RomCom – Firefox and Windows Exec Duo

Subject: RomCom – Firefox and Windows Exec Duo

Tactics: TA0011 Command and Control, TA0002 Execution, TA0001 Initial Access, TA0004 Privilege Escalation

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1543.003 Create or Modify System Process: Windows Service, T1189 Drive-by Compromise, T1190 Exploit Public-Facing Application, T1068 Exploitation for Privilege Escalation

Procedure:

T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.

T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.

T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.

T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.

T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.

T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.
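As an added defender-side example (not part of the report or of ESET's analysis), the following Python flags two steps of the chain above in constructed telemetry: a Firefox process spawning PowerShell (the T1059.003 step) and a scheduled task registered under a name that impersonates a browser binary (the "firefox.exe" task from the T1543.003 step). Field names are simplified assumptions modelled on Sysmon Event ID 1 and Windows Security Event ID 4698; the sample events are constructed, not taken from the report.

```python
import re

BROWSERS = {"firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Legitimate tasks carry descriptive names; a task named like a binary
# ("firefox.exe") is how the report describes RomCom's persistence.
EXE_LIKE_NAME = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)


def _leaf(path):
    """Return the last backslash-separated component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def suspicious_child_shell(event):
    """Sysmon Event 1 style record: fire when a browser launches a shell."""
    parent = _leaf(event.get("ParentImage", "")).lower()
    child = _leaf(event.get("Image", "")).lower()
    return parent in BROWSERS and child in SHELLS


def suspicious_task(event):
    """Security 4698 style record: fire on exe-named tasks or shell actions."""
    name = _leaf(event.get("TaskName", ""))
    action = event.get("Action", "").lower()
    return bool(EXE_LIKE_NAME.match(name)) or any(s in action for s in SHELLS)


def triage(events):
    """Return (rule_name, event) pairs for every event that fired a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and suspicious_child_shell(ev):
            hits.append(("browser_spawned_shell", ev))
        elif ev["EventID"] == 4698 and suspicious_task(ev):
            hits.append(("exe_named_or_shell_task", ev))
    return hits


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},  # normal content process
    {"EventID": 1, "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # stage fetch
    {"EventID": 4698, "TaskName": r"\firefox.exe",
     "Action": r"C:\Users\Public\update.exe"},  # task impersonating the browser binary
    {"EventID": 4698, "TaskName": r"\Mozilla\Firefox Default Browser Agent",
     "Action": r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"},  # legitimate
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev)
```

The two rules are deliberately narrow so that Firefox's own "Default Browser Agent" task and ordinary content-process launches do not fire.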

Vulnerability:

  • EAV0001 – When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
  • EAV0008 – When adversaries maintain drive-by sites, they provide a pathway for beginning engagements and may be unable to differentiate real from deceptive victims.

Engagement Opportunity:

  • Honeypot: Set up a honeypot designed to mimic a typical user’s browsing environment, complete with intentionally vulnerable versions of Firefox and Windows. Monitor the honeypot for signs of compromise, allowing for the capture of the exploit code and analysis of RomCom’s post-exploitation activities.
  • Decoy Documents: Place decoy documents within the honeypot environment that appear to be valuable targets for an espionage operation. This can help in understanding RomCom’s intelligence collection priorities and tactics.
  • Controlled Exploitation: Allow the attackers limited access to non-critical systems within the honeypot to study their tools, techniques, and procedures (TTPs) in a controlled environment.

Threat Actor: RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596)

Threat Objective:

The objective varies depending on the campaign. RomCom conducts both opportunistic campaigns against businesses for financial gain and targeted espionage operations against government entities and critical infrastructure. In this specific campaign, the purpose remains unknown.

Deception Opportunity:

  • False Flag: Create a fake persona or organization within the honeypot environment that appears to possess information of interest to RomCom, but is actually a fabrication.
  • Misinformation: Seed the honeypot environment with misleading information or fabricated data to observe how RomCom collects, analyzes, and potentially utilizes such data. This can help in understanding their intelligence gathering and decision-making processes.
  • Delayed Response: Intentionally delay response actions to observe RomCom’s persistence mechanisms, lateral movement attempts, and overall campaign objectives over a more extended period.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The exploit code is specific to the tools RomCom uses, while the undocumented RPC endpoint is tied to a specific way of carrying out privilege escalation in Windows. Both are relatively difficult for the attacker to alter without impacting the effectiveness of their attack.

Link to Report: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/

Link to Report II.:

Additional Comments:

The use of two zero-day exploits, one for a popular web browser and another for the underlying operating system, demonstrates the increasing sophistication and determination of RomCom. The group’s ability to quickly adapt and develop new capabilities poses a significant threat to both individuals and organizations.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph for RomCom Attack

[1]: Initial Access (TA0001) - Drive-by Compromise (T1189) - Redirect to fake website hosting Firefox and Windows exploits (Core to Adversary-Brought Tool)
[2]: Exploitation for Privilege Escalation (TA0004) - Exploit Public-Facing Application (T1190) - Exploit Firefox vulnerability (CVE-2024-9680) to gain code execution in the browser (Core to Adversary-Brought Tool)
[3]: Exploitation for Privilege Escalation (TA0004) - Exploitation for Privilege Escalation (T1068) - Exploit Windows vulnerability (CVE-2024-49039) to escape Firefox sandbox and gain elevated privileges (Core to Some Implementations of (Sub-)Technique)
[4]: Execution (TA0002) - Command and Scripting Interpreter: Windows Command Shell (T1059.003) - Execute PowerShell code to download and execute next stage (Core to Pre-Existing Tool)
[5]: Persistence (TA0003) - Create or Modify System Process: Scheduled Task/Job (T1543.003) - Create scheduled task named "firefox.exe" to maintain persistent access (Core to Some Implementations of (Sub-)Technique)
[6]: Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001) - Communicate with C2 server using HTTPS (Core to Sub-Technique or Technique)

1 --> 2 (Unpatched Vulnerability)
2 --> 3 (Unpatched Vulnerability)
3 --> 4 (Exploitation of Security Control Misconfiguration)
4 --> 5 (Lack of System Monitoring)
5 --> 6 (Lack of Network Monitoring)

# Pseudocode for RomCom Attack

function Initial_Access_Drive-by_Compromise(target_user):
    # Create fake website with redirect to exploit server
    # Lure target_user to the fake website
    return exploit_code

function Exploitation_for_Privilege_Escalation_Exploit_Public-Facing_Application(exploit_code):
    # Exploit Firefox vulnerability (CVE-2024-9680)
    return sandbox_escape_code

function Exploitation_for_Privilege_Escalation_Exploitation_for_Privilege_Escalation(sandbox_escape_code):
    # Exploit Windows vulnerability (CVE-2024-49039)
    return elevated_privileges

function Execution_Command_and_Scripting_Interpreter(elevated_privileges):
    # Execute PowerShell code to download next stage
    return persistence_payload

function Persistence_Create_or_Modify_System_Process(persistence_payload):
    # Create scheduled task named "firefox.
