RomCom exploits Firefox and Windows zero days in the wild
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Data Manipulation, Develop Capabilities, Event Triggered Execution, Obfuscated Files Or Information, Obtain Capabilities, Scheduled Task/Job, Stage Capabilities
country: Germany, Ukraine
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Acquire Infrastructure - T1583 Software Discovery - T1418 Application Layer Protocol - T1437 Archive Collected Data - T1560 Archive Collected Data - T1532 Asymmetric Cryptography - T1521.002 Asymmetric Cryptography - T1573.002 Code Signing - T1553.002 Code Signing Certificates - T1587.002 Code Signing Certificates - T1588.003 Component Object Model Hijacking - T1546.015 Credentials From Password Stores - T1555 Credentials From Web Browsers - T1555.003 Credentials From Web Browsers - T1503 Credentials In Files - T1552.001 Data From Local System - T1533 Data Manipulation - T1641 Data Manipulation - T1565 Debugger Evasion - T1622 Develop Capabilities - T1587 Drive-By Compromise - T1456 Encrypted Channel - T1521 Encrypted Channel - T1573 Event Triggered Execution - T1624 Event Triggered Execution - T1546 Execution Guardrails - T1480 Execution Guardrails - T1627 Exploitation For Privilege Escalation - T1404 Exploits - T1587.004 Exploits - T1588.005 Fileless Storage - T1027.011 Financial Theft - T1657 Javascript - T1059.007 Local Email Collection - T1114.001 Malware - T1587.001 Malware - T1588.001 Obfuscated Files Or Information - T1406 Obtain Capabilities - T1588 Powershell - T1059.001 Scheduled Task - T1053.005 Scheduled Task/Job - T1603 Screen Capture - T1513 Server - T1583.004 Server - T1584.004 Software - T1592.002 Software Discovery - T1518 Ssh - T1021.004 Stage Capabilities - T1608 Subvert Trust Controls - T1632 Subvert Trust Controls - T1553 System Location Discovery - T1614 Web Protocols - T1071.001 Web Protocols - T1437.001 Unsecured Credentials - T1552 Vulnerabilities - T1588.006 Account Discovery - T1087 Standard Application Layer Protocol - T1071 Man In The Browser - T1185 Code Signing - T1116 Component Object Model Hijacking - T1122 Credentials In Files - T1081 Data From Local System - T1005 Drive-By Compromise - T1189 Email Collection - T1114 Exfiltration Over Command And Control Channel - T1041 Exploitation For Privilege Escalation - T1068 Obfuscated Files Or Information - T1027 Powershell - T1086 Remote Services - T1021 Scheduled Task - T1053 Screen Capture - T1113 Drive-By Compromise Screen Capture Standard Application Layer Protocol
Common Information
Type Value
UUID b3b99eab-31f1-4453-a018-f9cf94604ab9
Fingerprint bf30d1f06a8ea2a1
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 26, 2024, midnight
Added to db Nov. 27, 2024, 8:37 p.m.
Last updated Dec. 19, 2024, 12:05 a.m.
Headline RomCom exploits Firefox and Windows zero days in the wild
Title RomCom exploits Firefox and Windows zero days in the wild
Detected Hints/Tags/Attributes 167/4/86
Attributes
Details Type #Events CTI Value
Details Domain 5
redircorrectiv.com
Details Domain 2
correctiv.org
Details Domain 5
devolredir.com
Details Domain 4
devolutions.net
Details Domain 5
redirconnectwise.cloud
Details Domain 3
connectwise.com
Details Domain 6
redjournal.cloud
Details Domain 6
journalctd.live
Details Domain 6
correctiv.sbs
Details Domain 6
cwise.store
Details CVE 130
cve-2023-36884
Details CVE 88
cve-2024-9680
Details CVE 80
cve-2024-49039
Details Domain 5
1drv.us.com
Details Domain 4371
github.com
Details Domain 117
eset.com
Details Domain 1
runner.ad
Details Domain 1
1drv.us
Details Email 72
threatintel@eset.com
Details File 3
main-128.js
Details File 3
main-129.js
Details File 4
main-tor.js
Details File 67
script.js
Details File 14
utils.js
Details File 1
animation0.html
Details File 869
index.html
Details File 4
loader.cpp
Details File 2
wptaskscheduler.dll
Details File 3
schedsvc.dll
Details File 1174
svchost.exe
Details File 207
firefox.exe
Details File 147
conhost.exe
Details File 24
'.exe
Details File 1
public.exe
Details File 1
epublic.exe
Details File 4
poclowil.dll
Details File 1312
explorer.exe
Details File 93
wordpad.exe
Details Github username 7
monoxgas
Details sha1 5
abb54c4751f97a9fc1c9598fed1ec9fb9e6b1db6
Details Mandiant Uncategorized Groups 40
UNC2596
Details Microsoft Patch Numbers 4
KB5046612
Details MITRE ATT&CK Techniques 70
T1583
Details MITRE ATT&CK Techniques 103
T1587.001
Details MITRE ATT&CK Techniques 12
T1587.004
Details MITRE ATT&CK Techniques 36
T1588.003
Details MITRE ATT&CK Techniques 61
T1588.005
Details MITRE ATT&CK Techniques 111
T1588.006
Details MITRE ATT&CK Techniques 48
T1608
Details MITRE ATT&CK Techniques 193
T1189
Details MITRE ATT&CK Techniques 296
T1053.005
Details MITRE ATT&CK Techniques 21
T1546.015
Details MITRE ATT&CK Techniques 218
T1068
Details MITRE ATT&CK Techniques 61
T1622
Details MITRE ATT&CK Techniques 49
T1480
Details MITRE ATT&CK Techniques 9
T1027.011
Details MITRE ATT&CK Techniques 61
T1553.002
Details MITRE ATT&CK Techniques 134
T1555.003
Details MITRE ATT&CK Techniques 93
T1552.001
Details MITRE ATT&CK Techniques 187
T1087
Details MITRE ATT&CK Techniques 190
T1518
Details MITRE ATT&CK Techniques 54
T1614
Details MITRE ATT&CK Techniques 172
T1021
Details MITRE ATT&CK Techniques 166
T1560
Details MITRE ATT&CK Techniques 30
T1185
Details MITRE ATT&CK Techniques 555
T1005
Details MITRE ATT&CK Techniques 35
T1114.001
Details MITRE ATT&CK Techniques 235
T1113
Details MITRE ATT&CK Techniques 475
T1071.001
Details MITRE ATT&CK Techniques 80
T1573.002
Details MITRE ATT&CK Techniques 451
T1041
Details MITRE ATT&CK Techniques 35
T1565
Details MITRE ATT&CK Techniques 18
T1657
Details Microsoft Threat Actor Naming Taxonomy (Groups in development) 97
Storm-0978
Details Url 1
https://github.com/monoxgas/srdi/blob/master/native/loader.cpp#l367
Details Url 2
https://journalctd.live/jfwb4orqplh