November 26, 2024
Severity
High
Analysis Summary
The Russia-aligned threat actor known as RomCom has been linked to the exploitation of two zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows, enabling the delivery of its backdoor malware. These vulnerabilities are:
- CVE-2024-9680 (CVSS score: 9.8): A use-after-free flaw in Firefox's Animation component, patched in October 2024.
- CVE-2024-49039 (CVSS score: 8.8): A privilege escalation issue in Windows Task Scheduler, patched in November 2024.
Researchers revealed that these flaws were weaponized in "zero-click" attacks that required no user interaction. Victims who browsed malicious websites with vulnerable Firefox versions triggered the flaws, resulting in the deployment of the RomCom RAT (Remote Access Trojan). The malware is capable of executing commands, downloading additional modules, and maintaining long-term access on compromised systems.
The attack chain involved a fake website (economistjournal[.]cloud) that redirected victims to another server (redjournal[.]cloud) hosting the malicious payload. Exploiting the Firefox vulnerability allowed the attackers to escape the browser's sandbox, achieved by using a specially crafted library called "PocLowIL." The Windows Task Scheduler flaw was then leveraged to gain elevated privileges and complete the infection chain.
The shellcode executed during the attack consisted of two parts: the first retrieves the second from memory and marks its pages as executable, while the second is a PE loader based on the Shellcode Reflective DLL Injection (RDI) open-source project.
Researchers observed victims in Europe and North America visiting the exploit-hosting site, indicating targeted efforts. Google's Threat Analysis Group (TAG) independently reported CVE-2024-49039 to Microsoft, suggesting that more than one threat actor may have exploited the vulnerability.
This is the second time RomCom has exploited zero-days, following the abuse of CVE-2023-36884 via Microsoft Word in June 2023. Researchers highlighted the sophistication of chaining two zero-days, demonstrating the group’s capability to develop or acquire advanced, stealthy tools.
Impact
- Unauthorized Access
- Privilege Escalation
- Cyber Espionage
Indicators of Compromise
Domain Name
- journalctd.live
- cwise.store
- redircorrectiv.com
- devolredir.com
- redirconnectwise.cloud
- redjournal.cloud
- economistjournal.cloud
IP
- 46.226.163.67
- 45.138.74.238
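The indicators listed above can be searched for in proxy, DNS and firewall logs. The following Python script is an added example and is not part of the advisory: it embeds the advisory's domains and IPs, refangs defanged notation such as economistjournal[.]cloud, matches subdomains of a listed domain (cdn.redjournal.cloud) while rejecting look-alike hosts that merely end in the same string (notredjournal.cloud), and runs over a few constructed log lines. The log lines, the log format and the function names (find_iocs, scan_logs) are assumptions.

```python
"""Match the advisory's IOCs against proxy/DNS/firewall log lines (added example)."""
import ipaddress
import re

# Domains and IPs as listed in the advisory's Indicators of Compromise section.
IOC_DOMAINS = {
    "journalctd.live",
    "cwise.store",
    "redircorrectiv.com",
    "devolredir.com",
    "redirconnectwise.cloud",
    "redjournal.cloud",
    "economistjournal.cloud",
}
IOC_IPS = {"46.226.163.67", "45.138.74.238"}

# Common defanging styles: example[.]com, example(.)com, example{.}com, hxxp://
_DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
# Hostname: one or more dotted labels followed by an alphabetic TLD (IPs do not match).
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(text: str) -> str:
    """Lowercase the text and turn defanged notation back into real hostnames/URLs."""
    return _DEFANG_RE.sub(".", text.lower()).replace("hxxp", "http")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host equals the IOC domain or is a subdomain of it.

    'cdn.redjournal.cloud' matches 'redjournal.cloud'; 'notredjournal.cloud' does not,
    because the match must be on a label boundary (a leading dot), not a suffix.
    """
    host = host.rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def find_iocs(line: str) -> set:
    """Return the set of advisory IOCs (domains and IPs) observed in one log line."""
    hits = set()
    text = refang(line)
    for host in _HOST_RE.findall(text):
        for ioc in IOC_DOMAINS:
            if domain_matches(host, ioc):
                hits.add(ioc)
    for ip in _IP_RE.findall(text):
        try:
            ipaddress.ip_address(ip)  # drop regex hits such as 999.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.add(ip)
    return hits


def scan_logs(lines):
    """Return [(line_number, original_line, sorted_iocs)] for each line with a hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = find_iocs(line)
        if hits:
            results.append((number, line, sorted(hits)))
    return results


# Constructed sample log lines (not from the advisory), in an assumed key=value format.
SAMPLE_LOGS = [
    "2024-11-26T09:14:02Z proxy src=10.0.0.21 GET https://economistjournal.cloud/ status=302",
    "2024-11-26T09:14:03Z proxy src=10.0.0.21 GET https://redjournal.cloud/p/ status=200",
    "2024-11-26T09:14:05Z dns query cdn.redjournal.cloud A",
    "2024-11-26T09:14:07Z fw src=10.0.0.21 dst=46.226.163.67 dport=443 action=allow",
    "2024-11-26T09:15:00Z proxy src=10.0.0.22 GET https://notredjournal.cloud/ status=200",
    "2024-11-26T09:15:10Z analyst note: sample beaconed to economistjournal[.]cloud",
]

if __name__ == "__main__":
    for number, line, iocs in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(iocs)}  <-  {line}")
```

Only the proxy, DNS and firewall hits are reported; the look-alike host on the fifth line is correctly ignored, and the defanged indicator in the analyst note on the sixth line is still caught. In a real deployment the indicator sets would be loaded from a feed rather than hard-coded, but the label-boundary check in domain_matches is the part worth keeping.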
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Ensure that all systems, software, and applications are up to date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.