Russian Hacking Group RomCom Exploits Firefox Zero-Days in Sophisticated Attack Campaign


A sophisticated Russian cybercrime group known as RomCom has launched a series of attacks across Europe and North America by exploiting previously unknown security flaws in Firefox and Tor Browser.

The group took advantage of two major software vulnerabilities between October 10 and 16, 2024, successfully compromising systems with no user interaction required. Victims were infected simply by visiting maliciously crafted websites.

The first vulnerability, identified as CVE-2024-9680, targeted Firefox's Animation Timelines feature, allowing attackers to execute malicious code. The second flaw, CVE-2024-9039, enabled privilege escalation through Windows Task Scheduler, giving attackers expanded system access.

RomCom's attack method involved redirecting users to exploit-hosting servers through fake websites. Once successful, the exploit would download and install RomCom's backdoor malware. To avoid detection, victims were then redirected to legitimate websites.

Security firm ESET discovered the campaign and reported that some countries saw up to 250 victims. The attackers used server domains containing terms like "redir" or "red" to host their malicious code.
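The redirect chain described above (lure site, exploit-hosting server, then a bounce to a legitimate page) leaves a recognisable pattern in web proxy logs. The following detection sketch is an added example, not ESET's or Mozilla's code, run over constructed proxy lines; the `|`-delimited log format, the sample hostnames and the `SUSPECT_LABELS` set (built from the "redir"/"red" hint in the article, which is weak on its own) are all assumptions.

```python
"""Flag three-hop redirect chains through a suspicious host in constructed proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines: client|url|referer|user-agent ("-" = no referer).
SAMPLE_LOG = """\
10.0.0.5|http://example-lure.test/news|-|Mozilla/5.0 Firefox/131.0
10.0.0.5|http://cdn-redir.test/a.html|http://example-lure.test/news|Mozilla/5.0 Firefox/131.0
10.0.0.5|https://legit-news.example/|http://cdn-redir.test/a.html|Mozilla/5.0 Firefox/131.0
10.0.0.7|https://www.redstone.example/r/x|-|Mozilla/5.0 Firefox/131.0
10.0.0.7|https://example.org/|https://www.redstone.example/r/x|Mozilla/5.0 Firefox/131.0
"""

SUSPECT_LABELS = {"redir", "red"}      # hint from the article; a weak indicator by itself
FIREFOX_UA = re.compile(r"\bFirefox/(\d+)")

def suspicious_host(host: str) -> bool:
    """Match 'redir'/'red' only as whole hostname labels or hyphen-separated tokens."""
    labels = re.split(r"[.-]", host.lower())
    return any(label in SUSPECT_LABELS for label in labels)

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        client, url, referer, ua = line.split("|")
        rows.append((client, url, None if referer == "-" else referer, ua))
    return rows

def find_redirect_chains(log_text):
    """Return (client, lure_url, exploit_host, landing_url) for each flagged chain."""
    by_client = defaultdict(list)
    for client, url, referer, ua in parse(log_text):
        by_client[client].append((url, referer, ua))
    hits = []
    for client, reqs in by_client.items():
        # Index referer -> next request so hops can be followed regardless of log order.
        by_ref = {ref: (url, ua) for url, ref, ua in reqs if ref}
        for url, referer, ua in reqs:
            if referer is not None or not FIREFOX_UA.search(ua):
                continue                       # a chain starts at a direct Firefox visit
            hop2 = by_ref.get(url)
            if not hop2 or not suspicious_host(urlparse(hop2[0]).hostname or ""):
                continue
            hop3 = by_ref.get(hop2[0])
            if hop3:                           # bounced onward to a decoy landing page
                hits.append((client, url, urlparse(hop2[0]).hostname, hop3[0]))
    return hits
```

Whole-label matching keeps hosts such as `www.redstone.example` from being flagged merely because they contain the substring "red"; the hostname hint should be treated as one signal alongside the chain shape, not as an indicator by itself.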

The attack's sophistication demonstrates RomCom's advanced capabilities. After ESET alerted Mozilla to the Firefox vulnerability, the company issued a fix within 25 hours, an exceptionally quick response time.

This campaign follows RomCom's earlier attacks targeting Ukrainian government agencies and Polish organizations in late 2023. The group has continued to evolve its tactics, developing new malware variants including 'SingleCamper', 'RustClaw', and 'MeltingClaw'.

Users are advised to keep their browsers updated with the latest security patches to protect against these vulnerabilities.
