Google’s Threat Analysis Group has released details on a trio of newly discovered exploit frameworks that have likely been used to exploit vulnerabilities in Chrome, Firefox and Microsoft Defender like Zero Day over the past few years.
The TAG team became aware of the frameworks when someone submitted three separate bugs to Google’s Chrome bug reporting system. Each of the three bugs included a comprehensive framework for exploiting specific bugs, along with the source code. The frameworks are known as Heliconia Noise, Heliconia Soft and Files. Heliconia Noise is a framework that includes a complete one-click chain to exploit a rendering bug in Chrome that was present in browser version 90.0.4430.72 to 91.0.4472.106 and was patched in August 2021. Heliconia Soft exploits a flaw in Windows Defender, and Files is a group of exploits for Firefox on Windows and Linux.
While reviewing vulnerabilities and frameworks, Google researchers discovered a script used to remove any sensitive information, such as server names and developer aliases, and it also contains a reference to Variston, which is a security company in Spain. TAG researchers believe that Variston may have developed the operating frameworks.
“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the necessary tools to deploy a payload to a target device. Google, Microsoft, and Mozilla patched affected vulnerabilities in 2021 and early 2022 Although we did not detect active exploitation, based on the research below, it seems likely that they were used as zero days in the wild,” the TAG researchers said in a post. detailing bugs and frameworks.
Google research shows that the frameworks are complex and mature and able to easily deliver exploits to target machines. The Heliconia Noise framework that targets Chrome has multiple components and also a reference to a separate sandbox exhaust exploit. The first step in the chain is the use of a remote code execution exploit, followed by escaping the sandbox, and finally installing an agent on the compromised machine.
“The framework runs a Flask web server to host the exploit chain. A full infection makes requests to six different web endpoints during different stages of the exploit chain. The filenames for each endpoint are randomized during server deployment, except for the first endpoint, which is served by a URL specified in the configuration file,” the Google researchers said.
“The framework allows setting parameters to validate web server visitors. Customers can configure target validations based on user agent, customer country, customer IP address, and a customer ID used to track individual visitors. If any of the validation checks fail, the user is redirected to the preconfigured redirect URL. »
Heliconia Soft, which targets the Windows Defender security tool, contains an exploit for CVE-2021-42298, a flaw that Microsoft patched in 2021. The framework uses an exploit that gives the attacker system-level privileges and only involves downloading a PDF. When the victim downloads the PDF, it triggers a scan by Windows Defender.
“In the first stage, a PDF is served when a user visits the attack URL. The PDF contains decoy content, as well as JavaScript that contains the exploit. Like Heliconia Noise, it uses the custom JavaScript obfuscator minobf Framework code performs checks to confirm that common exploit strings (“spray”, “leak”, “addr”, etc.) are not present in obfuscated JavaScript Framework inserts loader shellcode PE and launcher DLL as strings in the JavaScript exploit,” Google’s analysis reads.
“The growth of the spyware industry puts users at risk and makes the Internet less secure.”
The final TAG framework discovered is called Simple Files and contains an exploit for a bug in Firefox that Mozilla patched earlier this year. This vulnerability (CVE-2022-26485) was exploited in the wild before being disclosed in March, and Google researchers believe that actors may have been using the exploit contained in the Heliconia Files framework for several years.
“TAG assesses that the Heliconia Files package has likely exploited this RCE vulnerability since at least 2019, long before the bug was publicly known and patched. The Heliconia exploit is effective against Firefox versions 64-68, suggesting it may have been used as early as December 2018 when version 64 was first released,” TAG said.
“Furthermore, when Mozilla patched the vulnerability, the exploit code in its bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest that the author of the The exploit is the same for the Heliconia exploit and the sample exploit code shared by Mozilla when they fixed the bug.
There is also a sandbox escape exploit for the Windows version of Firefox. Google’s TAG researchers cited Heliconia as an example of the proliferation of commercial surveillance tools and how dangerous they are to many potential target groups.
“The growth of the spyware industry puts users at risk and makes the internet less secure, and while surveillance technology may be legal under national or international laws, it is often used in harmful ways to conduct criminal ‘digital espionage against a range of groups,’ the researchers said.
#Google #exposes #Heliconia #exploit #framework #targeting #Chrome #Firefox #Windows