Google Accuses Spanish Company Variston IT of Creating Spyware and Exploiting 0-Day

Google's Threat Analysis Group (TAG) accuses the Spanish company Variston IT of developing spyware, specifically exploitation frameworks that target already-patched vulnerabilities in Chrome, Firefox and Microsoft Defender.

Let me remind you that we recently reported that Google Sued G Verifier Scammers Who Posed as Company Representatives, and also that Google Claims RCS Lab Hacking Tools Are Being Used to Target iOS and Android Users.

According to its official website, Variston IT positions itself as a provider of customized information security solutions: it offers services to SCADA and IoT integrators, custom patches for proprietary systems and data discovery tools, and also provides security training and develops security protocols for embedded devices.

However, TAG researchers write that Variston IT sells another product not mentioned on the site: frameworks that give a customer everything needed to install malware on the devices of surveillance targets.

"Their Heliconia platform exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools needed to deploy payloads to target devices," the TAG report reads.

According to the researchers, the company’s frameworks consist of several components, each of which targets specific vulnerabilities on target devices:

  1. Heliconia Noise: a web framework that exploits a rendering bug in Chrome, then escapes the browser sandbox and installs malware on the target device;
  2. Heliconia Soft: a web framework that delivers a PDF containing an exploit for a vulnerability in Microsoft Defender (CVE-2021-42298);
  3. Heliconia Files: a set of Firefox exploits for Linux and Windows, one of which targets the CVE-2022-26485 vulnerability.

Ultimately, both Heliconia Noise and Heliconia Soft deploy an agent called "agent_simple" on the target system. However, the framework sample studied by Google contained only a dummy agent that started and immediately exited without executing any malicious code. The researchers believe that users of the framework supply their own agents, or that the real agent belongs to another project to which the researchers did not have access.

Google TAG says it learned of Heliconia after receiving anonymous submissions through Chrome's bug reporting program. The researchers believe the company exploited these vulnerabilities before the patches were released, while they were still zero-days.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
