A Barcelona-based surveillance software vendor named Variston IT is said to have exploited several zero-day vulnerabilities in Google Chrome, Mozilla Firefox, and Windows to covertly plant spyware on targeted devices.
โTheir Heliconia framework provides all the tools needed to exploit n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and deploy payloads to target devices,โ said Google Threat Analysis Group. (TAG) researchers Clement Lecigne and Benoit Sevens said. Said in writing.
Balliston is minimal websiteclaims to “provide customers with bespoke information security solutions,” “design custom security patches for all kinds of proprietary systems,” and “help them discover digital information.” [law enforcement agencies],โ and other services.
Vulnerabilities patched by Google, Microsoft, and Mozilla in 2021 and early 2022 are believed to have been used as zero-days to help customers install arbitrary malware on targeted systems.
Heliconia consists of three components, Noise, Soft, and Files, each responsible for deploying exploits for bugs in Chrome, Windows, and Firefox.
the noise is security flaw Targets the final payload (aka “agent”) using the Chrome V8 engine’s JavaScript engine patched in August 2021 and an unknown sandbox escape method called “chrome-sbx-gen” Allow it to be installed on your device.
However, this attack is based on the premise that the victim visits a booby-trapped web page to trigger the first stage exploit.
Buyers can additionally configure Heliconia Noise using a JSON file to specify the maximum number of times to serve exploits, server expiration, redirect URLs for non-targeted visitors, and rules specifying when visitors should visit. You can set various parameters such as considered a valid target.
Soft is a web frame designed to deliver decoy PDF documents featuring an exploit for CVE-2021-42298, a remote code execution flaw affecting Microsoft Defender that was fixed by Redmond in November 2021. Work. A user visited a malicious URL that served a weaponized PDF file.
The Files package (third framework) contains a Firefox exploit chain for Windows and Linux that exploits the browser use-after-free flaw (CVE-2022-26485) reported in March 2022. increase. However, it is suspected that the bug has likely been exploited since at least 2019.
Google TAG said it became aware of the Heliconia attack framework after it was anonymously posted to the Chrome bug reporting program. It further states that there is no evidence of exploitation at this time, indicating that the toolset has either stopped or evolved further.
The development comes more than five months after the tech giant’s cybersecurity division linked previously unexplained Android mobile spyware, Hermit, to Italian software company RCS Lab.
โThe growth of the spyware industry puts users at risk and makes the Internet less secure. It is often used in harmful ways to conduct espionage,” said the researchers.
