- Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the tools necessary to deploy a payload
- TAG became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program.
- TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild.
Google’s Threat Analysis Group (TAG), which has been tracking the activities of commercial spyware vendors, shared its findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain. The company claims to provide custom security solutions to its customers. Google stated that Variston IT’s Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and that the framework also ships the tooling needed to deploy a payload to a target device.
Spyware vendor
The underlying vulnerabilities were patched in 2021 and early 2022 by Google, Microsoft, and Mozilla. TAG did not observe active exploitation, but its analysis indicates the bugs were likely used as zero-days in the wild before those patches shipped. Google’s team also created detections in Safe Browsing, which warns users when they visit a dangerous site or download dangerous files.
The Threat Analysis Group noticed the framework after receiving anonymous submissions to the Chrome bug reporting program. The submitter filed three bug reports, each with instructions and an archive containing source code, and gave them unique names: “Heliconia Noise,” “Heliconia Soft” and “Files.” TAG’s analysis showed that the archives contained frameworks for deploying exploits in the wild, and a script in the source code contains clues pointing to the possible developer of the frameworks, Variston IT.
- Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
- Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
- Files: a set of Firefox exploits for Linux and Windows.
Heliconia Noise is a web framework that deploys a Chrome renderer exploit, followed by a Chrome sandbox escape and installation of an agent. The framework runs a Flask web server to host the exploit chain. A full infection performs requests to six different web endpoints across the three stages of the chain:
Stage 1: Remote code execution (RCE)
- index.py: the landing page
- iframe.py: the iframe that runs the RCE exploit
- wasm.py: a dummy WebAssembly (Wasm) module
Stage 2: Sandbox escape
- sbx.py: the sandbox escape shellcode
Stage 3: Post-exploitation
- launcher.py: the agent launcher
- agent.py: the agent
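Because a full infection walks those six endpoints in stage order, the request sequence itself is something a defender can hunt for in proxy or web-server access logs. The script below is an added example written for this article; it is not code from Google TAG or from Variston IT. The six endpoint names and their stage grouping are taken from the description above; the log lines, client IP addresses and status codes are constructed for the example.

```python
"""Hunt for the Heliconia Noise request sequence in access logs.

Added example, not Google TAG or Variston IT code. Endpoint names and
stage grouping come from the article; the sample log is constructed.
"""
import re
from collections import defaultdict

# Stage -> endpoint names, in the order the chain requests them.
STAGES = (
    ("rce", ("index.py", "iframe.py", "wasm.py")),
    ("sandbox_escape", ("sbx.py",)),
    ("post_exploitation", ("launcher.py", "agent.py")),
)
STAGE_ORDER = [name for name, _ in STAGES]
ENDPOINT_STAGE = {ep: stage for stage, eps in STAGES for ep in eps}

# Common Log Format with the client IP first; query strings are dropped later.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": path,
        "name": path.rsplit("/", 1)[-1].lower(),
        "status": int(m.group("status")),
    }


def classify(stages_seen):
    """full_chain: all three stages in order. partial_chain: an ordered prefix
    (a landing-page hit alone is also what scanners and crawlers produce).
    out_of_order: a later stage without the earlier ones, which a real
    infection never does, so it is more likely a researcher or a scanner."""
    if stages_seen == STAGE_ORDER:
        return "full_chain"
    if stages_seen == STAGE_ORDER[: len(stages_seen)]:
        return "partial_chain"
    return "out_of_order"


def analyze(lines):
    """Group chain-endpoint requests per client IP and classify each client."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["name"] not in ENDPOINT_STAGE:
            continue
        if rec["status"] >= 400:      # a 404 for sbx.py is noise, not a sandbox escape
            continue
        per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        stages_seen = []
        for rec in recs:              # log order is request order
            stage = ENDPOINT_STAGE[rec["name"]]
            if stage not in stages_seen:
                stages_seen.append(stage)
        report[ip] = {
            "verdict": classify(stages_seen),
            "stages": stages_seen,
            "paths": [rec["path"] for rec in recs],
        }
    return report


# Constructed sample log: 203.0.113.7 walks the full chain, 198.51.100.9 only
# fetches the landing page, 192.0.2.5 requests the sandbox-escape payload cold.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2022:10:00:01 +0000] "GET /index.py HTTP/1.1" 200 1432
203.0.113.7 - - [30/Nov/2022:10:00:02 +0000] "GET /iframe.py?x=1 HTTP/1.1" 200 9871
203.0.113.7 - - [30/Nov/2022:10:00:02 +0000] "GET /wasm.py HTTP/1.1" 200 512
203.0.113.7 - - [30/Nov/2022:10:00:04 +0000] "GET /sbx.py HTTP/1.1" 200 20480
203.0.113.7 - - [30/Nov/2022:10:00:06 +0000] "GET /launcher.py HTTP/1.1" 200 30720
203.0.113.7 - - [30/Nov/2022:10:00:07 +0000] "GET /agent.py HTTP/1.1" 200 65536
198.51.100.9 - - [30/Nov/2022:10:01:00 +0000] "GET /index.py HTTP/1.1" 200 1432
192.0.2.5 - - [30/Nov/2022:10:02:00 +0000] "GET /sbx.py HTTP/1.1" 200 20480
192.0.2.5 - - [30/Nov/2022:10:02:01 +0000] "GET /agent.py HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {info['verdict']:14} stages={info['stages']}")
```

The caveat a practitioner should keep in mind: the file names are generic and trivially renamed, so this is a weak, easily evaded indicator. Its value is as a retrospective hunt over logs from the period before the patches shipped, and as a template for the stronger check of matching the stage ordering and timing of a chain rather than any single URL.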
Google said,
« TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry. »