RomCom Exploits Zero Days In Recent Backdoor Campaigns

The threat actor group RomCom has exploited two zero-days in its recent backdoor campaigns. While patches for both zero-day vulnerabilities are available, users must install them, since the campaign targets unpatched systems.
RomCom Exploits Zero-Days In Latest Campaign
According to the latest ESET report, the Russian threat actor group RomCom has again become active against Windows users.
Specifically, RomCom chains two zero-days to deploy backdoor malware on target systems in its recent attacks. The vulnerabilities are:
- CVE-2024-9680 (critical; CVSS 9.8): A use-after-free in Animation timelines affecting Mozilla products. According to the advisory, this vulnerability impacted Mozilla Firefox, Firefox ESR and Tor Browser, and the email client Thunderbird. Mozilla patched it in Firefox 131.0.2, Firefox ESR 128.3.1 and 115.16.1, Tor Browser 13.5.7, Thunderbird 131.0.1, 128.3.1 and 115.16.0, and Tails 6.8.1. Exploiting this vulnerability allows an adversary to achieve code execution in the content process.
- CVE-2024-49039 (important; CVSS 8.8): A privilege escalation vulnerability in Windows Task Scheduler that permitted elevated privileges to an attacker upon executing a maliciously crafted application. Microsoft patched this vulnerability with the Patch Tuesday November 2024 updates.
Although the respective vendors have already addressed both vulnerabilities, the threat actors were still able to exploit the flaws in their recent attacks against unpatched systems. The attackers chain the two vulnerabilities, using the browser bug for initial code execution and the Task Scheduler bug to escalate privileges, in order to deploy backdoor malware on their targets.
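Because the only defence the article identifies is being on a fixed build, a useful first step for a defender is to triage an inventory of Mozilla product versions against the fixed versions quoted above. The script below is an added example written for this article, not code from ESET or Mozilla; the fixed-version table is taken from the advisory versions listed in the text, the branch rule (major 115 and 128 are ESR lines, everything else compares against the current release fix) is an assumption about how Mozilla's release trains map to those numbers, and the inventory rows are constructed sample data.

```python
# Triage Mozilla product versions against the CVE-2024-9680 fixed builds
# named in the article. Added example; fixed versions come from the
# advisory as quoted in the text, branch mapping is an assumption.

# Fixed builds per product and branch (from the article's list).
FIXED_VERSIONS = {
    "firefox":     {"release": (131, 0, 2), "esr128": (128, 3, 1), "esr115": (115, 16, 1)},
    "thunderbird": {"release": (131, 0, 1), "esr128": (128, 3, 1), "esr115": (115, 16, 0)},
    "tor-browser": {"release": (13, 5, 7)},
}


def parse_version(text):
    """Turn strings like '128.3.1esr', '131.0' or '13.5.6' into a 3-tuple of ints.

    Trailing non-digit suffixes inside a component (e.g. '1esr', '0b2') are
    dropped so that comparisons stay numeric. Missing components pad to 0.
    """
    core = text.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def branch_for(product, version):
    """Pick which fixed build applies: ESR lines are keyed by major version
    (assumption: 115.x and 128.x are ESR), anything else is the release line."""
    fixes = FIXED_VERSIONS[product]
    major = version[0]
    if major == 115 and "esr115" in fixes:
        return "esr115"
    if major == 128 and "esr128" in fixes:
        return "esr128"
    return "release"


def is_patched(product, version_text):
    """True when the installed version is at or above the fixed build for its branch."""
    version = parse_version(version_text)
    return version >= FIXED_VERSIONS[product][branch_for(product, version)]


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns unpatched entries
    as (host, product, installed, required_fix) so they can be queued for updates."""
    findings = []
    for host, product, version_text in inventory:
        if is_patched(product, version_text):
            continue
        version = parse_version(version_text)
        fix = FIXED_VERSIONS[product][branch_for(product, version)]
        findings.append((host, product, version_text, ".".join(map(str, fix))))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "131.0.1"),       # one build short of the release fix
    ("ws-02", "firefox", "128.3.1esr"),    # ESR 128 fixed build
    ("ws-03", "firefox", "115.16.0esr"),   # ESR 115, needs 115.16.1
    ("ws-04", "thunderbird", "115.16.0"),  # Thunderbird ESR 115 fix is 115.16.0
    ("ws-05", "tor-browser", "13.5.6"),    # needs 13.5.7
    ("ws-06", "firefox", "132.0"),         # newer release, already fixed
]

if __name__ == "__main__":
    for host, product, installed, required in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {installed} is below fixed build {required}")
```

Feed it the real output of your software inventory (endpoint agent export, SCCM/Intune report, or `firefox --version` collected by a job) rather than the sample rows, and treat any finding as a host that still exposes the initial-access half of the chain described above.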
Attackers Maintain A Low Profile In The Recent Campaign
RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a known threat actor group, presumably with Russian links. The group specifically targets businesses with financially motivated attacks and cyber espionage. To achieve their malicious goals, the attackers deploy a backdoor on the target system, which then downloads additional payloads and executes malicious commands.
In the recent attacks, RomCom lured users into downloading the malware via phishing web pages. Once the user visited a website hosting the exploit, the exploit triggered the vulnerability and executed shellcode, ultimately infecting the device with RomCom RAT.
According to ESET researchers, recent attacks have primarily targeted users in North America and Europe. Interestingly, the attackers maintain a low profile in these attacks, targeting 1 to 250 users per country.
Given the availability of vulnerability fixes, ensuring prompt system updates is the key to avoiding this attack.