Exploiting Windows, Chrome, and Firefox Zero-Days to Proliferate Malware


Cybersecurity researchers from Google's Threat Analysis Group (TAG) say a Spanish commercial firm developed an exploit framework for Windows, Chrome, and Firefox, and likely sold it to government entities.

In a blog post published earlier this week, the TAG team says a Barcelona-based company called Variston IT is likely linked to the Heliconia framework, which exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It also indicates that the company likely provided all the tools needed to deploy a payload to a target endpoint.

No active exploitation

All affected vendors had already patched the vulnerabilities exploited through the Heliconia framework in 2021 and early 2022, and since TAG found no active exploitation, the framework was most likely used while the bugs were still zero-days. However, to fully protect against Heliconia, TAG advises all users to keep their software up to date.

Google was first alerted to the existence of Heliconia through an anonymous submission to Chrome's bug reporting program. The submitter filed three bugs, each with instructions and a source code file. They were named "Heliconia Noise", "Heliconia Soft" and "Files". A subsequent analysis showed that they contained "frameworks to implement exploits in the wild" and that the source code pointed to Variston IT.

Heliconia Noise is described as a framework for deploying an exploit for a Chrome renderer bug, followed by a sandbox escape. Heliconia Soft, on the other hand, is a web framework that serves a PDF containing an exploit for Windows Defender, while Files is a collection of Firefox exploits for both Windows and Linux.

Since the Heliconia Firefox exploit works on Firefox versions 64 to 68, Google suggests it was likely in use in late 2018.

Speaking with TechCrunch, Variston CIO Ralf Wegner said the company was unaware of Google's research and could not validate its findings, but added that he would be "surprised if such an element were to be found in the wild."

Commercial spyware is a growth industry, Google says, adding that it will not stand idly by while these entities sell vulnerabilities to governments who then use them to attack opponents, politicians, journalists, human rights activists and dissidents.

Perhaps the most famous example is Israel-based NSO Group and its Pegasus spyware, which got the company blacklisted in the United States.

Via: TechCrunch