Google discovers Windows exploit framework used to deploy spyware

Google’s Threat Analysis Group (TAG) has linked an exploit framework that targets now-patched vulnerabilities in the Chrome and Firefox web browsers and the Microsoft Defender security app to a Spanish software company.

While TAG is Google’s team of security experts focused on protecting Google users from state-sponsored attacks, it also keeps track of dozens of companies that enable governments to spy on dissidents, journalists, and political opponents using surveillance tools.

The search giant assesses that the Barcelona-based software firm is in practice one of these commercial surveillance vendors, not merely the provider of custom security solutions it officially claims to be.

“Continuing this work, today, we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions,” Google TAG’s Clement Lecigne and Benoit Sevens said on Wednesday.

“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.”

The exploitation framework consists of multiple components, each of them targeting specific security flaws in software on the targets’ devices:

Heliconia Noise: a web framework for deploying a Chrome renderer bug exploit followed by a Chrome sandbox escape to install agents on the targeted device
Heliconia Soft: a web framework that deploys a PDF containing the Windows Defender exploit tracked as CVE-2021-42298
Heliconia Files: a set of Firefox exploits for Linux and Windows, one tracked as CVE-2022-26485

For Heliconia Noise and Heliconia Soft, the exploits would ultimately deploy an agent named ‘agent_simple’ on the compromised device.

However, the sample of this framework analyzed by Google contained a dummy agent that runs and exits without executing any malicious code.

Google believes that the framework's customers supply their own agent, or that the real agent belongs to a separate project TAG did not obtain.

Even though Google has no evidence of ongoing exploitation of these vulnerabilities now that Google, Mozilla, and Microsoft have patched them (in 2021 and early 2022), Google TAG says that "it appears likely these were utilized as zero-days in the wild."
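Because Heliconia relies on n-day bugs, the practical defence is to confirm that every Chrome, Firefox and Defender engine build in an environment is at or above the vendor's fixed version. The following is an added example, not code from Google TAG, Variston IT or this article: a small inventory check that compares dotted version strings numerically. The product names, installed versions and "minimum fixed" thresholds in INVENTORY are constructed placeholders; take the real fixed builds from the Mozilla advisory for CVE-2022-26485 and the Microsoft advisory for CVE-2021-42298 before using it.

```python
"""Compare installed product versions against vendor-patched builds.

Added example (not from Google TAG, Variston IT or BleepingComputer).
All versions in INVENTORY are constructed placeholders: substitute the
minimum fixed build from the vendor advisory for each CVE.
"""
import re


def parse_version(v: str) -> tuple:
    """Turn '91.6.1esr' or '1.1.18700.4' into a tuple of ints.

    Comparing versions as strings is a classic bug ('1.1.9' > '1.1.18700'
    lexically), so each dotted component is reduced to its leading digits;
    suffixes such as 'esr' or 'b3' are ignored rather than failing the check.
    """
    parts = []
    for component in v.strip().split("."):
        m = re.match(r"\d+", component)
        if m is None:
            raise ValueError(f"unparseable component {component!r} in {v!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def is_patched(installed: str, minimum_fixed: str) -> bool:
    """True when installed >= minimum_fixed.

    Missing trailing components count as zero, so '97.0' equals '97.0.0'.
    """
    a, b = parse_version(installed), parse_version(minimum_fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b


# Constructed inventory: product -> (installed version, minimum fixed version).
# The thresholds are illustrative assumptions, not the advisories' values.
INVENTORY = {
    "firefox-esr": ("91.6.1esr", "91.6.1"),
    "firefox": ("97.0.1", "97.0.2"),
    "defender-engine": ("1.1.18700.4", "1.1.18700.4"),
}


def check_inventory(inventory=INVENTORY) -> dict:
    """Map each product name to whether its installed build is at the fixed level."""
    return {name: is_patched(inst, fixed) for name, (inst, fixed) in inventory.items()}


if __name__ == "__main__":
    for name, ok in check_inventory().items():
        print(f"{name}: {'patched' if ok else 'BELOW FIXED BUILD (n-day exposure)'}")
```

On Windows hosts the Defender engine version feeding the "installed" side can be read from `Get-MpComputerStatus` (its AMEngineVersion property); browser versions come from the respective `--version` flags or the endpoint management inventory.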

A Variston IT spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Google’s spyware vendor tracking efforts

In June, the company’s TAG team also revealed that Italian spyware vendor RCS Labs was helped by some Internet Service Providers (ISPs) to deploy commercial surveillance tools on the devices of Android and iOS users in Italy and Kazakhstan.

During those attacks, targets whose Internet connectivity had been cut off with the ISP's help were prompted, supposedly to get back online, to install malicious apps disguised as legitimate mobile carrier apps.

One month earlier, Google TAG exposed another surveillance campaign in which state-backed threat actors exploited five zero-day bugs to install Predator spyware, developed by the commercial surveillance vendor Cytrox.

Google said at the time that it’s actively tracking over 30 vendors with varying levels of public exposure and sophistication selling surveillance capabilities or exploits to government-sponsored threat groups or actors.

“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” Google TAG added today.

“These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.”