
Russia-aligned RomCom hackers exploited Firefox and Windows zero-days

Russia-linked hackers exploited two zero-day vulnerabilities in Mozilla and Microsoft products to target victims in Europe and North America, researchers have found.

RomCom, also tracked as Storm-0978, is known for targeting defense and government entities around the world. It engages in both ransomware and espionage activities and is attributed to Russian-speaking threat actors. The group derives its name from the custom malware it has been using since at least 2022.

In their latest campaign, analyzed by the Slovakia-based cybersecurity firm ESET, the hackers exploited a serious security flaw in Mozilla’s Firefox browser, tracked as CVE-2024-9680, as well as a vulnerability in Microsoft products for Windows, tracked as CVE-2024-49039.

Exploiting the Firefox vulnerability could allow attackers to execute malicious code within the browser’s content process — an environment where web content is loaded and rendered. The exploit requires no user interaction and can be executed over the network with low complexity.

Earlier in October, the Tor anonymity network issued an emergency patch to address this flaw, warning that it could allow attackers to take control of the Tor Browser.

Another vulnerability was found in a Windows tool used to automate tasks such as running scripts or programs at specific times. According to ESET, it could allow the attackers to execute code outside the Firefox and Tor Browser sandboxes. Successful exploitation of the vulnerabilities could allow hackers to infect victims’ devices with the RomCom backdoor, a tool capable of executing commands and downloading additional modules to the victim’s machine.

Both Mozilla and Microsoft have since patched the vulnerabilities. 

The hackers deliver their backdoor via a fake website that redirects potential victims to a server hosting the exploit, which then executes the malware, researchers said. While it remains unclear how victims are directed to the fake website, visiting it with a vulnerable browser automatically downloads and runs the malware without requiring any user action.

According to ESET’s analysis, between October and November the majority of potential victims who accessed the exploit-hosting websites were located in Europe and North America. The number of targets varied from a single victim in some countries to as many as 250 in others.

“Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET said. “This level of sophistication demonstrates the threat actor’s capability and intent to develop stealthy attack methods.”

RomCom has been actively targeting anti-Russian entities since Moscow’s invasion of Ukraine. Earlier in October, high-profile Ukrainian government entities and unidentified Polish organizations were reportedly targeted with an updated version of the malware.

The goal of these attacks is to establish long-term access to victims' systems and exfiltrate data “of strategic interest.” Researchers have also noted that the hackers may later deploy ransomware on compromised devices to pursue financial gain.

Last year, RomCom-linked hackers targeted Ukraine and its allies ahead of a NATO summit in Lithuania, likely leveraging the event’s high profile to infect guests with malicious software.

RomCom has also been used against Ukrainian military organizations, IT companies, and politicians collaborating with Western nations, according to BlackBerry. Other victims included a U.S.-based healthcare company providing humanitarian aid to Ukrainian refugees receiving medical assistance in the U.S.
