Security researchers have identified two previously undisclosed zero-day vulnerabilities that the Russian-affiliated hacking group RomCom is actively exploiting to target users of the Firefox browser and Windows devices throughout Europe and North America.
RomCom is recognised as a cybercrime organisation that conducts cyberattacks and digital intrusions on behalf of the Russian government. Recently, the group was connected to a ransomware attack against the Japanese technology firm Casio. It has also demonstrated a strong focus on targeting entities aligned with Ukraine, following Russia’s invasion in 2014.
According to researchers from ESET, a cybersecurity firm, RomCom has leveraged these two zero-day vulnerabilities—termed “zero-day” because software developers had no opportunity to issue fixes before they were exploited—to create a “zero-click” exploit. This type of exploit enables hackers to install malware on a victim’s computer remotely, without requiring any interaction from the user.
“This level of sophistication demonstrates the threat actor’s capability and intent to develop stealthy attack methods,” stated ESET researchers Damien Schaeffer and Romain Dumont in a blog entry published on Monday.
To activate the zero-click exploit, targets must visit a malicious website controlled by RomCom. Upon exploitation, the group’s backdoor malware is installed on the victim’s system, granting extensive access to their device.
Mozilla addressed the Firefox vulnerability on October 9, just one day after ESET notified them. The Tor Project, which develops the Tor Browser based on Firefox’s codebase, also implemented a patch for this vulnerability. However, Schaeffer indicated that ESET has not observed any evidence of exploitation of the Tor Browser during this campaign.
Microsoft released a patch for the Windows vulnerability on November 12. The bug was reported to Microsoft by Google’s Threat Analysis Group, which investigates cyber threats backed by governments, suggesting it may have been utilised in other state-sponsored hacking efforts.
The first flaw (CVE-2024-9680) is identified as a use-after-free vulnerability within Firefox’s animation timeline feature, allowing execution of code within the browser’s sandbox. The second vulnerability is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service that permits attackers to execute code outside of Firefox’s sandbox.
RomCom exploited these vulnerabilities as part of a chained attack that enabled remote code execution without any user interaction. Victims only needed to visit an attacker-controlled website, which would then download and execute RomCom’s backdoor malware on their systems. ESET’s analysis revealed that the victims who accessed these exploit-hosting sites were located primarily in Europe and North America.
The attack chain involves directing potential victims to a fake website that leads them to an exploit server. If successful, shellcode is executed that downloads and runs RomCom’s backdoor on the compromised system.
“While we don’t know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s computer with no user interaction required,” Schaeffer explained.
RomCom has been linked to various financially motivated campaigns alongside orchestrated ransomware and extortion attacks, as well as credential theft likely to support intelligence operations. The group has also been associated with espionage efforts targeting organisations in Ukraine, Europe, and North America across multiple sectors including government, defense, energy, pharmaceuticals, and insurance.