Ethical Hacking News
Romanian-speaking hackers known as RomCom, believed by some to be linked to Russia, have exploited zero-day flaws in Firefox and Windows to deliver a custom-made malware payload to compromised systems.
The RomCom threat actor has carried out a zero-day exploitation campaign using CVE-2024-9680 in Mozilla Firefox and CVE-2024-49039 in Microsoft Windows. The attack chain involved a fake website that redirects victims to a server hosting the malicious payload. The malicious payload delivers RomCom's backdoor on victim systems, utilizing a PE loader based on Shellcode Reflective DLL Injection (RDI). The majority of victims were located in Europe and North America, highlighting the threat actor's adaptability. RomCom RAT is an actively maintained malware capable of executing commands and downloading additional modules.
The cybersecurity landscape has seen a series of sophisticated attacks in recent times, as malicious actors continue to refine their techniques. One operation that caught the attention of security researchers is the zero-day exploitation campaign carried out by the Russia-aligned threat actor known as RomCom. This article covers the details of this campaign: the exploits used, the vulnerabilities targeted, and the consequences of the activity.
According to recent reports, RomCom has been linked to the zero-day exploitation of two security flaws: one in Mozilla Firefox and the other in Microsoft Windows. The first, CVE-2024-9680, is a use-after-free vulnerability in Firefox's Animation component, which was patched by Mozilla in October 2024. The second, CVE-2024-49039, is a privilege escalation vulnerability in Windows Task Scheduler, which was patched by Microsoft in November 2024.
The RomCom threat actor has been associated with various malicious activities since at least 2022, and its recent zero-day exploitation campaign highlights its ability to carry out complex and stealthy attacks. The attack chain discovered by Slovak cybersecurity company ESET involved the use of a fake website (economistjournal[.]cloud) that redirects prospective victims to a server (redjournal[.]cloud) hosting the malicious payload.
The malicious payload, which is responsible for delivering RomCom's backdoor on victim systems, consists of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI). This results in a sandbox escape for Firefox that ultimately leads to the download and execution of RomCom RAT on the compromised system.
Telemetry data gathered by ESET shows that a majority of the victims who visited the exploit-hosting site were located in Europe and North America. The use of fake websites as part of this campaign is notable, as it highlights the creativity and adaptability of malicious actors in exploiting vulnerabilities.
The deployment of RomCom RAT, an actively maintained malware capable of executing commands and downloading additional modules to the victim's machine, underscores the threat actor's ability to carry out ongoing operations. This malware has been used in various attacks in the past, including both cybercrime and espionage operations.
In conclusion, the zero-day exploitation campaign carried out by RomCom highlights the importance of staying vigilant and proactive in addressing emerging security threats. As malicious actors continue to evolve and improve their techniques, it is essential for organizations and individuals alike to remain informed about the latest vulnerabilities and exploits, and to take necessary steps to protect themselves against such attacks.
Related Information:
https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html
https://www.bleepingcomputer.com/news/security/firefox-and-windows-zero-days-exploited-by-russian-romcom-hackers/
https://nvd.nist.gov/vuln/detail/CVE-2024-9680
https://www.cvedetails.com/cve/CVE-2024-9680/
https://nvd.nist.gov/vuln/detail/CVE-2024-49039
https://www.cvedetails.com/cve/CVE-2024-49039/
Published: Tue Nov 26 07:02:21 2024 by llama3.2 3B Q4_K_M