
Chrome, Defender and Firefox 0-days linked to commercial IT company in Spain

    The word ZERO-DAY is hidden between a screen full of ones and zeros.

    Google researchers said Wednesday they have linked a Barcelona, Spain-based IT company to the sale of advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.

    Variston IT bills itself as a provider of custom information security solutions, including embedded supervisory control and data acquisition (SCADA) technology and Internet of Things integrators, custom security patches for proprietary systems, data discovery tools, security training, and the development of secure protocols for embedded devices. According to a report from Google’s Threat Analysis Group (TAG), Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to stealthily install malware on the devices they want to spy on.

    Researchers Clement Lecigne and Benoit Sevens said the frameworks were used to exploit n-day vulnerabilities, that is, bugs that had been patched recently enough that some targets had not yet installed the fixes. There is also evidence that the frameworks were used while the vulnerabilities were still zero-days. The researchers are publishing their findings in an effort to disrupt the spyware market, which they said is booming and endangers a range of groups.

    “TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, putting Internet users around the world at risk,” they wrote. “Commercial spyware gives governments advanced surveillance capabilities that they use to spy on journalists, human rights activists, political opposition and dissidents.”

    The researchers then cataloged the frameworks, which they received from an anonymous source through Google’s Chrome bug reporting tool. Each came with instructions and an archive containing the source code. The frameworks are named Heliconia Noise, Heliconia Soft and Heliconia Files, and contain “mature source code that can implement exploits for Chrome, Windows Defender and Firefox respectively”.

    The Heliconia Noise framework includes a cleanup script that scrubs the binaries it produces before they are shipped, so that they contain no strings that could tie them back to the developers. As the image of the cleanup script shows, the list of bad strings includes “Variston”.
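Here is what such a release-time check looks like, as an added example: a Python scrubber, not Variston’s script, and not code from the TAG report. Only the string “Variston” on its deny list comes from the report; the other deny-list entries and the sample bytes are constructed. It scans both 8-bit and UTF-16LE encodings, because Windows binaries commonly carry wide strings that a plain `strings`/grep pass misses, and it overwrites hits with same-length filler so the file layout is unchanged. The same scan is what an analyst runs over a captured sample when hunting for leftover attribution strings.

```python
from __future__ import annotations

import sys
from dataclasses import dataclass

# Hypothetical deny-list. "Variston" is the one entry the TAG report shows;
# the other two are constructed placeholders (a code name and a build path).
BAD_STRINGS = ["Variston", "heliconia", "C:\\Users\\dev\\"]

# Encodings to search. A naive ASCII-only scan misses UTF-16LE strings,
# which are the norm for resources and many literals in Windows PE files.
ENCODINGS = ("utf-8", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    needle: str     # deny-list entry that matched
    encoding: str   # encoding in which it was found
    offset: int     # byte offset of the match in the blob


def _find_all(haystack: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in haystack."""
    start = 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return
        yield i
        start = i + 1


def find_bad_strings(blob: bytes, bad: list[str] = BAD_STRINGS) -> list[Hit]:
    """Case-insensitively locate every deny-listed string in every encoding.

    bytes.lower() only folds ASCII letters and never changes length, so
    NUL bytes (UTF-16LE padding) survive and reported offsets are exact.
    """
    hay = blob.lower()
    hits: list[Hit] = []
    for needle in bad:
        for enc in ENCODINGS:
            for off in _find_all(hay, needle.lower().encode(enc)):
                hits.append(Hit(needle, enc, off))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def scrub(blob: bytes, bad: list[str] = BAD_STRINGS) -> tuple[bytes, list[Hit]]:
    """Overwrite each hit in place with same-length filler.

    The filler is encoded like the hit, so a UTF-16LE string stays a valid
    UTF-16LE string and the file size and section offsets never change; a
    length-changing edit would corrupt a PE or ELF.
    """
    hits = find_bad_strings(blob, bad)
    out = bytearray(blob)
    for h in hits:
        filler = ("X" * len(h.needle)).encode(h.encoding)
        out[h.offset:h.offset + len(filler)] = filler
    return bytes(out), hits


# Constructed stand-in for a build output: a fake PE header, an 8-bit
# string mentioning the vendor and a UTF-16LE code name.
SAMPLE_PE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Built by variston tools\x00"
    + "Heliconia".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    cleaned, found = scrub(data)
    for h in found:
        print(f"{h.offset:#010x}  {h.encoding:<9} {h.needle!r}")
    print("clean" if not found else f"scrubbed {len(found)} hit(s)")
    # A real release gate would refuse to ship while find_bad_strings(data)
    # is non-empty rather than silently patching the artifact.
```

Run it with a file path to scan a real artifact, or with no arguments to scan the constructed sample, which yields one 8-bit hit (`variston` at offset 0x1d) and one UTF-16LE hit (`Heliconia` at 0x2c). After scrubbing, a second pass finds nothing and the output is byte-for-byte the same length as the input.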


    Variston officials did not respond to an email requesting comment for this article.

    The frameworks exploited vulnerabilities that Google, Microsoft and Mozilla patched in 2021 and 2022. Heliconia Noise contained both a Chrome renderer exploit and an escape from the Chrome security sandbox, which is designed to confine untrusted code to a restricted environment that has no access to sensitive parts of the operating system. Because Google found these Chrome bugs internally, they were not assigned CVE identifiers.

    Heliconia Noise can be configured by the customer to set things like the maximum number of times the exploit is served, an expiration date, and rules specifying when a visitor should be considered a valid target.

    Heliconia Soft contained a booby-trapped PDF file that exploited CVE-2021-42298, a bug in the JavaScript engine of the Microsoft Defender Malware Protection Engine that was fixed in November 2021. Simply sending the document to a target was enough to gain SYSTEM privileges on Windows, because Windows Defender automatically scans incoming files and no user interaction was needed.

    The Heliconia Files framework included a fully documented exploit chain for Firefox on Windows and Linux. It exploits CVE-2022-26485, a use-after-free vulnerability that Firefox patched in March 2022. The researchers said that Heliconia Files had likely been exploiting the code execution vulnerability since at least 2019, long before it was publicly known or patched. It worked against Firefox versions 64 to 68. The sandbox escape that Heliconia Files relied on was fixed in 2019.

    The researchers painted a picture of an exploitation market that is increasingly out of control. They wrote:

    TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities previously available only to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet more insecure. While surveillance technologies are legal under national or international laws, they are often used in malicious ways to conduct digital espionage against a range of groups. This abuse poses a serious risk to online security. Therefore, Google and TAG will continue to take action and research the commercial spyware industry.

    Variston joins other exploit vendors including NSO Group, Hacking Team, Accuvant and Candiru.