Press ESC to close

RomCom Backdoor Attacks Use Zero-Day Exploits in Mozilla and Windows (CVE-2024-9680 & CVE-2024-49039)

AspectDetails
Threat ActorsRomCom, suspected ties to Russia, also known as Tropical Scorpius, Storm-0978, or UNC2596.
Campaign OverviewExploited zero-day vulnerabilities (CVE-2024-9680 & CVE-2024-49039) to deploy RomCom backdoor via zero-click exploits.
Target Regions (Or Victims)Primarily Europe and North America, with up to 250 affected targets between October 10 – November 4, 2024.
MethodologyFake domains, zero-click exploits, privilege escalation, and stealthy redirection via malicious websites.
Product TargetedMozilla Firefox, Thunderbird, Tor browsers, and Microsoft Windows Task Scheduler.
Malware ReferenceRomCom backdoor
Tools UsedFake domains (e.g., redircorrectiv[.]com), Reflective DLL Injection, C2 servers like journalctd[.]live.
Vulnerabilities ExploitedCVE-2024-9680 (Use-After-Free in Firefox), CVE-2024-49039 (Elevation of Privilege in Windows Task Scheduler).
TTPsPhishing domains, zero-click exploit chain, DLL injection, and system compromise via backdoor.
AttributionRomCom threat group, suspected Russian ties.
RecommendationsMonitor for IOCs, use SOCRadar’s Vulnerability Intelligence to track CVEs, and implement Brand Protection for domain detection.
SourceSOCRadar

Read full article: https://socradar.io/romcom-backdoor-attacks-mozilla-and-windows/

Disclaimer: The above summary has been generated by an AI language model

Leave a Reply

Your email address will not be published. Required fields are marked *