Summary:
ESET researchers have uncovered a critical zero-day vulnerability (CVE-2024-9680) in Mozilla products, exploited by the Russia-aligned group RomCom. This vulnerability allows arbitrary code execution in the browser context, enabling the installation of RomCom’s backdoor. The exploit is linked to another Windows vulnerability (CVE-2024-49039), highlighting a sophisticated attack chain that requires no user interaction. Mozilla promptly patched the vulnerabilities, demonstrating effective incident response.
#RomCom #ZeroDay #MozillaVulnerability
Keypoints:
On October 8th, 2024, ESET discovered a zero-day vulnerability in Mozilla products exploited in the wild.
The vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox’s animation timeline feature.
Mozilla patched the vulnerability on October 9th, 2024.
A second zero-day vulnerability in Windows (CVE-2024-49039) was also identified, allowing code execution outside of Firefox’s sandbox.
RomCom’s backdoor was delivered through successful exploitation of these vulnerabilities.
RomCom targets various sectors, including government and pharmaceutical industries, for espionage and cybercrime.
The exploit chain involves a fake website redirecting victims to a server hosting the exploit.
Mozilla and Microsoft released patches for the vulnerabilities shortly after their discovery.
MITRE Techniques:
Initial Access (T1189): Drive-by Compromise – RomCom compromises victims through a user visiting a website hosting an exploit.
Execution (T1053.005): Scheduled Task/Job – RomCom creates a scheduled task using RPC to execute the next stage downloader.
Privilege Escalation (T1068): Exploitation for Privilege Escalation – RomCom exploits a vulnerability to escape the Firefox sandbox.
Defense Evasion (T1622): Debugger Evasion – The RomCom backdoor detects debuggers by registering an exception handler.
Credential Access (T1555.003): Credentials from Password Stores – The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.
Collection (T1560): Archive Collected Data – The RomCom backdoor stores data in a ZIP archive for exfiltration.
Command and Control (T1071.001): Standard Application Layer Protocol – The RomCom backdoor uses HTTP or HTTPS as a C&C protocol.
Exfiltration (T1041): Exfiltration Over Command-and-Control Channel – The RomCom backdoor exfiltrates data using the HTTPS C&C channel.
Impact (T1565): Data Manipulation – RomCom manipulates systems and steals data.
IoC:
Full Research: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/