Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors for years, using our research to improve the safety and security of Google’s products and share intelligence with our industry peers. TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents. Google and TAG are committed to disrupting these threats, protecting users, and raising awareness of the risks posed by the growing commercial spyware industry.
Continuing this work, today we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain, that claims to be a provider of custom security solutions. Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022. While we have not detected active exploitation, based on the research below it appears likely these were utilized as zero-days in the wild. TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files. To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up to date.
TAG became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports, including “Heliconia Noise,” “Heliconia Soft” and “Files.” TAG analyzed the submissions and found that they contained frameworks for deploying exploits in the wild; a script in the source code also included clues pointing to the possible developer of the exploitation frameworks, Variston IT.
The exploitation frameworks, listed below, included mature source code capable of deploying exploits for Chrome, Windows Defender and Firefox. Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed.
Below, we share our findings on the exploitation frameworks and how they work. This analysis was done in collaboration with our colleagues, Ivan Fratric and Maddie Stone from Project Zero, and Stephen Röttger from the V8 Security Team.
- Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape.
- Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit.
- Files: a set of Firefox exploits for Linux and Windows.
Read more: New details on commercial spyware vendor Variston (blog.google), where the Threat Analysis Group shares new information on the commercial spyware vendor Variston.