Description
Google's Threat Analysis Group (TAG) has recently linked a commercial surveillance company to an exploit framework that bundles exploits, likely used as zero-days, for vulnerabilities in the Chrome and Firefox web browsers and in Microsoft Windows Defender.
Summary
The exploitation framework is likely linked to an entity called Variston IT. The company claims to be a provider of custom security solutions; however, its Heliconia framework was seen exploiting n-day vulnerabilities in Chrome, Firefox and Microsoft Defender, and it provides all the tools necessary to deploy a payload to a targeted device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022, and while Google has not detected active exploitation, research shows that these were likely utilized as zero-days in the past. TAG became aware of this threat after receiving an anonymous submission containing three different frameworks, namely Heliconia Noise, Heliconia Soft and Heliconia Files.
Heliconia Noise is a web framework for deploying a Chrome renderer exploit, which is followed by a sandbox escape and agent installation. The Chrome renderer exploit works on Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021) and takes advantage of a V8 deoptimizer bug that was fixed in August 2021. The framework is configured through an associated JSON file that allows various parameters to be set, including the number of times to execute the exploit, the redirect URL to use if the exploit fails, and custom rules to specify certain targets.
Heliconia Soft is a web framework that deploys a malicious PDF file containing a Windows Defender exploit when a user visits a specific attack URL. The file exploits CVE-2021-42298, a vulnerability in the JavaScript engine of Windows Defender that grants SYSTEM privileges. This vulnerability was fixed as of November 2021.
Heliconia Files is a package containing a fully documented Firefox exploit chain for Windows and Linux devices. The package exploits CVE-2022-26485, a use-after-free vulnerability in the XSLT processor of Firefox that grants remote code execution. TAG assessed that this Heliconia package has likely exploited the vulnerability since at least 2019, well before it was publicly known and patched in March 2022. The package is effective against Firefox versions 64 to 68, which suggests that it may have been in use since December 2018, when Firefox 64 was first released. The package also provides a sandbox escape by exploiting a vulnerability that allows user-controlled CSS values to be rendered inside the privileged content process. Code execution is then achieved by injecting XBL bindings to resolve Windows APIs and call WinExec. This vulnerability was fixed as of September 2019 without a CVE.
Remediation
Since the Heliconia frameworks exploit older vulnerabilities that have already been patched, users are advised to update their Firefox and Chrome browsers, as well as Windows Defender, to the latest versions so that these exploits no longer work against them. Follow the links below for help on updating the respective software:
Google Chrome: https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop
Mozilla Firefox: https://support.mozilla.org/en-US/kb/update-firefox-latest-release
Microsoft Windows Defender: https://www.microsoft.com/en-us/wdsi/defenderupdates
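Administrators who want to find unpatched browsers in their environment can check the browser versions seen in web proxy or server access logs against the affected ranges given above. The following script is an added example written for this alert, not code from Google TAG or from the Heliconia frameworks; the log lines and the `flag_log` helper are constructed for illustration and assume the common combined log format with the User-Agent as the last quoted field.

```python
import re
from typing import List, Optional, Tuple

# Affected version ranges as stated in this alert.
CHROME_MIN = (90, 0, 4430, 72)     # Chrome 90.0.4430.72 (April 2021)
CHROME_MAX = (91, 0, 4472, 106)    # Chrome 91.0.4472.106 (June 2021)
FIREFOX_MIN, FIREFOX_MAX = 64, 68  # Firefox 64 to 68 (Heliconia Files)

CHROME_RE = re.compile(r"Chrome/(\d+(?:\.\d+){3})")
FIREFOX_RE = re.compile(r"Firefox/(\d+)")
UA_RE = re.compile(r'"([^"]*)"\s*$')          # last quoted field = User-Agent
IP_RE = re.compile(r"^(\S+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '91.0.4472.77' into (91, 0, 4472, 77) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def classify(user_agent: str) -> Optional[str]:
    """Return a label when the browser version falls in an affected range, else None."""
    m = CHROME_RE.search(user_agent)
    if m:  # Chromium-based browsers (Chrome, Edge, Opera) all carry a Chrome/ token
        if CHROME_MIN <= parse_version(m.group(1)) <= CHROME_MAX:
            return f"chrome-{m.group(1)}-in-heliconia-noise-range"
        return None
    m = FIREFOX_RE.search(user_agent)
    if m and FIREFOX_MIN <= int(m.group(1)) <= FIREFOX_MAX:
        return f"firefox-{m.group(1)}-in-heliconia-files-range"
    return None


def flag_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for every log line whose browser is in an affected range."""
    hits = []
    for line in lines:
        ua, ip = UA_RE.search(line), IP_RE.match(line)
        if not ua or not ip:
            continue  # malformed line; skip rather than guess
        label = classify(ua.group(1))
        if label:
            hits.append((ip.group(1), label))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/91.0.4472.77 Safari/537.36"',
    '10.0.0.6 - - [01/Dec/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/108.0.5359.72 Safari/537.36"',
    '10.0.0.7 - - [01/Dec/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"',
]

if __name__ == "__main__":
    for ip, label in flag_log(SAMPLE_LOG):
        print(ip, label)
```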
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Spyware vendor distributing frameworks that exploit Chrome Firefox and Windows vulnerabilities.pdf
References
Gatlan, S. (2022, November 30). Google discovers Windows exploit framework used to deploy spyware. Retrieved from BleepingComputer. https://www.bleepingcomputer.com/news/security/google-discovers-windows-exploit-framework-used-to-deploy-spyware/
Lecigne, C. and Sevens, B. (2022, November 30). New details on commercial spyware vendor Variston. Retrieved from Google Blog. https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/