Summary:
ESET researchers have uncovered a critical zero-day vulnerability (CVE-2024-9680) in Mozilla products, exploited in the wild by the Russia-aligned group RomCom. The bug allows arbitrary code execution in the restricted context of the browser; chained with a second zero-day in Windows (CVE-2024-49039) that escapes the Firefox sandbox, it lets RomCom install its backdoor with no user interaction beyond visiting a malicious web page. Mozilla patched its bug within a day of being notified, and Microsoft released a fix for CVE-2024-49039 shortly after.
#RomCom #ZeroDay #MozillaVulnerability
Keypoints:
- On October 8th, 2024, ESET discovered a zero-day vulnerability in Mozilla products exploited in the wild.
- The vulnerability, CVE-2024-9680, is a use-after-free bug in Firefox’s animation timeline feature.
- Mozilla patched the vulnerability on October 9th, 2024.
- A second zero-day vulnerability, CVE-2024-49039, a privilege escalation bug in the Windows Task Scheduler service, was used to run code outside of Firefox’s sandbox.
- RomCom’s backdoor was delivered through successful exploitation of these vulnerabilities.
- RomCom targets various sectors, including government and pharmaceutical industries, for espionage and cybercrime.
- The exploit chain starts with a fake website that redirects the victim to a server hosting the exploit; if exploitation succeeds, the RomCom backdoor is downloaded and executed.
- Mozilla and Microsoft released patches for the vulnerabilities shortly after their discovery.
MITRE Techniques:
- Initial Access (T1189): Drive-by Compromise – RomCom compromises victims through a user visiting a website hosting an exploit.
- Execution (T1053.005): Scheduled Task/Job: Scheduled Task – RomCom creates a scheduled task over the Task Scheduler RPC interface to execute the next-stage downloader.
- Privilege Escalation (T1068): Exploitation for Privilege Escalation – RomCom exploits a vulnerability to escape the Firefox sandbox.
- Defense Evasion (T1622): Debugger Evasion – The RomCom backdoor detects debuggers by registering an exception handler.
- Credential Access (T1555.003): Credentials from Password Stores: Credentials from Web Browsers – The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.
- Collection (T1560): Archive Collected Data – The RomCom backdoor stores data in a ZIP archive for exfiltration.
- Command and Control (T1071.001): Application Layer Protocol: Web Protocols – The RomCom backdoor uses HTTP or HTTPS as its C&C protocol.
- Exfiltration (T1041): Exfiltration Over Command-and-Control Channel – The RomCom backdoor exfiltrates data using the HTTPS C&C channel.
- Impact (T1565): Data Manipulation – RomCom manipulates systems and steals data.
IoC:
- [IP] 194.87.189[.]171
- [IP] 178.236.246[.]241
- [IP] 62.60.238[.]81
- [IP] 147.45.78[.]102
- [IP] 46.226.163[.]67
- [IP] 62.60.237[.]116
- [IP] 62.60.237[.]38
- [IP] 194.87.189[.]19
- [IP] 45.138.74[.]238
- [IP] 176.124.206[.]88
- [File Name] utils.js
- [File Name] main-tor.js
- [File Name] main-128.js
- [File Name] main-129.js
- [File Name] PocLowIL.dll
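The indicators above are published defanged (the "[.]" convention for IPs), so they cannot be matched against raw logs as-is. The following is an added example, not code from ESET or from the report, that refangs the listed IPs and file names and runs them over a handful of constructed proxy/EDR log lines (the lines are invented for this example and kept defanged the same way the IoC list is; the scanner normalizes both sides before matching). Note that utils.js is a very generic file name and is best treated as a weak indicator that only matters alongside one of the IPs or the other file names.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Network IoCs copied from the list above, still defanged.
DEFANGED_IPS = [
    "194.87.189[.]171", "178.236.246[.]241", "62.60.238[.]81", "147.45.78[.]102",
    "46.226.163[.]67", "62.60.237[.]116", "62.60.237[.]38", "194.87.189[.]19",
    "45.138.74[.]238", "176.124.206[.]88",
]
# File-name IoCs from the list above. utils.js is generic and prone to false
# positives on its own; keep it, but weigh it accordingly when triaging hits.
IOC_FILENAMES = ["utils.js", "main-tor.js", "main-128.js", "main-129.js", "PocLowIL.dll"]


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators can be matched."""
    return text.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


# Parse the refanged IPs once; ip_address() also rejects malformed entries early.
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}

# Dotted quad with word boundaries, so 194.87.189.1710 does not match 194.87.189.171.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILENAME_RE = re.compile(
    r"\b(" + "|".join(re.escape(name) for name in IOC_FILENAMES) + r")\b",
    re.IGNORECASE,
)


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line, in order of appearance."""
    normalized = refang(line)
    hits: list[tuple[str, str]] = []
    for candidate in IPV4_RE.findall(normalized):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. octets > 255 that the regex still accepts
            continue
        if ip in IOC_IPS:
            hits.append(("ip", str(ip)))
    for name in FILENAME_RE.findall(normalized):
        hits.append(("filename", name))
    return hits


def scan_log(lines: Iterable[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return (line_number, hits) for every line that carries at least one indicator."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


# Constructed sample log lines (not from the report). The 10.0.0.0/8 sources are
# internal clients; line 4 carries a near-miss IP that must not match.
SAMPLE_LOG = [
    "2024-10-08T09:12:01Z src=10.0.0.15 GET https://example.invalid/news 200 text/html",
    "2024-10-08T09:12:03Z src=10.0.0.15 GET https://194.87.189[.]171/main-128.js 200 text/javascript",
    "2024-10-08T09:12:04Z src=10.0.0.15 FileCreate C:\\Users\\alice\\AppData\\Local\\Temp\\PocLowIL.dll",
    "2024-10-08T09:12:05Z src=10.0.0.15 GET https://194.87.189[.]1710/index.html 404 text/html",
    "2024-10-08T09:13:10Z src=10.0.0.22 POST https://62.60.237[.]116/upload 200 application/octet-stream",
]


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + ", ".join(f"{kind}={value}" for kind, value in hits))
```

Run against real data, feed scan_log() the lines of a proxy or EDR export instead of SAMPLE_LOG; for large volumes, the same IOC_IPS set and FILENAME_RE can be dropped into a streaming reader without change.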
Full Research: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/