Key Details:
A cybercriminal group known as RomCom has used previously unknown vulnerabilities—referred to as zero-days—in Firefox and Windows to launch attacks. These vulnerabilities allowed them to install a backdoor called RomCom RAT on victims’ systems without any user interaction beyond visiting a web page.
What Are the Vulnerabilities?
Two specific issues were exploited:
- CVE-2024-9680 (CVSS score 9.8): A flaw in Firefox’s Animation feature that allows code execution in the browser. Mozilla fixed this in October 2024.
- CVE-2024-49039 (CVSS score 8.8): A privilege escalation flaw in the Windows Task Scheduler. Microsoft addressed this in November 2024.
If left unpatched, these flaws could let attackers execute harmful code and take control of systems.
How the Attack Works
RomCom, also known by other names like Storm-0978 and Void Rabisu, has been active since 2022, targeting victims with malware and espionage operations. The group used a fake website, economistjournal[.]cloud, to lure users. Once a user visited the site with an outdated Firefox browser, the attack was triggered.
Here’s what happened next:
- Exploitation: The Firefox flaw gave the attackers code execution inside the browser, and the Windows flaw was chained to it to break out of the browser’s security restrictions.
- Payload Delivery: The malicious program, RomCom RAT, was downloaded and installed.
- Privilege Escalation: The Windows Task Scheduler flaw allowed attackers to gain higher system permissions, ensuring deeper control.
ESET, a cybersecurity company, uncovered the attack chain and reported that most victims were located in Europe and North America.
Why It Matters
RomCom’s ability to string together two zero-days is a reminder of how dangerous these flaws can be. Attacks like these don’t require victims to click anything—just visiting the wrong website is enough.
Google’s Threat Analysis Group also found the Windows Task Scheduler flaw independently, hinting that other hackers might be exploiting it too. This is not the first time RomCom has used a zero-day. In June 2023, they abused a Microsoft Word vulnerability (CVE-2023-36884) in a similar way.
What You Can Do
- Update Your Software: Ensure Firefox and Windows are up to date with the latest patches.
- Be Cautious Online: Avoid clicking on suspicious links or visiting unknown websites.
- Use Security Tools: Antivirus and endpoint protection tools can help detect unusual behavior.
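The attack chain described under “How the Attack Works” and the advice above suggest two checks a defender can run over web proxy logs: did any client contact the lure domain, and did any client browse with a Firefox build that predates the fix? The following Python script is an added example written for this page, not code from ESET, Mozilla or the article. The log format and the sample records are constructed, and the minimum “patched” Firefox version is an obviously labelled placeholder because the article does not give the fixed release number; take the real value from Mozilla’s advisory before using this.

```python
import re
from typing import List, Optional, Tuple

# Lure domain reported in the article (written there defanged as economistjournal[.]cloud).
LURE_DOMAIN = "economistjournal.cloud"

# PLACEHOLDER (assumption, not from the article): the oldest Firefox version an
# analyst treats as patched for CVE-2024-9680. Take the real number from Mozilla's
# advisory before using this; 100.0.0 is only a stand-in.
PLACEHOLDER_MIN_FIREFOX = (100, 0, 0)

# One constructed proxy log record: timestamp, client IP, requested host, quoted user agent.
LOG_LINE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')
# Firefox version token inside a user-agent string, e.g. Firefox/99.0 or Firefox/115.16.1
FIREFOX_UA = re.compile(r"Firefox/(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_firefox_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a Firefox user agent, or None for other browsers."""
    m = FIREFOX_UA.search(user_agent)
    if not m:
        return None
    major, minor, patch = (int(part) if part else 0 for part in m.groups())
    return (major, minor, patch)


def is_lure_host(host: str) -> bool:
    """True for the lure domain itself or any of its subdomains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN)


def analyze_log(log_text: str, min_firefox: Tuple[int, int, int]) -> List[Tuple[str, str, str]]:
    """Scan proxy log lines and return (finding, client_ip, detail) tuples.

    Two findings are produced, one per defender-side check:
      - "lure_domain": the client contacted the attacker's lure site (an IoC hit)
      - "outdated_firefox": the client browsed with a Firefox build older than
        min_firefox, i.e. a browser still exposed to the drive-by exploit
    A single line can raise both findings; unparsable lines are reported, not dropped.
    """
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LOG_LINE.match(raw)
        if not m:
            findings.append(("unparsed_line", "", raw))
            continue
        _ts, client_ip, host, user_agent = m.groups()
        if is_lure_host(host):
            findings.append(("lure_domain", client_ip, host))
        version = parse_firefox_version(user_agent)
        if version is not None and version < min_firefox:
            findings.append(("outdated_firefox", client_ip, ".".join(map(str, version))))
    return findings


# Constructed sample records (not real traffic): the second client visited the lure
# domain with an old Firefox, the third visited a subdomain with a newer build.
SAMPLE_LOG = """\
2024-11-26T10:01:12Z 10.0.0.5 www.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"
2024-11-26T10:02:45Z 10.0.0.7 economistjournal.cloud "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"
2024-11-26T10:03:02Z 10.0.0.9 cdn.economistjournal.cloud "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"
2024-11-26T10:04:10Z 10.0.0.11 www.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
"""

if __name__ == "__main__":
    for finding, ip, detail in analyze_log(SAMPLE_LOG, PLACEHOLDER_MIN_FIREFOX):
        print(f"{finding:17} client={ip:10} {detail}")
```

A hit on the lure domain is the stronger signal and deserves immediate triage of that host, since the article notes the exploit fires on page load. The version check is weaker on its own (user agents can be spoofed, and Firefox ESR branches carry different version numbers) but it is a cheap way to find machines where the “update your software” advice has not yet been applied.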
Cyber threats are evolving. Staying informed and proactive can protect you from becoming the next target.