According to cybersecurity researchers, the Russia-aligned threat group known as RomCom was able to exploit recent vulnerabilities in Firefox and Windows before they were patched to compromise victims located in Europe and North America with its self-titled backdoor.
The first vulnerability, designated CVE-2024-9680, is a use-after-free flaw in Firefox’s Animation component that was patched in October 2024. The second vulnerability, designated CVE-2024-49039, is a privilege escalation flaw in Windows Task Scheduler that was patched in November 2024 after being discovered and disclosed by Google.
The attack chain begins when a target is directed to a RomCom server that hosts the exploit. If the target is running a vulnerable version of Firefox, the exploit executes shellcode that lets RomCom escape Firefox’s sandbox by exploiting CVE-2024-9680, then download and execute the RomCom backdoor with the elevated privileges obtained through CVE-2024-49039.
Once the target visits the website, no further user interaction is required, which classifies RomCom’s infection technique as ‘zero-click’.
Source: The Hacker News
Analysis
RomCom is a sophisticated cyber threat actor involved in various malicious activities, including ransomware attacks and espionage. Initially identified for financially motivated operations, the group’s focus has recently shifted toward politically driven cyber campaigns, often aligned with Russian state interests.
RomCom’s usual targets, which include NATO-related organizations, Ukraine, and entities supporting Ukraine in geopolitical conflicts, often overlap with other Russian state-aligned hacking activities, suggesting a potential connection to Russian intelligence services.
RomCom’s primary tool, the RomCom backdoor, is a frequently updated remote access trojan (RAT) capable of data exfiltration, executing arbitrary commands, and installing additional malicious software.
RomCom’s evolving and increasingly sophisticated techniques pose a significant risk and highlight the importance of deploying robust cybersecurity measures, like Field Effect MDR, for organizations in Ukraine, or those doing Ukraine-related work contrary to Russian interests.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat groups such as RomCom.
Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that governments and organizations in Ukraine, or those doing Ukraine-related work contrary to Russian interests, adopt a heightened cybersecurity posture given the threat posed by Russian state-sponsored cyber actors. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.