The Russia-based RomCom cybercrime group has been exploiting two zero-day vulnerabilities to target Firefox and Tor Browser users across Europe and North America.

The campaign, aimed at espionage and financial gain, leveraged a sophisticated chain of exploits to deliver the RomCom backdoor malware without requiring user interaction.

The Exploited Vulnerabilities

  1. CVE-2024-9680: A use-after-free flaw in Firefox’s animation timeline, enabling code execution within the browser sandbox. Mozilla patched this vulnerability on October 9, 2024, following its discovery by ESET.
  2. CVE-2024-49039: A privilege escalation flaw in the Windows Task Scheduler, allowing code execution outside the browser sandbox. Microsoft addressed this issue on November 12, 2024.

Attack Methodology

RomCom chained these vulnerabilities to create a seamless exploit chain. Victims only needed to visit a malicious website, which executed shellcode to download and install the RomCom backdoor. According to ESET, the campaign also targeted Tor Browser users (versions 12 and 13) using a JavaScript exploit named main-tor.js.


The attack flow involved fake websites redirecting users to exploit servers, where the vulnerabilities were leveraged to compromise systems. Once the backdoor was installed, attackers gained the ability to run commands, deploy additional malware, and conduct espionage.

Scale and Impact

ESET telemetry suggests the campaign was widespread, with victim counts ranging from single individuals in some countries to as many as 250 in others. Industries targeted include government, defense, energy, pharmaceuticals, and insurance, with a specific focus on organizations in Ukraine, Europe, and North America.


This is not the first instance of RomCom exploiting zero-days. In July 2023, the group targeted attendees of the NATO Summit using another zero-day vulnerability (CVE-2023-36884) in Windows and Office products. Known for financially motivated campaigns, ransomware, and credential theft, RomCom has also been linked to operations such as Industrial Spy and Underground ransomware.