Aspect | Details |
---|---|
Threat Actors | RomCom, suspected ties to Russia, also known as Tropical Scorpius, Storm-0978, or UNC2596. |
Campaign Overview | Exploited two zero-day vulnerabilities (CVE-2024-9680 and CVE-2024-49039) in a zero-click exploit chain to deploy the RomCom backdoor. |
Target Regions (Or Victims) | Primarily Europe and North America, with up to 250 affected targets between October 10 and November 4, 2024. |
Methodology | Fake domains, zero-click exploits, privilege escalation, and stealthy redirection via malicious websites. |
Product Targeted | Mozilla Firefox, Thunderbird, Tor Browser, and Microsoft Windows Task Scheduler. |
Malware Reference | RomCom backdoor |
Tools Used | Fake domains (e.g., redircorrectiv[.]com), Reflective DLL Injection, C2 servers like journalctd[.]live. |
Vulnerabilities Exploited | CVE-2024-9680 (Use-After-Free in Firefox), CVE-2024-49039 (Elevation of Privilege in Windows Task Scheduler). |
TTPs | Phishing domains, zero-click exploit chain, DLL injection, and system compromise via backdoor. |
Attribution | RomCom threat group, suspected Russian ties. |
Recommendations | Monitor for IOCs, use SOCRadar’s Vulnerability Intelligence to track CVEs, and implement Brand Protection for domain detection. |
Source | SOCRadar |
Read full article: https://socradar.io/romcom-backdoor-attacks-mozilla-and-windows/
Disclaimer: The above summary has been generated by an AI language model