RomCom, a Russian-linked hacker gang, is targeting Firefox browser users and Windows device owners in Europe and North America with two new zero-day vulnerabilities
RomCom is a cybercrime organization that is recognized for conducting cyberattacks and other digital intrusions on behalf of the Russian government.
The organization, which was connected to a ransomware attack against Japanese technology giant Casio last month, is also recognized for its aggressive approach toward organizations that are affiliated with Ukraine, which was invaded by Russia in 2014.
Researchers at the security firm ESET say they found evidence that RomCom chained two zero-day bugs—so called because the software vendors had no fix available before the flaws were exploited against victims—into a “zero-click” exploit.
This exploit enables the hackers to remotely install malware on a target’s computer without user interaction.
In a blog post published on Monday, ESET researchers Damien Schaeffer and Romain Dumont wrote that this level of sophistication demonstrates the threat actor’s capability and intent to devise stealthy attack methods.
To trigger the zero-click exploit, RomCom’s targets only had to visit a malicious website controlled by the hacking group. Once exploited, the victim’s computer would be infected with RomCom’s eponymous backdoor, giving the attackers extensive access to the device.
According to Schaeffer, the number of potential victims of RomCom’s “widespread” hacking campaign ranged from a single victim per country to as many as 250 victims, with the majority of targets located in Europe and North America.
On October 9, Mozilla addressed the vulnerability in Firefox, one day following ESET’s notification to the browser manufacturer. The vulnerability was also patched by the Tor Project, which develops the Tor Browser on Firefox’s codebase.
However, Schaeffer informed TechCrunch that ESET has not observed any evidence that the Tor Browser was exploited during this malware campaign.
On November 12, Microsoft addressed the vulnerability that affected Windows. Because the bug was reported to Microsoft by security researchers from Google’s Threat Analysis Group, which investigates government-backed cyberattacks and threats, the exploit may also have been used in other government-backed hacking campaigns.