Russian APT RomCom combines Firefox and Windows zero-day flaws in drive-by exploit – Source: www.csoonline.com

A Russia-aligned group that engages in both cybercrime and cyberespionage operations used a zero-click exploit chain last month that combined previously unknown and unpatched vulnerabilities in Firefox and Windows.

The campaign, whose goal was to deploy the group’s RomCom backdoor on computers, targeted users from Europe and North America. The APT group, also known as Storm-0978, Tropical Scorpius, and UNC2596 uses both opportunistic attacks against various business sectors, as well as targeted intelligence collection operations, especially against government entities from Ukraine and countries that support Ukraine.

This year, researchers from antivirus vendor ESET detected RomCom campaigns against the government, defense, and energy sectors in Ukraine, the pharmaceutical and insurance sectors in the US, the legal sector in Germany, and various European government organizations. The latest campaign in October that used the zero-day exploit seemed to have a worldwide distribution, with a particular focus on the EU and the US.

“This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023,” the ESET researchers said in a report this week.

Exploit uses a Firefox remote code execution flaw

The latest attacks were launched via rogue website redirects against users of Firefox or Tor Browser (which is based on Firefox) on Windows. While it’s not clear how users were directed to the attacker-controlled URLs, the domains serving the exploit included the prefix redir or suffix red attached to a legitimate domain that the user was eventually redirected to.

Some examples include correctiv.org, a German non-profit news site; devolutions.net, a remote access and password management solutions provider; and connectwise.com, an MSP and IT management software provider.

When visiting the redirect page, a malicious JavaScript script is executed that exploits a use-after-free memory vulnerability in the Firefox animation timelines feature. The flaw, now tracked as CVE-2024-9680, was patched on Oct. 9, one day after the ESET researchers reported it to Mozilla. The vulnerability is rated critical with a score of 9.8 and results in code execution inside the Firefox content process, namely a malicious DLL library in this case.

“Mozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9, 2024,” the ESET researchers said. “Essentially, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.”

A privilege escalation flaw in Windows Task Scheduler

The Firefox content process is sandboxed, having an untrusted privilege level, which means that the attackers couldn’t execute code on the underlying operating system with just the Firefox vulnerability alone.

To escape the process sandbox, the RomCom attack exploited another previously unknown vulnerability in the Windows Task Scheduler that was patched on Nov. 12 and is now tracked as CVE-2024-49039.

“Essentially, the library makes use of an undocumented RPC endpoint, which should not have been callable from an untrusted process level, to launch a hidden PowerShell process that downloads a second stage from a C&C server,” the ESET researchers said.

In particular the RPC (Remote Procedure Call) endpoint is used to create a scheduled task named firefox.exe that is configured to launch conhost.exe in headless mode in order to hide the child process window. This results in privilege escalation to medium integrity allowing the sandbox escape.

The second stage payload downloaded by the PowerShell script is saved in the %PUBLIC% folder as public.exe and is executed twice, with a 10-second delay. The ESET report includes a list of indicators of compromise, such as file hashes, IP addresses and rogue domain names, associated with this campaign and zero-click exploit.

“This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities,” the researchers said. “ESET shared detailed findings with Mozilla, following our coordinated vulnerability disclosure process shortly after discovery. Mozilla released a blog post about how they reacted to the disclosure and were able to release a fix within 25 hours, which is very impressive in comparison to industry standards.”