Google accuses Spanish spyware company of ties to zero-day exploitation framework
A Spanish commercial spyware company is likely tied to an exploitation framework known to take advantage of vulnerabilities in Chrome, Firefox and Microsoft Defender, according to new research.
Google’s Threat Analysis Group said the Heliconia framework – which “provides all the tools necessary to deploy a payload to a target device” – is likely linked to Variston IT, a company based in Barcelona.
“Although the vulnerabilities are now patched, TAG believes the exploits were used as 0-days before they were fixed,” the researchers said in a blog post.
Variston did not respond to requests for comment. On its website, the company says it provides custom security solutions.
TAG said it first became aware of the Heliconia exploitation framework when an anonymous researcher submitted three bugs to their Chrome bug reporting program.
According to Google, the submission contained instructions and source code with unique names like “Heliconia Noise,” “Heliconia Files,” and “Heliconia Soft.” The files contained frameworks for deploying exploits in the wild, and a script in the source code included clues pointing to the possible developer of the exploitation frameworks: Variston IT.
TAG worked with Project Zero researchers Ivan Fratric and Maddie Stone as well as V8 Security Team’s Stephen Röttger.
“While we have not detected active exploitation… It appears likely these were utilized as zero-days in the wild. TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files,” the researchers said.
Google highlighted its past work tracking commercial spyware vendors like Variston for years, noting in Wednesday’s blog that their most recent research “underscores that the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe.”
The researchers said commercial spyware vendors have developed capabilities that were previously only available to governments “with deep pockets and technical expertise.”
Even though much of this technology is legal under national or international laws, several recent revelations around companies like the NSO Group have shown that these tools are typically used in “harmful ways to conduct digital espionage against a range of groups.”
The framework
Google, Microsoft and Mozilla fixed all of the vulnerabilities that were part of the Heliconia exploitation framework in 2021 and earlier this year.
“Heliconia Noise” was a framework for exploiting a Chrome bug that was fixed in August 2021, while “Heliconia Soft” is a web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298, a bug in the JavaScript engine of Microsoft Defender Malware Protection that was fixed in November 2021.
The third framework was “Heliconia Files,” which contained a fully documented Firefox exploit chain for Windows and Linux. It exploits CVE-2022-26485, a use-after-free vulnerability that was reported in March 2022 as being exploited in the wild.
Google researchers said the package had likely been used to exploit the vulnerability since at least 2019, long before it was publicly known and patched.
“The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting it may have been in use as early as December 2018 when version 64 was first released,” TAG researchers said.
“Additionally, when Mozilla patched the vulnerability, the exploit code in their bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest the exploit author is the same for both the Heliconia exploit and the sample exploit code Mozilla shared when they patched the bug.”
Google reiterated that it is committed to working against commercial spyware firms by “disrupting these threats, protecting users, and raising awareness of the risks posed by the growing commercial spyware industry.”
Google previously released a report on spyware from an Italian firm used against targets in Kazakhstan, Syria and Italy.
The report was published on the same day that 15 journalists and other members of El Faro, one of the leading sources of independent news in Central America, filed a lawsuit against spyware firm NSO Group.
The company has been at the center of controversy over the last two years after it was implicated in the hacks of devices owned by several world leaders.
NSO Group was blacklisted by the U.S. government last year after it was revealed that its Pegasus tool was used to hack into the phones of several U.S. State Department officials in Uganda.
Citizen Lab has worked with multiple news outlets throughout the year to reveal the scale of NSO Group's work. In July, the "Pegasus Project" used information from Amnesty International, Citizen Lab, and Forbidden Stories to uncover that the NSO Group's spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians.
Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted.
“The use of spyware to surveil and intimidate journalists poses a truly urgent threat to press freedom,” said Carrie DeCell, senior staff attorney with the Knight First Amendment Institute, which is representing the journalists.
“American courts must ensure that spyware manufacturers are held accountable for their actions where those actions violate U.S. law.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.