavaScript exploits used in the attacks (main-tor.js), the threat actors also targeted Tor Browser users (versions 12 and 13, according to ESET's analysis).

"The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor," said ESET researcher Damien Schaeffer.

"While we don't know how the link to the fake website is distributed, however, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim's computer with no user interaction required."

Once deployed on a victim's device, this malware enabled the attackers to run commands and deploy additional payloads.

"Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor's will and means to obtain or develop stealthy capabilities," ESET added.

Additionally, the number of successful exploitation attempts in these attacks that ended with the RomCom backdoor being deployed on victims' devices led ESET to believe this was a widespread campaign.

"The number of potential targets runs from a single victim per country to as many as 250, according to ESET telemetry," ESET said.

This isn't the first time RomCom has exploited a zero-day in its attacks. In July 2023, its operators exploited a zero-day (CVE-2023-36884) in multiple Windows and Office products to attack organizations attending the NATO Summit in Vilnius, Lithuania.

RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596) has been linked to financially motivated campaigns and orchestrated ransomware and extortion attacks alongside credential theft (likely aimed at supporting intelligence operations).

The threat group was also linked to the Industrial Spy ransomware operation, which has since switched to Underground ransomware.

According to ESET, RomCom is now also targeting organizations in Ukraine, Europe, and North America for espionage attacks across various industries, including government, defense, energy, pharmaceuticals, and insurance.