Spyware Vendor’s Heliconia Framework Exploits Browser Vulnerabilities

A company in Barcelona that purports to offer custom security solutions is tied to exploitation frameworks that can deploy spyware.

Variston IT’s “Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022,” the Google Threat Analysis Group (TAG) wrote in a blog post. “While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild.”

As a result of these findings, “TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files,” the post noted. “To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date.”

TAG first became aware of the framework after someone anonymously made a submission to the Google Chrome bug reporting program. “The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’ and ‘Files,’” the researchers wrote. “TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”

The three exploitation frameworks “included mature source code capable of deploying exploits for Chrome, Windows Defender and Firefox,” and the vulnerabilities they target have since been patched. Nevertheless, “it is likely the exploits were used as zero-days before they were fixed,” TAG wrote.

Researchers described the three frameworks as follows:

Heliconia Noise “is a web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation. A manifest file in the source code provides a product description. The Chrome renderer exploit supports Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021). It takes advantage of a V8 deoptimizer bug fixed in August 2021. As is currently normal for internally found Chrome bugs, no CVE was assigned.”

Heliconia Soft “is a web framework that deploys a PDF containing a Windows Defender exploit. It exploits CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021. The exploit achieves SYSTEM privileges with a single vulnerability and the only action required by the user is to download a PDF, which triggers a scan by Windows Defender.”

Heliconia Files “contained a fully documented Firefox exploit chain for Windows and Linux. For remote code execution, it exploits CVE-2022-26485, a use-after-free vulnerability in the XSLT processor that was reported in March 2022 as being exploited in the wild. TAG assesses that the Heliconia Files package likely exploited this RCE vulnerability since at least 2019, well before the bug was publicly known and patched. The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting it may have been used as early as December 2018 when version 64 was first released. Additionally, when Mozilla patched the vulnerability, the exploit code in their bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest the exploit author is the same for both the Heliconia exploit and the sample exploit code Mozilla shared when they patched the bug.”
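The TAG descriptions above give concrete affected version ranges for two of the three targets. The following is an added example, not code from the article or from Google TAG, that turns those ranges into a simple inventory check a defender can run against a list of installed browser builds (the inventory rows and host names are constructed for illustration; Defender is omitted because the article gives no engine version range for CVE-2021-42298).

```python
from typing import Dict, List, Tuple

# Inclusive affected ranges as reported by TAG in the quoted text:
# Chrome 90.0.4430.72 to 91.0.4472.106 (renderer exploit),
# Firefox 64 to 68 (stated by major version only).
AFFECTED: Dict[str, Tuple[Tuple[int, ...], Tuple[int, ...]]] = {
    "chrome": ((90, 0, 4430, 72), (91, 0, 4472, 106)),
    "firefox": ((64,), (68,)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '91.0.4472.77' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    # Right-pad with zeros so '91.0.4472' compares like '91.0.4472.0'.
    return v + (0,) * (n - len(v))


def is_affected(product: str, version: str) -> bool:
    """True if the given build falls inside the range TAG reported as affected."""
    product = product.lower()
    if product not in AFFECTED:
        raise KeyError(f"no Heliconia range known for {product!r}")
    low, high = AFFECTED[product]
    v = parse_version(version)
    if len(low) == 1:
        # Firefox range is given by major version only, so compare majors.
        return low[0] <= v[0] <= high[0]
    n = max(len(v), len(high))
    return _pad(low, n) <= _pad(v, n) <= _pad(high, n)


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the host names whose browser build is inside an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "91.0.4472.77"),
    ("ws-02", "chrome", "103.0.5060.114"),
    ("ws-03", "firefox", "68.0.2"),
    ("ws-04", "firefox", "98.0.2"),
]

if __name__ == "__main__":
    print("hosts needing update:", triage(SAMPLE_INVENTORY))
```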

Noting that “commercial spyware vendors can be problematic,” Mike Parkin, senior technical engineer at Vulcan Cyber, explained, “They can operate in something of a gray area of the law, where their official clients are agencies that may not be subject to common privacy laws. Police and State-level Intelligence agencies, for example, are often allowed exceptions that let them use the tools commercial spyware vendors provide.” But the intent is not always malicious, and the vendors are not without legitimate uses.

“While the legality and ethics of these vendors is debatable, they do provide a service that legitimate agencies may require to fulfill their mandates,” said Parkin. “The challenge is when these vendors are not careful about who they sell their services to or when their products damage the targets. While most people wouldn’t be too concerned if a known criminal were impacted, they are often used against people and organizations where these tools are not necessarily appropriate.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
