Google’s Threat Analysis Group (TAG) has published details about three newly discovered exploit frameworks that were likely used as zero-days against Chrome, Firefox, and Microsoft Defender vulnerabilities over the last few years.
The TAG team became aware of the frameworks when an anonymous submitter filed three separate reports with Google’s Chrome bug reporting system. Each report included a complete framework for exploiting specific bugs, along with its source code. The frameworks are known as Heliconia Noise, Heliconia Soft, and Heliconia Files. Heliconia Noise is a full one-click chain for exploiting a renderer bug in Chrome that was present from version 90.0.4430.72 to 91.0.4472.106 and was fixed in August 2021. Heliconia Soft exploits a flaw in Windows Defender, and Heliconia Files is a set of exploits for Firefox on both Windows and Linux.
While examining the frameworks, Google’s researchers found a clean-up script intended to strip sensitive information, such as server names and developer aliases, from the source before release. The script itself still contained a reference to Variston, a security firm based in Spain, and the TAG researchers assess that Variston likely developed the exploit frameworks.
“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022. While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild,” the TAG researchers said in a post detailing the bugs and frameworks.
Google’s research shows that the frameworks are complex and mature, packaging everything needed to deliver an exploit to a target machine. The Heliconia Noise framework that targets Chrome has several components and also references a separate sandbox escape exploit. The chain runs in three stages: a remote code execution exploit against the renderer, then the sandbox escape, and finally the installation of an agent on the compromised machine.
“The framework runs a Flask web server to host the exploit chain. A full infection performs requests to six different web endpoints during the different stages of the exploit chain. The file names for each endpoint are randomized during server deployment, except for the first endpoint, which is served by a URL specified in the configuration file,” the Google researchers said.
“The framework allows setting parameters to validate visitors of the web server. Customers can configure target validations based on user agent, client country, client IP, and a client identifier used to track individual visitors. If any of the validation checks fail, the user is redirected to the preconfigured redirect URL.”
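The gating TAG describes above is what keeps an exploit server from ever showing its payload to a crawler, a sandbox or a researcher re-fetching the URL. The model below is an added illustration, not Heliconia's code: the configuration keys, the endpoint naming scheme and the order of the checks are assumptions chosen to reproduce the behaviour in the quote (one fixed entry URL, randomized names for the remaining stage endpoints, and a redirect whenever a user-agent, country, IP or client-identifier check fails).

```python
"""
Model of a visitor-gating front end of the kind TAG describes for
Heliconia Noise. Added example, not code from the leaked framework:
config keys, endpoint naming and check ordering are assumptions.
"""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class GateConfig:
    """Hypothetical operator configuration (assumed, not Heliconia's schema)."""
    entry_path: str               # the one endpoint whose name is fixed
    allowed_ua_substrings: tuple  # e.g. the exact browser build being targeted
    allowed_countries: frozenset  # ISO country codes from a geo-IP lookup
    allowed_networks: tuple       # ipaddress.ip_network objects
    expected_client_id: str       # per-target token used to track one visitor
    redirect_url: str             # where every failed visitor is sent


@dataclass
class Visitor:
    path: str
    user_agent: str
    country: str
    ip: str
    client_id: str


def randomized_endpoints(n: int = 5) -> list:
    """Stage endpoints get fresh random names at deployment time, so a
    scanner cannot enumerate the later stages by name."""
    return ["/" + secrets.token_hex(8) for _ in range(n)]


def build_stage_map(cfg: GateConfig) -> dict:
    """Stage 0 is the configured entry URL; stages 1-5 are randomized.
    Six endpoints in total, matching the infection flow TAG describes."""
    paths = [cfg.entry_path] + randomized_endpoints(5)
    return {i: p for i, p in enumerate(paths)}


def validate_visitor(v: Visitor, cfg: GateConfig) -> tuple:
    """Return ('serve', None) only if every check passes; otherwise
    ('redirect', failed_check). The first failing check wins, so the
    visitor learns nothing about later checks."""
    if not any(s in v.user_agent for s in cfg.allowed_ua_substrings):
        return ("redirect", "user-agent")
    if v.country not in cfg.allowed_countries:
        return ("redirect", "country")
    addr = ipaddress.ip_address(v.ip)
    if not any(addr in net for net in cfg.allowed_networks):
        return ("redirect", "ip")
    if v.client_id != cfg.expected_client_id:
        return ("redirect", "client-id")
    return ("serve", None)


# Constructed sample data for a dry run (documentation-range addresses).
CFG = GateConfig(
    entry_path="/news/update.html",
    allowed_ua_substrings=("Chrome/91.0.4472",),
    allowed_countries=frozenset({"ES"}),
    allowed_networks=(ipaddress.ip_network("203.0.113.0/24"),),
    expected_client_id="c0ffee01",
    redirect_url="https://example.invalid/",
)

UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/91.0.4472.77 Safari/537.36"
TARGET = Visitor("/news/update.html", UA, "ES", "203.0.113.42", "c0ffee01")
# The same URL, same browser string, re-fetched from a sandbox elsewhere.
SCANNER = Visitor("/news/update.html", UA, "US", "198.51.100.9", "c0ffee01")

if __name__ == "__main__":
    for who, v in (("target", TARGET), ("scanner", SCANNER)):
        print(who, validate_visitor(v, CFG))
    print(build_stage_map(CFG))
```

The practical consequence for responders: a suspected exploit URL pulled from a victim's history will usually return only the redirect, so the evidence of the chain has to come from the victim's own browser cache, proxy logs or a capture taken from the targeted network and client, not from re-fetching the link.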
Heliconia Soft, which targets the Windows Defender security tool, contains an exploit for CVE-2021-42298, a flaw in the JavaScript engine of Defender’s malware protection engine that Microsoft patched in November 2021. The exploit runs with SYSTEM privileges and requires nothing from the victim beyond downloading a PDF: Defender’s real-time protection scans the file as soon as it lands on disk, and that scan is what triggers the bug. Any Defender installation that has taken engine updates since the patch is not affected.
“In the first stage, a PDF is served when a user visits the attack URL. The PDF contains some decoy content, plus JavaScript that contains the exploit. Like Heliconia Noise, it uses the custom JavaScript obfuscator minobf. The framework code performs checks to confirm that common exploit strings (“spray”, “leak”, “addr”, etc.) are not present in the obfuscated JavaScript. The framework inserts the PE loader shellcode and the launcher DLL as strings in the exploit JavaScript,” the Google analysis says.
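The detail that the framework greps its own obfuscated JavaScript for words like “spray”, “leak” and “addr” is a reminder that keyword signatures are the first thing an exploit author tests against. The triage script below is an added example, not Heliconia's code and not Defender's detection logic: the sample PDF, the keyword list and the scoring thresholds are assumptions. It shows that the keyword check finds nothing on a payload built the way TAG describes, while structural indicators (an auto-run action pointing at JavaScript, and a string literal large enough to hold a PE loader or DLL) still fire.

```python
"""
Triage heuristics for PDFs carrying JavaScript. Added example for the
Heliconia Soft description; not the framework's code and not Defender's
logic. Sample PDF, keyword list and thresholds are constructed.
"""
import re

# The words TAG reports the framework makes sure are absent from its JS.
EXPLOIT_KEYWORDS = ("spray", "leak", "addr")

# Constructed sample: minimal PDF whose catalog auto-runs a JavaScript
# action. The script contains no exploit keyword and carries a large hex
# string standing in for an embedded loader/DLL (the bytes are filler).
BLOB = "4d5a9000" * 64   # 512 hex chars, 'MZ' header repeated as filler
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (var a=\"" + BLOB.encode() + b"\";"
    b"var b=[];for(var i=0;i<a.length;i+=2){b.push(parseInt(a.substr(i,2),16));}) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed benign control: no actions, no JavaScript.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def extract_js(pdf: bytes) -> list:
    """Return JavaScript bodies held in /JS ( ... ) literal strings.
    PDF literal strings may contain balanced parentheses, so walk them
    with a depth counter instead of a regex. (/JS given as a hex string
    or a stream object is not handled by this example.)"""
    out = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i = start = m.end()
        depth = 1
        while i < len(pdf) and depth:
            c = pdf[i:i + 1]
            if c == b"\\":          # escaped char: skip it and the next byte
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
            i += 1
        out.append(pdf[start:i - 1].decode("latin-1"))
    return out


def keyword_hits(js: str) -> list:
    """The naive check: which exploit keywords appear in the script."""
    return [k for k in EXPLOIT_KEYWORDS if k in js.lower()]


def long_literals(js: str, min_len: int = 256) -> list:
    """Double-quoted string literals long enough to hold shellcode or a DLL."""
    return re.findall(r'"([^"]{%d,})"' % min_len, js)


def hex_ratio(s: str) -> float:
    """Fraction of characters that are hex digits; ~1.0 for hex-encoded blobs."""
    return sum(c in "0123456789abcdefABCDEF" for c in s) / len(s) if s else 0.0


def triage(pdf: bytes) -> dict:
    """Score a PDF on structure rather than on keywords alone."""
    scripts = extract_js(pdf)
    auto_run = re.search(rb"/OpenAction|/AA\b", pdf) is not None
    kw = sorted({k for js in scripts for k in keyword_hits(js)})
    blobs = [s for js in scripts for s in long_literals(js)]
    hex_blobs = [s for s in blobs if hex_ratio(s) > 0.95]
    score = 0
    if scripts:
        score += 1              # JavaScript present at all
    if scripts and auto_run:
        score += 2              # and it runs without user interaction
    if kw:
        score += 1              # keyword hit (rare on a tested payload)
    if hex_blobs:
        score += 3              # embedded binary payload in a string
    return {"scripts": len(scripts), "auto_run": auto_run,
            "keyword_hits": kw, "hex_blobs": len(hex_blobs), "score": score}


if __name__ == "__main__":
    print("sample:", triage(SAMPLE_PDF))
    print("benign:", triage(BENIGN_PDF))
```

Running it gives a keyword hit list that is empty for the sample, which is exactly the condition the framework's own self-check enforces, while the auto-run action and the 512-character hex literal push the score up anyway. For real triage, tools such as pdfid and peepdf handle the hex-string and stream forms of /JS that this example skips.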
The final framework TAG discovered, Heliconia Files, contains an exploit for a Firefox bug that Mozilla patched earlier this year. That vulnerability (CVE-2022-26485) was exploited in the wild before it was disclosed in March 2022, and Google’s researchers believe actors may have been using the exploit contained in the Heliconia Files package for several years before that.
“TAG assesses that the Heliconia Files package likely exploited this RCE vulnerability since at least 2019, well before the bug was publicly known and patched. The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting it may have been in use as early as December 2018 when version 64 was first released,” TAG said.
“Additionally, when Mozilla patched the vulnerability, the exploit code in their bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest the exploit author is the same for both the Heliconia exploit and the sample exploit code Mozilla shared when they patched the bug.”
The Files package also includes a sandbox escape exploit for Firefox on Windows. Google’s TAG researchers pointed to Heliconia as an example of the proliferation of commercial surveillance tools and of how dangerous they can be for many groups of potential targets.
“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” the researchers said.