Google’s Threat Analysis Group (TAG) has linked an exploit framework that targets now patched vulnerabilities in Chrome and Firefox web browsers and the Microsoft Defender security app to a Spanish software company.
While TAG is Google’s team of security experts focused on protecting Google users from state-sponsored attacks, it also tracks dozens of companies that sell surveillance tools governments use to spy on dissidents, journalists and political opponents.
The search giant claims that the Barcelona-based software company is one such commercial surveillance provider and not just a provider of custom security solutions as it officially claims.
“Continuing this work, today we are sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain, that claims to provide custom security solutions,” Clement Lecigne and Benoit Sevens of Google TAG said Wednesday.
“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the necessary tools to deploy a payload to a target device.”
The exploit framework consists of several components, each of which targets specific security vulnerabilities in software on target devices:
- Heliconia Noise: a web framework that deploys a Chrome renderer bug exploit followed by a Chrome sandbox escape to install agents on the targeted device
- Heliconia Soft: a web framework that deploys a PDF containing the Windows Defender exploit tracked as CVE-2021-42298
- Heliconia Files: a set of Firefox exploits for Linux and Windows, including one tracked as CVE-2022-26485
For Heliconia Noise and Heliconia Soft, the exploits would end up deploying an agent named “agent_simple” on the compromised device.
However, the sample of this framework analyzed by Google contained a dummy agent that runs and closes without executing malicious code.
Google believes that the framework’s customers supply their own agent, or that the agent is part of another project Google does not have access to.
Although there is no evidence of active exploitation of the targeted security vulnerabilities, and Google, Mozilla and Microsoft patched them in 2021 and early 2022, Google TAG states that “it seems likely these were utilized as zero-days in the wild.”
A spokesperson for Variston IT was not immediately available for comment when contacted by BleepingComputer earlier today.
Google’s spyware vendor tracking efforts
In June, the company’s TAG team also revealed that Italian spyware vendor RCS Labs was helped by some Internet Service Providers (ISPs) to deploy commercial monitoring tools on devices of Android and iOS users in Italy and Kazakhstan.
During the attacks, the targets were asked to install malicious apps (disguised as legitimate mobile operator apps) in drive-by downloads to get back online after their internet connection had been cut with the help of their ISP.
A month earlier, Google TAG unveiled another surveillance campaign when state-backed threat actors exploited five zero-day bugs to install Predator spyware developed by commercial spyware developer Cytrox.
Google said at the time that it was actively tracking more than 30 vendors with varying levels of public exposure and sophistication selling surveillance capabilities or exploits to government-sponsored groups or threat actors.
“The growth of the spyware industry puts users at risk and makes the internet less secure, and while surveillance technology may be legal under national or international laws, it is often used in harmful ways to conduct digital espionage against a range of groups,” Google TAG added today.
“These abuses pose a serious risk to online security, which is why Google and TAG will continue to take action and publish research on the commercial spyware industry.”