Full Report
The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems. "In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user
Analysis Summary
# Main Topic
RomCom, a Russia-aligned threat actor, is actively exploiting zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to deliver their eponymous backdoor (RomCom RAT) on victim systems via a sophisticated web-based attack chain.
## Key Points
- The attack chain involves a victim browsing a malicious web page, leading to the exploitation of two separate zero-day flaws without requiring user interaction (zero-click capability in the initial exploitation phase).
- Successful exploitation allows the adversary to run arbitrary code and install the RomCom backdoor.
- The attack utilizes a fake website (`economistjournal[.]cloud`) redirecting victims to a server (`redjournal[.]cloud`) hosting the payload, which chains the two vulnerabilities.
- The successful exploitation leads to the deployment of RomCom RAT, malware capable of command execution and downloading additional modules.
## Threat Actors
- **Primary Actor:** RomCom (also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu).
- **Affiliation:** Russia-aligned.
- **Activity:** Track record spanning cybercrime and espionage operations since at least 2022.
## TTPs
- **Method:** Exploitation of chained zero-day vulnerabilities triggered by browsing a specific web page.
- **Initial Access:** Web traffic to a malicious domain.
- **Payload Delivery:** Deployment of RomCom RAT post-exploitation.
- **Code Execution:** Achieved by chaining the Firefox and Windows vulnerabilities.
## Affected Systems
- **Software 1:** Mozilla Firefox (specifically involving the Animation component).
  - Affected Vulnerability: **CVE-2024-9680** (Use-after-free, CVSS: 9.8).
- **Software 2:** Microsoft Windows Task Scheduler.
  - Affected Vulnerability: **CVE-2024-49039** (Privilege Escalation, CVSS: 8.8).
- **Scope:** Systems running vulnerable versions of Firefox and Windows prior to patches.
## Mitigations
- **Patching (Firefox):** Apply patches released by Mozilla for CVE-2024-9680 (Patched in October 2024).
- **Patching (Windows):** Apply patches released by Microsoft for CVE-2024-49039 (Patched in November 2024).
- **Network Defense:** Monitor and potentially block traffic to known malicious exploit delivery domains (`economistjournal[.]cloud` and `redjournal[.]cloud`).
- **User Awareness:** While this is described as a zero-click exploit pathway, heightened awareness regarding browsing redirects is crucial.
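The network-defense item above is the one that can be operationalised directly from the report's indicators. The following Python script is an added example (not part of the original report or of any vendor tooling) that refangs the two published domains, scans a proxy log for requests to them or to any of their subdomains, and then looks for the lure-then-payload sequence the report describes (a request to `economistjournal[.]cloud` followed by one to `redjournal[.]cloud` from the same client). The log format (`timestamp client method url status`) and the sample lines are constructed for the example; swap the regex for your proxy's real format.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Exploit-delivery domains named in the report, kept defanged as published.
DEFANGED_DOMAINS = ["economistjournal[.]cloud", "redjournal[.]cloud"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator (example[.]com, hxxp://) into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


BLOCKLIST = frozenset(refang(d) for d in DEFANGED_DOMAINS)


def host_matches(host: str, blocklist=BLOCKLIST) -> bool:
    """True when host is a blocklisted domain or any subdomain of one.

    The '.' prefix in the endswith check is deliberate: it stops a look-alike
    such as notredjournal.cloud from matching redjournal.cloud.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


# Assumed log layout (not a real product format): timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample proxy log; the two blocklisted hosts and one look-alike are deliberate.
SAMPLE_LOG = """\
2024-10-08T09:12:01Z 10.0.0.5 GET https://www.example.org/news/ 200
2024-10-08T09:12:07Z 10.0.0.5 GET https://economistjournal.cloud/ 302
2024-10-08T09:12:08Z 10.0.0.5 GET https://redjournal.cloud/ 200
2024-10-08T09:13:30Z 10.0.0.9 GET https://cdn.economistjournal.cloud/logo.png 200
2024-10-08T09:14:02Z 10.0.0.9 GET https://notredjournal.cloud/ 200
"""


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    status: str


def scan_log(text: str, blocklist=BLOCKLIST) -> list[Hit]:
    """Return every request whose host matches the blocklist, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, blocklist):
            hits.append(Hit(m["ts"], m["client"], host.lower().rstrip("."), m["status"]))
    return hits


def redirect_chains(hits: list[Hit], lure: str, payload: str) -> list[str]:
    """Clients that contacted the lure domain and later the payload domain.

    Mirrors the chain in the report: the fake site redirects to the server
    hosting the exploit, so a lure hit followed by a payload hit from the same
    client is a stronger signal than either request alone.
    """
    saw_lure: set[str] = set()
    flagged: list[str] = []
    for h in hits:
        if host_matches(h.host, {lure}):
            saw_lure.add(h.client)
        elif host_matches(h.host, {payload}) and h.client in saw_lure and h.client not in flagged:
            flagged.append(h.client)
    return flagged


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} -> {h.host} ({h.status})")
    print("lure->payload chain seen from:",
          redirect_chains(found, "economistjournal.cloud", "redjournal.cloud"))
```

Matching on the parsed hostname rather than substring-searching the raw line is what keeps `notredjournal.cloud` out of the results while still catching subdomains such as `cdn.economistjournal.cloud`; a plain `grep` for the domain string would get both of those cases wrong. Clients flagged by `redirect_chains` are the ones to prioritise for Firefox and Windows patch-level verification and RomCom RAT post-compromise hunting.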
## Conclusion
This incident highlights a critical, stealthy attack methodology leveraging two high-severity zero-day vulnerabilities against widely used software (Firefox and Windows) to deploy sophisticated state-affiliated malware (RomCom RAT). Immediate patching of the mentioned CVEs is the highest priority mitigation. Threat detection systems should be configured to identify activity related to the RomCom RAT post-compromise.