Google describes a commercial spyware operation that exploited zero-days.
Heliconia framework described.
Google’s Threat Analysis Group (TAG) has published a report on a commercial spyware framework developed by a Barcelona-based company, Variston IT.
Spyware targets Chrome, Firefox, and Windows Defender.
The framework, called “Heliconia,” exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender. While the vulnerabilities have since been patched, TAG says “it appears likely these were utilized as zero-days in the wild.”
The researchers write, “TAG became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports including, ‘Heliconia Noise,’ ‘Heliconia Soft’ and ‘Files.’ TAG analyzed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”
Heliconia Noise, Heliconia Soft, and Files.
TAG found that Heliconia Noise is a “web framework for deploying a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation,” while Heliconia Soft is “a web framework that deploys a PDF containing a Windows Defender exploit.” Heliconia Files offers “a fully documented Firefox exploit chain for Windows and Linux.” Heliconia Noise is delivered when a user visits a malicious URL. Heliconia Soft achieves SYSTEM privileges once the user downloads the PDF file and Windows Defender scans it.