FortiGuard Labs is aware of a report that a new exploit framework dubbed “Heliconia” was discovered. Heliconia consists of three components that are designed to exploit vulnerabilities in Chrome, Firefox and Windows Defender to deliver payloads. According to outside reports, the exploit framework may have connection with a commercial spyware vendor.Why is this Significant?This is significant because the new exploit framework “Heliconia” is designed to exploit security holes in Chrome, Firefox and Windows Defender and deliver payloads. Google’s Threat Analysis Group (TAG) believes “Heliconia” may have connection with a commercial security solution vendor and the vulnerabilities may have been exploited as a 0-day.What Components are in the Three Components of Heliconia?Heliconia consists of the following three components:Heliconia Noise is designed to exploit a renderer vulnerability in Chrome. It also references a remotely hosted sandbox escape shellcode and installs an agent. While a CVE number has not been assigned to the renderer vulnerability, Google states that the vulnerability affects Chrome version 90.0.4430.72 to 91.0.4472.106 and was patched in August 2021.Heliconia Soft is designed to serve a PDF file containing an exploit for a Windows Defender vulnerability (CVE-2021-42298).Heliconia Files is designed to exploit vulnerabilities in both Windows and Linux versions of Firefox in chain. It first exploits CVE-2022-26485, followed by an unnamed sandbox escape and payload delivery.Have the Vendors Released a Patch for the Vulnerabilities?Patches are available for the reported vulnerabilities.How Widespread is this?While we do not know how widespread this is, CVE-2022-26485 was reportedly exploited by the Heliconia exploit framework as early as 2019. What is the Status of Protection?FortiGuard Labs provides the following IPS signature for CVE-2021-42298:MS.Defender.MpEngine.Remote.Code.ExecutionFortiGuard Labs is currently investigating CVE-2022-26485 for coverage. This Threat Signal will be updated when protection becomes available.
Heliconia Exploit Framework In the Wild
Read Time:1 Minute, 36 Second