The Russian cybercrime group RomCom has been linked to a series of cyberattacks launched across the world. The notorious hackers are chaining a Firefox flaw and a Windows flaw to deliver a backdoor and compromise vulnerable systems.
The two zero-days involved in this attack are CVE-2024-9680 (CVSS score: 9.8), a use-after-free flaw in Firefox’s Animation component, and CVE-2024-49039 (CVSS score: 8.8), a privilege escalation vulnerability in Windows Task Scheduler. Both vulnerabilities have already been patched.
Technical Details: Zero-Days
CVE-2024-9680 – Use-after-free
The HTML iframe ‘animation0.html’ loaded by the exploit creates four animation elements, which are handled by an AnimationTimeline object. When a getter function cancels an animation element, the element is set to null so that it is freed. Meanwhile, the Tick function iterates over the animations of the AnimationTimeline, appending the ones that need to be removed to a local array called animationsToRemove. The animation currently being processed can therefore be freed in the middle of the iteration, leaving Tick holding a dangling pointer.
The exploit code uses heap management to control which objects replace the freed animations, and then calls the getInfo function, leaking properties of ImageData objects. It then leaks the address of a JavaScript object and exploits the Firefox JIT compiler to run the initial shellcode component within the context of a content process.
The initial shellcode, called the egg-hunting shellcode, locates the second shellcode in memory by searching for a hardcoded magic value, 0x8877665544332211. It then changes the memory protection of the identified address to read-write-execute (RWX) and executes the code stored there.
The second shellcode, called the reflective loader shellcode, loads an embedded library designed solely to bypass the restrictions of Firefox’s sandboxed content process. We’ll talk more about this library while describing the second zero-day.
CVE-2024-49039 – Privilege escalation
The aforementioned library, named PocLowIL by its developers and identified by the SHA1 hash ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6, enables a sandbox escape, elevating privileges from the untrusted integrity level of the content process to medium integrity level.
The sandbox escape code within the library takes advantage of the overly permissive security descriptor applied to an undocumented RPC endpoint. The descriptor is of the form D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD), which allows anyone to interact with the RPC interface and call its procedures regardless of their integrity level.
The threat actor exploited this flaw by creating a task named firefox.exe that launches conhost.exe, which is used to hide the child process window. The subsequent PowerShell script retrieves an executable from https://journalctd[.]live/JfWb4OrQPLh, saves it in the %PUBLIC% folder as public.exe, and executes it. Ten seconds later, the file is renamed to epublic.exe and executed again.
Technical Details: Exploit Chain
This attack is particularly dangerous because it’s zero-click; all a user has to do is visit a web page that contains the exploit, and an attacker can run arbitrary code to install the backdoor without any user interaction.
The chain starts with a fake website, economistjournal[.]cloud (do not try to access it), which redirects users to another website, redjournal[.]cloud. The method of distribution is currently unknown. This site hosts the exploit code and drops malware known as the RomCom RAT onto the user’s system. A final redirection takes the user back to the original website to avoid raising suspicion.
About RomCom
RomCom, a Russia-linked hacker group, also goes by the names Storm-0978, Tropical Scorpius, and UNC2596. They are known for their espionage operations, spreading RomCom RAT, and maintaining backdoors on affected systems. Some of their campaigns have been financially motivated; they have spread ransomware, stolen credentials, and extorted victims.
In July 2023, RomCom leveraged another zero-day vulnerability (CVE-2023-36884) in various Windows and Office products to target organizations participating in the NATO Summit in Vilnius, Lithuania.
Products Affected
- Mozilla Firefox
- Tor Browser
- Windows Task Scheduler
Impact
RomCom RAT can steal user data, execute commands, and download new modules on affected systems.
Between October 10, 2024, and November 4, 2024, most potential victims who accessed websites hosting the exploit were located in Europe and North America. The number of potential targets ranged from a single individual per country to as many as 250.
Solutions
CVE-2024-9680 was patched in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1, and Tor 13.5.7. The fix uses reference-counting pointers so that the animations cannot be freed while AnimationTimeline::Tick still holds a reference to them.
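The fixed builds above are spread over three Firefox lines plus Tor Browser, and the Windows fix below is tied to one build number, so a version comparison has to pick the right line first. The following Python is an added example (not the post's or Mozilla's code) that does that for an inventory record; it assumes version strings in the usual dotted form, that 115.x and 128.x are the ESR lines, that Tor Browser releases after 13.5.7 keep the fix, and that Windows build lines other than 10.0.19041 cannot be judged from what the post lists.

```python
# Fixed builds as listed in the post. The major version selects the line:
# 115.x and 128.x are ESR lines, anything else is treated as the release line.
FIREFOX_FIXED = {
    115: (115, 16, 1),        # Firefox ESR 115.16.1
    128: (128, 3, 1),         # Firefox ESR 128.3.1
    "release": (131, 0, 2),   # Firefox 131.0.2
}
TOR_BROWSER_FIXED = (13, 5, 7)
# The post names only the 10.0.19041 build line (KB5046612) for CVE-2024-49039.
WINDOWS_FIXED = {(10, 0, 19041): 5129}


def parse_version(text):
    """'128.3.1esr' -> (128, 3, 1); tuples compare component-wise."""
    cleaned = text.strip().lower().replace("esr", "")
    return tuple(int(part) for part in cleaned.split("."))


def firefox_status(version):
    v = parse_version(version)
    fixed = FIREFOX_FIXED.get(v[0], FIREFOX_FIXED["release"])
    return "patched" if v >= fixed else "vulnerable"


def tor_browser_status(version):
    # Assumption: every Tor Browser release after 13.5.7 carries the fix forward.
    return "patched" if parse_version(version) >= TOR_BROWSER_FIXED else "vulnerable"


def windows_status(build):
    v = parse_version(build)
    if len(v) != 4 or v[:3] not in WINDOWS_FIXED:
        # Other build lines (for example Windows 11) got their own updates that
        # the post does not list, so this checker refuses to guess.
        return "unknown"
    return "patched" if v[3] >= WINDOWS_FIXED[v[:3]] else "vulnerable"


def assess(host):
    """host: dict with optional 'firefox', 'tor_browser' and 'windows' version strings."""
    result = {}
    if "firefox" in host:
        result["CVE-2024-9680 (Firefox)"] = firefox_status(host["firefox"])
    if "tor_browser" in host:
        result["CVE-2024-9680 (Tor Browser)"] = tor_browser_status(host["tor_browser"])
    if "windows" in host:
        result["CVE-2024-49039 (Windows)"] = windows_status(host["windows"])
    return result


if __name__ == "__main__":
    # Constructed inventory record, not a real host.
    print(assess({"firefox": "128.3.0esr", "windows": "10.0.19041.5073"}))
```

Because a host is only fully protected when both fixes are present (the Firefox bug gives code execution in the sandbox, the Windows bug lets it out), anything other than "patched" on either line should be treated as exposed to the whole chain.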
CVE-2024-49039 was patched in build 10.0.19041.5129, released with KB5046612. The fix applies a more restrictive security descriptor, D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME), which prevents the privilege escalation.
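To make the difference between the pre-patch descriptor quoted under CVE-2024-49039 and the patched one above concrete, here is an added Python example (not the post's or Microsoft's code) that parses both SDDL strings and reports who the DACL lets in and whether a mandatory integrity label is present. The pre-patch string is written with the closing parenthesis that SDDL syntax requires; the trustee and right abbreviations are the documented SDDL ones, and the set of "broad" trustees a sandboxed caller belongs to is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Descriptors quoted in the post: pre-patch first (closing parenthesis completed), patched second.
VULNERABLE_SDDL = "D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD)"
PATCHED_SDDL = "D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME)"

# Documented SDDL abbreviations used by the two descriptors.
TRUSTEES = {
    "WD": "Everyone", "SY": "Local System", "LS": "Local Service",
    "NS": "Network Service", "IU": "Interactive users",
    "S-1-15-2-1": "ALL APPLICATION PACKAGES", "ME": "Medium mandatory level",
}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "NW": "NO_WRITE_UP", "NR": "NO_READ_UP",
          "NX": "NO_EXECUTE_UP"}
# Trustees that a low-privilege or sandboxed caller is a member of (example's assumption).
BROAD_TRUSTEES = {"WD", "AU", "BU", "S-1-15-2-1"}


@dataclass
class Ace:
    acl: str        # "D" (DACL) or "S" (SACL)
    ace_type: str   # "A" allow, "D" deny, "ML" mandatory label, ...
    flags: str
    rights: list    # two-letter right tokens, e.g. ["GR", "GW"]
    trustee: str


def parse_sddl(sddl):
    """Split an SDDL string into its DACL and SACL ACEs."""
    aces = []
    for acl, _acl_flags, body in re.findall(r"(D|S):([^(]*)((?:\([^()]*\))*)", sddl):
        for raw in re.findall(r"\(([^()]*)\)", body):
            fields = raw.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: ({raw})")
            ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            aces.append(Ace(acl, ace_type, flags, tokens, trustee))
    return aces


def audit(sddl):
    """Summarise who the DACL admits and whether an integrity label is set."""
    report = {"allowed": {}, "full_control_to_broad": [], "label": None}
    for ace in parse_sddl(sddl):
        if ace.acl == "D" and ace.ace_type == "A":
            report["allowed"][ace.trustee] = ace.rights
            if ace.trustee in BROAD_TRUSTEES and "GA" in ace.rights:
                report["full_control_to_broad"].append(ace.trustee)
        elif ace.acl == "S" and ace.ace_type == "ML":
            # A mandatory label with NW/NX/NR stops lower-integrity callers.
            report["label"] = (ace.trustee, ace.rights)
    report["risk"] = "any-caller-full-access" if report["full_control_to_broad"] else "restricted"
    return report


def describe(report):
    lines = [f"risk: {report['risk']}"]
    for trustee, rights in report["allowed"].items():
        names = ", ".join(RIGHTS.get(r, r) for r in rights)
        lines.append(f"  allow {TRUSTEES.get(trustee, trustee)}: {names}")
    if report["label"]:
        level, policy = report["label"]
        lines.append(f"  label {TRUSTEES.get(level, level)}: {', '.join(RIGHTS.get(p, p) for p in policy)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, sddl in (("before", VULNERABLE_SDDL), ("after", PATCHED_SDDL)):
        print(f"[{name}] {sddl}\n{describe(audit(sddl))}\n")
```

The same routine can be pointed at the descriptors of your own RPC endpoints or named objects: an allow ACE granting GA to Everyone or to ALL APPLICATION PACKAGES, with no mandatory label in the SACL, is exactly the shape that let the sandboxed content process reach the vulnerable interface.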
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.