The attacker may have used the malware to check for antivirus-related processes running in the system.
Tag: T1068
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.
RomCom – Firefox and Windows Exec Duo
T1189 – RomCom actors created a fake website that redirects the potential victim to a server hosting exploits for a Firefox zero-day vulnerability (CVE-2024-9680) and a Windows zero-day vulnerability (CVE-2024-49039). The exploit chain requires no user interaction; if a victim using a vulnerable browser visits the fake website, the vulnerabilities are triggered, and the RomCom backdoor is installed on the victim’s computer.
T1190 – The attackers exploit a use-after-free vulnerability (CVE-2024-9680) in the Firefox browser to gain initial code execution within the browser’s sandboxed environment.
T1068 – After gaining code execution in the browser, the attackers leverage a Windows vulnerability (CVE-2024-49039) to escape the Firefox sandbox and gain elevated privileges on the victim’s system.
T1059.003 – The attackers execute PowerShell code to download and execute the next stage of the attack, which includes the RomCom backdoor.
T1543.003 – A scheduled task named “firefox.exe” is created to maintain persistent access to the compromised system. This task executes the RomCom backdoor at regular intervals.
T1071.001 – The RomCom backdoor communicates with its command-and-control (C2) server using HTTPS, allowing the attackers to remotely control the compromised system.