RomCom exploits Firefox and Windows zero days in the wild
ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit
ESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.
This critical vulnerability, assigned CVE-2024-9680 with a CVSS score of 9.8, allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Chained with another previously unknown vulnerability in Windows, assigned CVE-2024-49039 with a CVSS score of 8.8, arbitrary code can be executed in the context of the logged-in user. In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer.
RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine.
