RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

The Russia-aligned threat actor known as RomCom has been linked to the exploitation of two zero-day vulnerabilities, chained together in attacks aimed at installing its backdoor on victim systems. The two flaws are:

  1. CVE-2024-9680: A use-after-free vulnerability in the Animation timeline component of Mozilla Firefox. Exploiting it gives an attacker arbitrary code execution inside the browser's content process as soon as a victim loads a crafted web page, with no further user interaction (a zero-click exploit). Mozilla patched the flaw on 9 October 2024 in Firefox 131.0.2, Firefox ESR 128.3.1 and Firefox ESR 115.16.1. With a CVSS score of 9.8, it is rated critical.
  2. CVE-2024-49039: An elevation-of-privilege vulnerability in the Windows Task Scheduler. Successful exploitation lets code running in a low-privilege sandbox execute at a higher integrity level, which is what makes it usable as a sandbox escape. Microsoft patched it in the November 2024 Patch Tuesday release (12 November 2024). It carries a CVSS score of 8.8, rated high severity.

RomCom (also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu) has a history of conducting both cybercrime and espionage operations since at least 2022; the name is used for both the group and its backdoor.

  • RomCom RAT: The primary payload deployed in these attacks is the RomCom Remote Access Trojan (RAT). This malware is actively maintained and is designed to execute arbitrary commands, establish remote control over infected systems, and download additional malicious modules. Once installed, RomCom RAT can provide attackers with persistent access to victim systems, enabling further exploitation.
  • Attack Chain: The attack chain discovered by ESET, a Slovak cybersecurity company, starts from a fake website, economistjournal[.]cloud. This site acts as a redirector, sending victims on to a server at redjournal[.]cloud that hosts the malicious payload.
  • Exploitation of Vulnerabilities: The attack utilized a combination of the two zero-day vulnerabilities:
    • CVE-2024-9680 (use-after-free vulnerability in Firefox)
    • CVE-2024-49039 (privilege escalation in Windows Task Scheduler)

Chained together, the two flaws take the attacker from a page load to code running outside the browser sandbox. The victim visits the fake website; the Firefox vulnerability gives the attacker code execution inside the sandboxed content process; the Task Scheduler vulnerability is then used from inside that process to escape the sandbox; finally the RomCom RAT is downloaded and executed on the victim's system.

  • Sandbox Escape: The exploit pairs the Firefox vulnerability with the Windows Task Scheduler flaw to escape the browser's sandbox, the security boundary that is meant to keep a compromised content process from reaching the rest of the system.
  • PocLowIL Library: An embedded library, PocLowIL, loaded into memory by the exploit's PE loader, performs the sandbox escape by exploiting the Task Scheduler privilege escalation flaw.

Distribution and Targeting:

  • The method used to deliver links to the fake website (economistjournal[.]cloud) is not known; plausible vectors are phishing emails, malicious advertising, or compromised legitimate websites.
  • Geographic Impact: ESET telemetry shows that most victims who visited the exploit-hosting site were located in Europe and North America, consistent with targeting of high-value individuals or organizations for espionage or financially motivated crime.
  • CVE-2024-49039 was discovered by ESET and was also independently reported to Microsoft by Google's Threat Analysis Group (TAG), which raises the possibility that more than one threat actor is exploiting it.
  • This is RomCom's second known zero-day exploitation in the wild:
    • The first was in June 2023, when RomCom abused CVE-2023-36884, a remote code execution flaw in Microsoft Office and Windows, via crafted Word documents.

TECHNICAL DETAILS:

  1. CVE-2024-9680 (Firefox Vulnerability)
  • Type: Use-after-free vulnerability in Firefox's Animation timeline component.
  • Exploit Mechanism: When a victim running a vulnerable Firefox version visits a specially crafted webpage, the exploit runs automatically.
    • Zero-click: No interaction beyond loading the page is required; no click or other action is needed.
    • The bug yields arbitrary code execution within the browser's content process, which runs inside the Firefox sandbox.
  • Execution of Shellcode:
    • The exploit places shellcode in the content process's memory. The shellcode is split into two parts:
      • First Part: Retrieves the second part from memory and marks the memory pages containing it as executable.
      • Second Part: Implements a PE loader based on the open-source Shellcode Reflective DLL Injection (RDI) project. Reflective loading maps a PE image into the process straight from memory, without writing it to disk, which keeps this stage away from file-based defenses.
  • Outcome: The PE loader loads the embedded PocLowIL library, which carries out the sandbox escape. At this point the attacker's code is still confined by the Firefox sandbox and needs the second vulnerability to reach the rest of the system.
  2. CVE-2024-49039 (Windows Task Scheduler Privilege Escalation)
  • Type: Elevation-of-privilege vulnerability in the Windows Task Scheduler.
  • Exploit Mechanism:
    • The flaw lets code running at low privilege (here, the sandboxed content process) execute at a higher integrity level than the sandbox allows. It is the sandbox escape itself, not a step that follows one.
    • PocLowIL, running inside the sandboxed Firefox content process, exploits this flaw to break out of the sandbox and run code outside the browser's restrictions.
    • Once outside the sandbox, the attacker can execute arbitrary code and install further malware, such as the RomCom RAT. The flaw does not by itself grant administrator rights; it moves the attacker from the sandbox's low integrity level to a higher one.
  3. RomCom RAT Payload
  • Remote Access Trojan (RAT): Once the chain has escaped the sandbox, the RomCom RAT is downloaded from the attacker's server and executed.
    • Capabilities: RomCom RAT is an actively maintained malware that allows attackers to remotely control the infected system.
    • Functionality:
      • Command Execution: It allows attackers to execute commands on the compromised system.
      • Module Download: It can download additional malicious modules to further compromise the system or maintain persistence.
      • Stealth and Persistence: The RAT can be used to maintain persistent access to the system, which can be used for data exfiltration or other malicious activities over time.
  4. Exploit Chain
  • The chain begins when the victim visits the malicious website (economistjournal[.]cloud), which redirects to the server hosting the payload.
  • Loading the page triggers CVE-2024-9680, and shellcode executes inside the browser's sandboxed content process.
  • The shellcode's PE loader loads PocLowIL, which exploits CVE-2024-49039 in the Task Scheduler to escape the sandbox and run code at a higher integrity level.
  • The RomCom RAT is then downloaded and executed, giving the attacker remote control of the compromised system.
  5. PocLowIL Library
  • PocLowIL is the embedded library the exploit uses for the sandbox escape.
    • It is loaded reflectively into the sandboxed content process rather than from a file on disk.
    • It weaponizes the Task Scheduler flaw (CVE-2024-49039); the sandbox escape and the privilege escalation are the same step.
  6. Shellcode Reflective DLL Injection (RDI)
  • The shellcode's PE loader is based on the open-source Shellcode Reflective DLL Injection (RDI) project.
    • Reflective DLL injection maps a DLL into memory and performs its relocations and import resolution itself, without registering the module through LoadLibrary or writing the DLL to disk, which helps the attacker avoid detection by file-based security tools.
    • In this chain the loader is what brings the embedded PocLowIL library into the content process's memory; the library therefore never exists as a file on the victim's disk.
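
The exploit chain above leaves a process-tree trace that endpoint telemetry can catch regardless of the specific bug: a sandboxed Firefox content process should never launch anything but another firefox.exe, and anything the Task Scheduler service launches from a user-writable directory deserves a look. The following is an added example, not code from the original writeup or from ESET, that runs those two heuristics over constructed Sysmon-style process-creation records. The command-line shape of the Schedule service host and the exact parent/child relationship after a Task Scheduler escape are assumptions.

```python
"""Process-tree heuristics for a browser sandbox escape.

Added example, not code from the original writeup or from ESET. It scores
constructed, Sysmon-style process-creation records (Event ID 1 fields) for
two patterns a chain like the one above can leave behind:

  1. a Firefox content process (firefox.exe started with -contentproc)
     spawning anything other than another firefox.exe;
  2. a process started by the Task Scheduler service host from a
     user-writable directory.

Both are heuristics, not signatures for this exploit. The exact
parent/child shape after a Task Scheduler escape is an assumption.
"""
import json
import re
from typing import Iterable, List, Tuple

# Directories a standard user can write to; a payload dropped after a
# sandbox escape is most likely to live here.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
# Assumption: the Schedule service runs in a svchost instance whose command
# line names the service with "-s Schedule".
SCHEDULE_HOST = re.compile(r"svchost\.exe.*-s\s+Schedule\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Last path component, lower-cased (Windows paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> List[str]:
    """Return findings for one process-creation event (empty if benign)."""
    findings = []
    parent_img = image_name(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "")
    child_path = event.get("Image", "")
    child_img = image_name(child_path)

    # Rule 1: a sandboxed content process has no business launching
    # anything; the main browser process spawns helpers, content does not.
    if parent_img == "firefox.exe" and "-contentproc" in parent_cmd:
        if child_img != "firefox.exe":
            findings.append(f"content-process-child:{child_img}")

    # Rule 2: scheduler-launched binary living in a user-writable location.
    if SCHEDULE_HOST.search(parent_cmd) and USER_WRITABLE.search(child_path):
        findings.append(f"scheduled-from-user-writable:{child_path}")

    return findings


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Parse JSON-per-line events and return (image, findings) for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze(event)
        if findings:
            hits.append((event.get("Image", ""), findings))
    return hits


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # benign: main browser process starting a content process
        "ParentImage": FIREFOX, "ParentCommandLine": f'"{FIREFOX}"',
        "Image": FIREFOX,
        "CommandLine": f'"{FIREFOX}" -contentproc --channel=1 tab',
    },
    {   # suspicious: content process launching a dropped binary
        "ParentImage": FIREFOX,
        "ParentCommandLine": f'"{FIREFOX}" -contentproc --channel=1 tab',
        "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe",
    },
    {   # suspicious: Task Scheduler running something from AppData
        "ParentImage": SVCHOST,
        "ParentCommandLine": f"{SVCHOST} -k netsvcs -p -s Schedule",
        "Image": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
        "CommandLine": r"C:\Users\alice\AppData\Roaming\svc\helper.exe",
    },
    {   # benign: Task Scheduler running a system binary
        "ParentImage": SVCHOST,
        "ParentCommandLine": f"{SVCHOST} -k netsvcs -p -s Schedule",
        "Image": r"C:\Windows\System32\MusNotification.exe",
        "CommandLine": r"C:\Windows\System32\MusNotification.exe",
    },
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_LINES):
        print(image, "->", ", ".join(findings))
```

Rule 1 is the one worth keeping long term: it is independent of which browser bug was used and fires on any content-process sandbox escape that spawns a child directly. Rule 2 is noisier, since legitimate updaters also run scheduled binaries from AppData, so pair it with signature checks or an allow-list before alerting on it.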

Indicators of Compromise (IOCs):

  1. Malicious URLs

The attack involves a fake website that serves the exploit. Although the exact method of distribution is unclear, the malicious URLs are crucial for identifying initial infection vectors.

  • Initial Fake Website (redirector):
    • economistjournal[.]cloud
    • The fake site victims land on first; it redirects them to the server hosting the malicious payload.
  • Malicious Payload Hosting Server:
    • redjournal[.]cloud
    • The server the redirector sends victims to; it serves the payload that leads to RomCom RAT execution. Block and alert on both domains, including any subdomains.
  2. IP Addresses

This writeup does not list IP addresses. Resolve the two domains in your passive DNS or threat intelligence sources and record the addresses they resolved to during the campaign window; those can then be used to find hosts that reached the infrastructure by IP or through other hostnames on the same servers.

  3. File Hashes (MD5, SHA1, SHA256)

Once the RomCom RAT is installed it may leave file artifacts (executables or DLLs) on the victim's system. This writeup does not reproduce sample hashes; take them from ESET's published indicators for this campaign and load them into your EDR or file-scanning tooling. Match on SHA-256 where possible, and treat hash lists for an actively maintained malware family as perishable, since new builds will not match them.
  4. Registry Keys
  • Malicious registry entries may be created to maintain persistence, for example an autorun value that starts the RomCom RAT at logon.
    • Persistence: Review the Run and RunOnce values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for entries pointing at binaries in user-writable locations such as AppData or Temp. Since this chain abuses the Task Scheduler, also review scheduled tasks for recently created entries that run binaries from those locations.
  5. File Names

Certain files might be used during the attack, such as temporary files created during exploitation or files associated with the RomCom RAT payload.

  • Malicious Executables or Libraries: The PocLowIL library is loaded reflectively in memory, so a PocLowIL.dll file is not expected on disk; its name is more likely to surface in memory scans or in security products that log reflectively loaded modules. Files dropped for the RomCom RAT itself may appear, typically under user-writable paths.
  6. Network Traffic

Once the RomCom RAT is running, it communicates with its command-and-control (C2) servers. Monitoring for that traffic is the most reliable way to find compromised systems after the fact.

  • Suspicious Domain Names: Look for DNS queries and web requests to economistjournal[.]cloud and redjournal[.]cloud, including their subdomains.
  • Unusual Destinations: C2 traffic usually rides on HTTPS to blend in, so do not rely on port-based detection alone. Look for periodic (beaconing) connections from workstations to newly registered or otherwise unknown domains, and for outbound connections made by a Firefox content process or by an unexpected process.
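
The domain indicators above are published defanged, and the easy mistake when hunting is a plain substring match that either misses subdomains or matches unrelated names that merely end in the same string. The following is an added example, not part of the original writeup, that refangs the two indicators and hunts for them across constructed DNS and proxy log lines, matching the exact domain and its subdomains only. The log line formats and every sample line are constructed for the example.

```python
"""Hunt DNS and proxy logs for the RomCom infrastructure named above.

Added example, not from the original writeup. The indicators are the two
domains given in the text, kept defanged as published and refanged before
matching. The log line formats and every sample line are constructed for
this example and are not real telemetry.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

DEFANGED_IOCS = ["economistjournal[.]cloud", "redjournal[.]cloud"]


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style indicators into matchable form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def domain_matches(host: str) -> Optional[str]:
    """Return the IoC that host equals or is a subdomain of, else None.

    The suffix check includes the dot so that e.g. 'notredjournal.cloud'
    does not match 'redjournal.cloud'.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Assumed (constructed) line shapes:
#   <ts> dns   client=<ip> query=<name> type=<rrtype>
#   <ts> proxy client=<ip> url=<url> status=<code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>dns|proxy)\s+client=(?P<client>\S+)\s+"
    r"(?:query=(?P<query>\S+)|url=(?P<url>\S+))"
)


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, matched_ioc, observed_value) per hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m.group("query"):
            observed = m.group("query")
            host = observed
        else:
            observed = m.group("url")
            host = urlsplit(observed).hostname or ""
        ioc = domain_matches(host)
        if ioc:
            hits.append((m.group("ts"), m.group("client"), ioc, observed))
    return hits


def clients_seen(hits) -> List[str]:
    """Distinct client IPs, in first-seen order, for follow-up triage."""
    seen = []
    for _, client, _, _ in hits:
        if client not in seen:
            seen.append(client)
    return seen


# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-10-08T09:12:01Z dns client=10.0.4.17 query=economistjournal.cloud type=A
2024-10-08T09:12:02Z proxy client=10.0.4.17 url=https://economistjournal.cloud/ status=302
2024-10-08T09:12:02Z proxy client=10.0.4.17 url=https://redjournal.cloud/ status=200
2024-10-08T09:13:44Z dns client=10.0.4.22 query=cdn.redjournal.cloud type=A
2024-10-08T09:14:10Z dns client=10.0.4.30 query=notredjournal.cloud type=A
2024-10-08T09:15:00Z proxy client=10.0.4.31 url=https://www.example.org/news status=200
"""

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for ts, client, ioc, observed in results:
        print(f"{ts} {client} matched {ioc}: {observed}")
    print("clients to triage:", clients_seen(results))
```

A client that resolved the redirector and then fetched from the payload server within seconds, as 10.0.4.17 does in the sample, is the pattern that warrants immediate host triage; a lone DNS lookup with no follow-on request may be a security scanner or a prefetch and should be checked against the user's browser history before escalating.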

IMPACT:

  1. System Compromise
  • Initial Intrusion: Chaining CVE-2024-9680 in Firefox with CVE-2024-49039 in Windows gives RomCom code execution on the victim's system outside the browser sandbox.
    • Zero-click attack: The chain requires no user interaction beyond loading the page, so systems can be compromised covertly and quickly.
    • Privilege escalation: The Task Scheduler flaw moves the attacker from the sandboxed content process, which runs at low integrity with little access to the system, to a higher integrity level with the logged-on user's normal access to files, network and persistence mechanisms. It does not by itself confer administrator rights.
  2. Remote Access and Control
  • RomCom RAT Execution: Once the attack chain succeeds, the RomCom RAT is installed, providing attackers with the ability to remotely control the infected machine.
    • Command Execution: Attackers can execute arbitrary commands, allowing them to take complete control of the victim’s system and perform malicious actions like data theft, surveillance, or other forms of cyber exploitation.
    • Module Downloading: The RAT can download additional malicious payloads, enabling further compromise and persistence.
    • Exfiltration of Sensitive Data: Attackers can steal confidential or sensitive information, including personal, financial, or corporate data, depending on the victim.
  3. Persistence and Stealth
  • Persistence: The RomCom RAT allows attackers to maintain access to the compromised system even after reboots or system updates, ensuring continuous exploitation.
    • Backdoors and Evasion Techniques: The RAT may employ evasion techniques, such as using reflective DLL injection or leveraging vulnerabilities that are difficult to detect by conventional security tools.
  • Sandbox Escape: The use of the sandbox escape technique (through the PocLowIL library) allows RomCom to bypass Firefox’s security mechanisms, which would otherwise prevent execution of malicious code in the browser’s content process. This makes the attack more difficult to detect and mitigate.
  4. Broader Network Compromise
  • Spread of Attack: If the infected system is part of a larger network (e.g., a corporate or governmental network), the attacker may use the initial foothold to move laterally and infect other systems within the network.
    • Network-wide Data Exfiltration: Attackers can attempt to steal information from multiple systems or compromise additional sensitive data sources in the network.
    • Spreading to Other Devices: Attackers may escalate privileges across the network or deploy additional malware to compromise more systems and maintain control.
  5. Espionage and Corporate Espionage
  • Espionage: Given that the RomCom RAT is a tool primarily used in cyber espionage operations, the attack is likely to have been aimed at government organizations, critical infrastructure, or large enterprises.
    • Surveillance: Attackers could use the RAT to monitor communications, track user activity, or capture sensitive internal documents, leading to significant intellectual property theft or leakage of sensitive governmental information.
  • Corporate Espionage: For businesses, this could mean the theft of proprietary business information, customer data, or strategic planning materials, which could result in financial losses, reputational damage, or competitive disadvantages.
  6. Financial and Reputational Damage
  • Financial Losses: Organizations that are targeted may face direct financial losses due to:
    • Data theft (e.g., intellectual property, trade secrets, personal data).
    • Ransomware deployment (if additional payloads or ransomware are installed).
    • Regulatory fines for not maintaining proper security measures or failing to protect customer data.
  • Reputational Damage: Being compromised by an attack as sophisticated as RomCom RAT can lead to significant reputational harm for any organization, especially if customer data is exfiltrated or critical operations are disrupted.
    • Loss of trust from customers, partners, and stakeholders can have long-term impacts, especially in sectors like finance, healthcare, or government.

RECOMMENDATIONS:

  1. Apply Patches and Updates Promptly
  • Update Firefox: Make sure every Firefox install is at or above the version that fixes CVE-2024-9680: Firefox 131.0.2, Firefox ESR 128.3.1 or Firefox ESR 115.16.1 (all released 9 October 2024). Thunderbird and the Tor Browser share the affected engine and received corresponding updates; include them in the check.
  • Update Windows: Install the November 2024 (12 November) Windows security updates, which fix CVE-2024-49039 in the Task Scheduler; the KB number varies by Windows version and build, so verify by update state rather than by a single KB.
  • Automate Updates: Enable automatic updates for both Firefox and Windows so fixes are applied as soon as they are available, and confirm deployment from inventory data rather than assuming it.
  2. Implement Network Segmentation and Monitoring
  • Network Segmentation: Limit the lateral movement of attackers within the network by segmenting sensitive systems (e.g., servers, workstations) from less critical areas. This can prevent the RomCom RAT from spreading across the network.
  • Monitor Network Traffic: Actively monitor network traffic for signs of suspicious activity, such as connections to known malicious domains like economistjournal[.]cloud and redjournal[.]cloud. Use tools like intrusion detection systems (IDS) or security information and event management (SIEM) systems to flag unusual outbound communications to suspicious IP addresses.
  • Outbound Traffic Inspection: Investigate any unusual outbound connections that might be associated with command-and-control (C2) servers or exfiltration of sensitive data. C2 communication could occur over common ports like HTTP/HTTPS or custom ports.
  3. Employ Endpoint Protection and Detection
  • Antivirus/Antimalware Software: Ensure that robust endpoint protection software is in place on all systems, with real-time scanning enabled to detect and block RomCom RAT payloads or other malicious files. Make sure the software is up-to-date with the latest signatures for detecting RATs and other malware.
  • Behavioral Detection: Enable behavioral monitoring and heuristic detection to identify malicious activity on endpoints. Look for signs of unusual behavior such as new executable files running from temporary directories or unknown processes attempting to establish external network connections.
  • File Integrity Monitoring: Use file integrity monitoring tools to detect any unauthorized changes to critical system files, including the presence of unusual registry keys or executables that might indicate a RomCom RAT infection.
  4. Restrict Administrative Privileges
  • Principle of Least Privilege: Limit administrative privileges to the users who need them, and keep day-to-day browsing on accounts without them, so that whatever follows a sandbox escape runs with as little access as possible.
  • User Account Control (UAC): Keep UAC enabled at its default or a stricter setting. UAC is not a security boundary and does not block this chain, which escapes the browser sandbox rather than crossing the UAC prompt; its value here is in limiting what an attacker running as a standard user can do afterwards.
  • Privilege Escalation Detection: Alert on signs of sandbox escape and privilege escalation, such as a Firefox content process spawning an unexpected child process or the Task Scheduler launching binaries from user-writable paths, especially on hosts still missing the November 2024 update that fixes CVE-2024-49039.
  5. Improve Phishing and Social Engineering Defenses
  • Training and Awareness: Conduct regular security awareness training for employees to help them recognize phishing attempts and suspicious websites. Even though this attack exploits zero-day vulnerabilities, initial access often comes through user interaction with malicious links or phishing emails.
  • URL Filtering: Implement DNS filtering or URL filtering to block access to known malicious domains (e.g., economistjournal[.]cloud and redjournal[.]cloud) and prevent users from visiting exploit-hosting websites.
  • Email Filtering: Use email security gateways to filter out phishing emails that might contain links to malicious websites or payloads designed to trigger vulnerabilities like CVE-2024-9680.
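
The patching recommendation above is only useful if you can tell which installs are actually below the fixed version, and Firefox's three branches (release, ESR 128, ESR 115) each have a different fix version, so a naive "is the version new enough" check gets ESR hosts wrong. The following is an added example, not code from the original writeup or from Mozilla, that compares version strings against the correct branch fix for CVE-2024-9680 and reads the version from Firefox's application.ini. The inventory and the application.ini text are constructed, and the default Windows install path is an assumption.

```python
"""Check installed Firefox versions against the CVE-2024-9680 fix versions.

Added example, not code from the original writeup or from Mozilla. The fix
versions are Mozilla's (Firefox 131.0.2, ESR 128.3.1, ESR 115.16.1). The
inventory and application.ini text below are constructed; the default
Windows install path is an assumption. The Windows side of the chain
(CVE-2024-49039) is not checked here, because its KB number depends on
the OS build; use Get-HotFix or your patch-management inventory for that.
"""
import configparser
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Fix version per ESR branch; anything else is measured against the
# release branch fix. Majors between 128 and 131 were never patched and
# compare as vulnerable, which is correct for unsupported releases.
FIXED_ESR = {115: (115, 16, 1), 128: (128, 3, 1)}
FIXED_RELEASE: Version = (131, 0, 2)

# Assumption: default install location on Windows.
DEFAULT_APPLICATION_INI = r"C:\Program Files\Mozilla Firefox\application.ini"


def parse_version(text: str) -> Version:
    """'131.0.2', '128.3.1esr', '131.0' -> (131, 0, 2) style tuple."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    return (major, minor, patch)


def fix_for(version: Version) -> Version:
    """Fixed version that applies to this install's branch."""
    return FIXED_ESR.get(version[0], FIXED_RELEASE)


def is_vulnerable(version_text: str) -> bool:
    """True when the install is below the fix for its branch."""
    v = parse_version(version_text)
    return v < fix_for(v)


def version_from_application_ini(ini_text: str) -> str:
    """Read [App] Version from the contents of Firefox's application.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["App"]["Version"]


def installed_version(path: str = DEFAULT_APPLICATION_INI) -> str:
    """Version of the Firefox install at `path` (reads the file on disk)."""
    with open(path, encoding="utf-8") as fh:
        return version_from_application_ini(fh.read())


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(host, version) pairs -> (host, version, required_version) for the
    hosts still exposed to CVE-2024-9680."""
    exposed = []
    for host, ver in inventory:
        v = parse_version(ver)
        fix = fix_for(v)
        if v < fix:
            exposed.append((host, ver, ".".join(map(str, fix))))
    return exposed


# Constructed inventory and application.ini, not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "131.0.2"),
    ("ws-002", "131.0"),
    ("ws-003", "128.3.1esr"),
    ("ws-004", "128.3.0esr"),
    ("ws-005", "115.16.1esr"),
    ("ws-006", "115.15.0esr"),
    ("ws-007", "132.0.1"),
]
SAMPLE_APPLICATION_INI = """\
[App]
Vendor=Mozilla
Name=Firefox
RemotingName=firefox
Version=131.0.1
BuildID=20241001000000
ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[Gecko]
MinVersion=131.0.1
MaxVersion=131.0.1
"""

if __name__ == "__main__":
    for host, ver, need in triage(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {ver} is vulnerable, needs {need}")
    v = version_from_application_ini(SAMPLE_APPLICATION_INI)
    print("application.ini says", v, "vulnerable:", is_vulnerable(v))
```

Feed `triage` the (hostname, version) pairs from your software inventory, or call `installed_version()` on a single Windows host; a host on 128.3.0esr is reported as needing 128.3.1 rather than 131.0.2, which is what an ESR deployment actually needs to apply.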