Google’s Threat Analysis Group (TAG) has identified a Spanish IT company as the likely developer of an exploitation framework that targets patched vulnerabilities in Chrome, Firefox and Microsoft Defender.
Google TAG says the Barcelona-based software firm is one of these commercial surveillance vendors, not merely a provider of custom security solutions as it officially claims.
“Continuing this work, today, we’re sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions,” Google TAG’s Clement Lecigne and Benoit Sevens said on Wednesday.
“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.”
The exploitation framework consists of multiple components, each targeting specific security flaws in software on the targets’ devices:
- Heliconia Noise: a web framework for deploying a Chrome renderer bug exploit followed by a Chrome sandbox escape to install agents on the targeted device
- Heliconia Soft: a web framework that deploys a PDF containing the Windows Defender exploit tracked as CVE-2021-42298
- Heliconia Files: a set of Firefox exploits for Linux and Windows, one tracked as CVE-2022-26485
For Heliconia Noise and Heliconia Soft, the exploits would ultimately deploy an agent named ‘agent_simple’ on the compromised device.
However, the sample of this framework analyzed by Google contained a dummy agent that runs and exits without executing any malicious code.
Google believes that the framework’s customers supply their own agent, or that the agent belongs to another project to which Google does not have access.
Although Google, Mozilla, and Microsoft patched the targeted vulnerabilities in 2021 and early 2022, and there is currently no evidence of active exploitation, Google TAG says that “it appears likely these were utilized as zero-days in the wild.”
There is no official confirmation from Variston IT on this news.