Russian RomCom APT Group Leverages Zero-Day Flaws in Firefox and Windows

The Russia-aligned RomCom advanced persistent threat (APT) group has been observed chaining zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows into a zero-click exploit.

A researcher at cybersecurity firm ESET discovered the two vulnerabilities in October 2024; both have since been patched.

The vulnerability discovered in Mozilla’s Firefox, now assigned CVE-2024-9680 with a CVSS score of 9.8, has been exploited in the wild by Russia-aligned APT group RomCom.

RomCom is also known as Storm-0978, Tropical Scorpius, or UNC2596.

CVE-2024-9680 is a use-after-free bug in the animation timeline feature in Firefox. ESET reported the vulnerability to Mozilla on October 8, 2024, and it was patched within a day.

According to ESET's telemetry, between October 10, 2024 and November 4, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and North America.

“Some of them were using a non-vulnerable version of the browser or the exploit failed. For some of them, unfortunately, it succeeds, and the RomCom backdoor was installed and run on the victim’s computer,” explained ESET Senior Malware Researcher Damien Schaeffer, who discovered both vulnerabilities.

CVE-2024-9680 affected vulnerable versions of Mozilla's Firefox browser (including the ESR branches), the Thunderbird email client, which shares Firefox's rendering engine, and the Tor Browser, which is built on Firefox ESR. Mozilla shipped the fix in Firefox 131.0.2, Firefox ESR 128.3.1 and 115.16.1, and Thunderbird 131.0.1, 128.3.1 and 115.16.0; the Tor Project shipped it in Tor Browser 13.5.7.
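Because the fix landed on three Firefox branches at once, a naive "version below 131.0.2" check misclassifies every ESR install. The following is an added example, not code from ESET, Mozilla or the Tor Project, of a branch-aware check that can be run over a software inventory; the fixed versions are the ones listed above, while the hostnames, the version strings in the sample inventory and the `is_vulnerable`/`vulnerable_hosts` function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed build on each branch, per product (Firefox 131.0.2 / ESR 128.3.1 /
# ESR 115.16.1, Thunderbird 131.0.1 / 128.3.1 / 115.16.0, Tor Browser 13.5.7).
# "esrNNN" keys are long-term branches that must be compared against their own
# fix rather than against the release branch.
FIXED: Dict[str, Dict[str, Version]] = {
    "firefox":     {"release": (131, 0, 2), "esr128": (128, 3, 1), "esr115": (115, 16, 1)},
    "thunderbird": {"release": (131, 0, 1), "esr128": (128, 3, 1), "esr115": (115, 16, 0)},
    "tor":         {"release": (13, 5, 7)},
}

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, bool]:
    """Turn '128.3.1esr' into ((128, 3, 1), True); missing components count as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    major, minor, patch = (int(m.group(i) or 0) for i in (1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def is_vulnerable(product: str, version_text: str) -> bool:
    """True if this build predates the CVE-2024-9680 fix for its own branch."""
    product = product.lower()
    branches = FIXED[product]
    version, is_esr = parse_version(version_text)
    branch_key = f"esr{version[0]}"
    # Thunderbird 115 and 128 are ESR-based even when the string carries no suffix
    on_lts_branch = is_esr or product == "thunderbird"
    if on_lts_branch and branch_key in branches:
        return version < branches[branch_key]
    if is_esr:
        # An ESR major with no fixed build (e.g. 102.x) is end-of-life and never
        # received the patch, so it is reported as vulnerable
        return True
    return version < branches["release"]


def vulnerable_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose (product, version) predate the fix, sorted."""
    return sorted(host for host, product, ver in inventory if is_vulnerable(product, ver))


# Constructed sample inventory (hostnames and versions made up for this example)
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.1"),          # release branch, one build short of the fix
    ("ws-02", "firefox", "131.0.2"),          # fixed
    ("ws-03", "firefox", "128.3.0esr"),       # ESR 128, still vulnerable
    ("ws-04", "firefox", "128.3.1esr"),       # fixed ESR 128
    ("ws-05", "firefox", "115.16.0esr"),      # ESR 115, still vulnerable
    ("ws-06", "firefox", "102.15.1esr"),      # end-of-life ESR, never patched
    ("ws-07", "firefox", "132.0"),            # newer release, fixed
    ("mail-1", "thunderbird", "115.15.0"),    # Thunderbird 115 branch, vulnerable
    ("mail-2", "thunderbird", "128.3.1esr"),  # fixed
    ("kiosk-1", "tor", "13.5.6"),             # Tor Browser, vulnerable
    ("kiosk-2", "tor", "14.0"),               # fixed
]

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2024-9680")
```

Two caveats when feeding this real inventory data: some asset tools strip the `esr` suffix from Firefox version strings, in which case an ESR 128.3.1 install would be compared against 131.0.2 and flagged as vulnerable (a false positive, which is the safer direction to err in), and a patched version only says the host is no longer exploitable, not that it was not compromised during the window in which the exploit was live.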

On its own, the Firefox bug only gave attackers code execution inside the browser's sandboxed content process. Further analysis of the exploit revealed a second zero-day, this time in Windows: a privilege escalation bug in the Task Scheduler service, assigned CVE-2024-49039 with a CVSS score of 8.8, that lets the attacker's code break out of Firefox's sandbox. Microsoft patched it on November 12, 2024, in that month's Patch Tuesday release.

RomCom Installs Backdoor via Zero-Click Exploit

In a successful attack, merely loading a web page that hosts the exploit in a vulnerable browser lets the adversary run arbitrary code on the machine, with no click, download or prompt required, which is what makes it a zero-click exploit.

“Zero-click attacks are among the most dangerous and critical to address,” commented Schaeffer. However, he noted that they require a high level of sophistication and are pretty rare due to the investment required.

In this case it led to the installation of RomCom’s backdoor on the victim’s computer, according to ESET.

The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine.

ESET noted that chaining the two vulnerabilities lets arbitrary code run outside the browser sandbox in the context of the logged-in user, and that the resulting exploit requires no user interaction at all.

“The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor,” explained Schaeffer.

“While we don’t know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required.”

ESET added that this level of sophistication demonstrates the threat actor’s intent and means to obtain or develop stealthy capabilities.
