1 December 2022

New Heliconia framework exploits n-day flaws in Chrome, Firefox and Microsoft Defender


New Heliconia framework exploits n-day flaws in Chrome, Firefox and Microsoft Defender

Google’s Threat Analysis Group (TAG) has published details on a new exploit framework, which it believes has been developed by the Barcelona-based company Variston IT that claims to be a provider of custom security solutions.

Called “Heliconia,” the framework exploits n-day vulnerabilities in the Chrome and Firefox browsers, as well as the Microsoft Defender tool, fixed by Google, Microsoft and Mozilla in 2021 and 2022. The TAG team says that these bugs were likely utilized as zero-day vulnerabilities before they were fixed, although the researchers admitted that they didn’t find evidence to support this claim.

TAG became aware of the Heliconia framework after Google received an anonymous bug report describing three vulnerabilities, each with instructions and an archive that contained source code.

After analyzing the report the researchers identified three frameworks for deploying exploits listed below:

  • Heliconia Noise - a web framework for deploying Chrome exploits;

  • Heliconia Soft - a web framework that deploys a Windows Defender exploit via a PDF file

  • Heliconia Files - contains Firefox exploits for Windows and Linux

Heliconia Noise is described as a “1-click full chain for Google Chrome without persistence reaching medium integrity,” while Heliconia Soft exploits CVE-2021-42298, a vulnerability in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021. The exploit achieves SYSTEM privileges with a single vulnerability and the only action required by the user is to download a PDF, which triggers a scan by Windows Defender, Google said.

Lastly, Heliconia Files contains a fully documented Firefox exploit chain for Windows and Linux and takes advantage of CVE-2022-26485, an RCE vulnerability in the XSLT processor disclosed in March 2022 as a zero-day flaw. According to the researchers, the Heliconia Files framework likely exploited the aforementioned vulnerability since at least 2019. The exploit is effective against Firefox versions 64 to 68, indicating it may have been in use as early as December 2018 when version 64 was first released.

“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety,” the TAG team warned.

Back to the list

Latest Posts

ICC investigates cyberattacks in Ukraine as possible war crimes

ICC investigates cyberattacks in Ukraine as possible war crimes

The probe is focused on cyberattacks that endangered lives by disrupting essential services.
17 June 2024
Alleged Scattered Spider leader arrested in Spain

Alleged Scattered Spider leader arrested in Spain

The suspect is believed to be a key player in the MGM ransomware attack.
17 June 2024
Scattered Spider hackers switch focus to cloud apps for data theft

Scattered Spider hackers switch focus to cloud apps for data theft

Mandiant has observed UNC3944 accessing platforms like vSphere and Azure via SSO applications to create new virtual machines.
17 June 2024