Google links three exploitation frameworks to Spanish commercial spyware vendor Variston

Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston.

While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked Variston IT, a Spanish firm.

Officially, Variston claims to provide custom security solutions and custom patches for embedded system.

The experts reported that the framework includes exploits for n-day vulnerabilities in Chrome, Firefox and Microsoft Defender, the company also provides a collection of tools to deploy a malicious payload to a target device.

The vulnerabilities in Google, Microsoft and Mozilla exploited by the company were fixed in 2021 and early 2022. TAG’s research suggests that the above issues were utilized as zero-days in the wild by the surveillance vendor.

TAG discovered the Heliconia framework after receiving an anonymous submission to the Chrome bug reporting program.

The submitter reported three different exploitation frameworks, instructions, and an archive that contained source code. Their names in the bug reports are “Heliconia Noise,” “Heliconia Soft” and “Files.” The researchers noticed a script in the source code that includes clues pointing to the possible developer of the exploitation frameworks, Variston IT.

“Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed.” reads the analysis published by Google.

• Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
• Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
• Files: a set of Firefox exploits for Linux and Windows.

The Heliconia Noise web framework is used to deploy a Chrome renderer exploit, followed by a Chrome sandbox escape and agent installation. The Chrome renderer exploit supports Chrome versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021) and trigger a V8 deoptimizer issue fixed in August 2021.

The Heliconia Soft web framework exploits the CVE-2021-42298 remote code execution vulnerability in Microsoft Defender that was fixed on November 2021. The exploit is triggered when the victim downloads a specially crafted PDF file, which is scanned by Windows Defender.

Heliconia Files framework delivers a Firefox exploit chain for Windows and Linux. It leverages CVE-2022-26485 remote code execution in Firefox, the bug was addressed by Mozilla in March 2022.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.” TAG concludes. “These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Variston)

[adrotate banner=”5″]

[adrotate banner=”13″]