Variston IT Spyware behind an attack on Google
A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by compromising various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of these go back to December 2018.
Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device."
Variston has a bare-bones website, it claims to provide tailor-made security solutions to its customers, it also makes custom security patches for various types of proprietary systems and assists in the discovery of digital information by law enforcement agencies, besides other services.
Google's Response
Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."
The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems.
What is Heliconia vulnerability?
Heliconia consists of three components called Noise, Files, and Soft, each of these is responsible for installing exploits against vulnerabilities in Windows, Firefox, and Chrome, respectively.
Noise is designed to exploit a security flaw in the Chrome V8 engine JavaScript that was fixed last year in August 2021, along with an unknown sandbox escape method known as "chrome-sbx-gen" to allow the final payload (also called an agent) to be deployed on select devices.
But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit.
Google says it came to know about the Heliconia attack framework after it got an anonymous submission in its Chrome bug reporting program. It further said that currently there's no proof of exploitation, after hinting the toolset has shut down or evolved further.
Google blog said
Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0 days before they were fixed.
Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
Files: a set of Firefox exploits for Linux and Windows.
