{"uuid": "df3957bd-af8a-43ba-b454-e5568c19255d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-42298", "type": "exploited", "source": "https://t.me/technical_private_cat/379", "content": "We would also like to mention a product called Heliconia\ud83e\uddff.\n\nHeliconia is spyware that affects several browsers, including Google Chrome and Firefox, and, oddly enough, the Microsoft Defender security software.\nThe team's researchers added that they learned about the framework from a bug report sent anonymously by a Chrome user that contained instructions and source code with the names Heliconia Noise, Heliconia Soft and Files.\n\nGoogle's threat analysis team adds that the spyware was specifically designed to exploit vulnerabilities in the Chrome and Firefox browsers. The spyware has also been observed to affect Microsoft Defender, which comes preinstalled with Microsoft Windows. Researchers concluded that the spyware code distribution tools contained links to a potential framework creator after scrutinizing the problem reported by an anonymous user.\n\nHeliconia Noise is a web framework for deploying an exploit of the Chrome visualization tool, followed by exiting the Chrome sandbox and installing an agent.\nThe manifest file in the source code contains a description of the product:\nAn image of the manifest file in the source code\nExploit for the Chrome visualization tool. It uses the V8 deoptimizer bug, fixed in August 2021. As is usual nowadays for internal Chrome bugs, no CVE has been assigned. The source code references a sandbox escape called chrome-sbx-gen. This component was maintained in a separate Git submodule and was missing from the resulting source code.\nTo obfuscate the JavaScript code, the framework uses minobf, probably a special tool, which was also not included in the source code.\n\nHeliconia Soft is a web framework that deploys a PDF file containing a Windows Defender exploit.\nIt uses CVE-2021-42298, a bug in the Microsoft Defender Malware Protection JavaScript engine that was fixed in November 2021. The exploit obtains SYSTEM privileges with a single vulnerability, and the only action required of the user is to download a PDF file that triggers a Windows Defender scan.\n\nFiles - contained a fully documented Firefox exploit chain for Windows and Linux. It uses CVE-2022-26485, a post-free XSLT processor exploit vulnerability reported to be in the wild in March 2022, to execute code remotely. TAG believes that the Heliconia Files package has probably been using this RCE vulnerability since at least 2019, long before the bug became known and patched.\n\nThe Heliconia exploit is effective against Firefox versions 64 through 68, suggesting that it could have been used as early as December 2018, when version 64 was first released. Furthermore, when Mozilla patched the vulnerability, the exploit code in the bug report bore striking similarities to the Heliconia exploit, including the same variable names and tokens. These coincidences suggest that the author of the exploit is the same for both the Heliconia exploit and the sample exploit code that Mozilla shared when they fixed the bug.\n\n#spyware #snooping #malware #android #browsers #cve #exploit", "creation_timestamp": "2022-12-15T10:05:07.000000Z"}