Malware is spread using Windows, Chrome, and Firefox zero-day vulnerabilities

Google’s Threat Analysis Group (TAG) discovered an exploitation network for Windows, Chrome, and Firefox, and they believe it was created by a private business in Spain and sold to government agencies at some point.

The TAG team has linked a Barcelona firm named Variston IT to the Heliconia framework, which targets n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, according to a blog post published earlier this week. It also implies that the firm supplied everything required to deliver a payload to a destination.

We are not currently aware of any active exploitations

Given that TAG did not discover any active exploitations and all impacted firms had patched the vulnerabilities exploited using the Heliconia framework in 2021 and early 2022, it is likely that the framework was only utilised on zero-days. However, TAG advises all users to maintain their software up to date to provide maximum security against Heliconia.

Anonymous reporting in Chrome’s bug-reporting programme is what first alerted Google to Heliconia. The submitter has added three new bugs, each with detailed instructions and a downloadable zip containing the code. The three of them were dubbed “Files,” “Heliconia Noise,” and “Heliconia Soft.” After further investigation, it was discovered that the files contained “frameworks for deploying exploits in the wild,” and that the code’s origin was traced back to Variston IT.

Using the Heliconia Noise framework, an attack for a Chrome renderer flaw may be deployed, and then the sandbox can be escaped. But Files is a collection of Firefox vulnerabilities that can be used on Windows and Linux, while Heliconia Soft is a web framework that uses a PDF containing an exploit for Windows Defender.

Since the Heliconia exploit is compatible with Firefox 66 through 68, Google assumes it was used sometime in late 2018.

Ralf Wegner, the director of IT at Variston, said the business had not heard of Google’s study and hence could not verify its findings, but that he would be “surprised if such thing was found in the wild.”

Commercial spyware is on the rise, according to Google, and the company will not stand idly by while its customers are targeted by governments that purchase vulnerability exploits from private companies.

The NSO Group, an Israeli firm, gained notoriety for developing the Pegasus spyware that ultimately led to its inclusion on a U.S. government blacklist.