Google researchers said Wednesday they have linked a Barcelona, Spain-based IT company to selling advanced software frameworks that exploit vulnerabilities in Chrome, Firefox and Windows Defender.
Variston IT describes itself as a provider of customized information security solutions, including embedded SCADA (Supervisory Control and Data Acquisition) technology and integrators for the Internet of Things, custom security patches for proprietary systems, data discovery tools, security training, and secure protocol development for embedded devices. According to a report by Google’s Threat Analysis Group, Variston sells another product not mentioned on its website: software frameworks that provide everything a customer needs to stealthily install malware on the devices they want to spy on.
Researchers Clement Lecigne and Benoit Sevens said the exploit frameworks were used to exploit n-day vulnerabilities, flaws that had recently been patched but whose fixes some targets had not yet installed. Evidence suggests, they added, that the frameworks were also used while the vulnerabilities were still zero-days. The researchers are publishing their findings in an attempt to disrupt the spyware market, which they say is booming and poses a threat to a variety of groups.
“TAG’s research underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, posing risks for internet users around the world,” they wrote. “Commercial spyware gives governments advanced surveillance capabilities, which they use to spy on journalists, human rights activists, political opposition and dissidents.”
The researchers then cataloged the frameworks, which they received from an anonymous source via Google’s Chrome Error Reporting program. Each came with instructions and an archive containing the source code. The frameworks were named Heliconia Noise, Heliconia Soft and Files. Each contained “mature source code that can provide exploits for Chrome, Windows Defender and Firefox.”
The Heliconia Noise framework included code to clean binaries before the framework produced them, to ensure they didn’t contain strings that could be traced back to the developers. As the image of the cleaning script shows, the list of bad strings included “Variston”.
Variston officials did not respond to an email requesting comment on this post.
The frameworks exploited vulnerabilities that Google, Microsoft and Firefox fixed in 2021 and 2022. Heliconia Noise included both a Chrome renderer exploit and an exploit for escaping the Chrome security sandbox, which is designed to confine untrusted code to a restricted environment that cannot access sensitive parts of the operating system. Because the vulnerabilities were discovered internally, they have no CVE designations.
Heliconia Noise can be configured by the customer to set things like the maximum number of times the exploits are served, an expiration date, and rules for when a visitor should be considered a valid target.
The Files framework contained a fully documented exploit chain for Firefox on Windows and Linux. It exploits CVE-2022-26485, a use-after-free vulnerability that Firefox fixed last March. The researchers said Files had likely been exploiting the code-execution vulnerability since at least 2019, well before it was publicly known or patched. It worked against Firefox versions 64 to 68. The sandbox escape that Files relied on was fixed in 2019.
The researchers painted a picture of an exploit market spiraling out of control. They write:
TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities previously only available to governments with deep pockets and technical know-how. The growth of the spyware industry puts users at risk and makes the Internet less secure, and while surveillance technologies may be legal under national or international law, they are often used in malicious ways to conduct digital espionage against a range of groups. These abuses pose a serious risk to online security, which is why Google and TAG will continue to take action against and publish research about the commercial spyware industry.
Variston joins the ranks of other exploit vendors including NSO Group, Hacking Team, Accuvant and Candiru.