In a recent series of backdoor campaigns, the threat actor group RomCom has exploited two zero-day vulnerabilities. Although patches for these vulnerabilities are available, it is crucial for users to update their systems promptly to prevent falling prey to these exploits.
RomCom Strikes with Zero-Day Exploits
According to a report by ESET, the Russia-aligned threat actor group RomCom has resurfaced with targeted attacks against Windows users. The group chained two zero-day vulnerabilities to deploy backdoor malware in its recent campaigns.
These vulnerabilities include:
- CVE-2024-9680 (critical; CVSS 9.8): a use-after-free in Animation timelines affecting Mozilla products. Mozilla fixed it on 9 October 2024 in Firefox 131.0.2, Firefox ESR 128.3.1 and 115.16.1, and Thunderbird 131.0.1, 128.3.1 and 115.16.0; the Tor Project shipped the fix in Tor Browser 13.5.7. Exploiting the flaw gives the attacker code execution inside the browser's sandboxed content process.
- CVE-2024-49039 (important; CVSS 8.8): a privilege escalation vulnerability in the Windows Task Scheduler, fixed in Microsoft's November 2024 Patch Tuesday release. In this chain it serves as the sandbox escape: code already running in the content process uses it to break out of the browser sandbox and run at medium integrity level, with the logged-on user's normal privileges.
Both flaws were exploited in the wild before their patches shipped, which is what made them zero-days; systems that have not yet applied both updates remain exposed. Chained together, the browser bug supplies code execution and the Task Scheduler bug removes the sandbox, which is all the attackers need to drop their backdoor on the target system.
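The fastest check an administrator can run is a version comparison against the fixed releases listed above. The following script is an added example, not code from ESET, Mozilla or the article: the fixed-version table encodes the releases named in Mozilla's advisories and the Tor Browser 13.5.7 release; the sample inventory at the bottom is constructed for illustration. It handles the detail a naive string comparison gets wrong, namely that the ESR branches (115.x, 128.x) and the mainline branch (131.x) each have their own fixed version, and that an unsupported branch in between (for example Firefox 130) never received the fix at all.

```python
"""Check whether a Mozilla product version includes the fix for CVE-2024-9680.

Fixed releases per Mozilla's advisories (Firefox and Thunderbird) and the
Tor Project's 13.5.7 release are the only external facts encoded here.
"""
from __future__ import annotations

import re

# Lowest patched release on each maintained branch, keyed by product and
# major version. Branches not listed (e.g. Firefox 130) were out of support
# when the fix shipped and never received it.
FIXED: dict[str, dict[int, tuple[int, int, int]]] = {
    "firefox": {131: (131, 0, 2), 128: (128, 3, 1), 115: (115, 16, 1)},
    "thunderbird": {131: (131, 0, 1), 128: (128, 3, 1), 115: (115, 16, 0)},
    "tor": {13: (13, 5, 7)},
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract a comparable (major, minor, patch) tuple from a version string.

    Accepts raw strings like "128.3.1esr" as well as the output of
    `firefox --version` ("Mozilla Firefox 131.0.2"). Missing components are
    padded with zeros so "131.0" compares like "131.0.0".
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_patched(product: str, version: str) -> bool:
    """Return True if `version` of `product` carries the CVE-2024-9680 fix.

    A branch newer than any listed one (e.g. Firefox 132) was released after
    the fix and is treated as patched. A branch older than the newest listed
    one but absent from the table never got a fix and is reported unpatched.
    """
    branches = FIXED[product.lower()]
    v = parse_version(version)
    major = v[0]
    if major in branches:
        return v >= branches[major]
    return major > max(branches)


def audit(inventory: dict[str, tuple[str, str]]) -> list[str]:
    """Return the hostnames whose reported browser build is still vulnerable."""
    return [
        host
        for host, (product, version) in inventory.items()
        if not is_patched(product, version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> (product, reported version).
    sample = {
        "ws-01": ("firefox", "Mozilla Firefox 131.0.2"),
        "ws-02": ("firefox", "128.3.0esr"),
        "ws-03": ("firefox", "130.0.1"),
        "ws-04": ("thunderbird", "115.16.0"),
        "ws-05": ("tor", "Tor Browser 13.5.6"),
    }
    for host in audit(sample):
        print(f"{host}: vulnerable to CVE-2024-9680, update required")
```

The script covers only the browser half of the chain. The Windows half is confirmed separately by checking that the November 2024 cumulative update for the installed Windows build is present, since the exact KB number differs per Windows version.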
Stealthy Tactics in Recent Campaigns
RomCom, also known as Storm-0978, Tropical Scorpius, or UNC2596, is a notorious threat actor group with a history of financially motivated attacks and cyber espionage. Their modus operandi involves deploying a backdoor on compromised systems to execute malicious commands and download additional payloads.
In the recent campaigns, RomCom lured targets to fake websites that redirect the browser to a server hosting the exploit. No download or click is required: if the visiting browser is vulnerable, the chain runs as the page loads, executes shellcode that fetches the RomCom backdoor, and then redirects the victim to the legitimate site the fake page impersonated.
The recent attacks primarily targeted users in Europe and North America. ESET's telemetry put the number of potential victims anywhere from a single user to around 250 per country, consistent with a targeted campaign rather than mass exploitation.
To safeguard against these attacks, update Firefox, Thunderbird and Tor Browser to a fixed release and apply the November 2024 Windows update. The browser fix alone stops this particular chain at its first step, but the Task Scheduler fix closes the sandbox escape against any other initial foothold, so both belong in the same maintenance window.