SecurityWeek

Cyberwarfare

Google Links Exploitation Frameworks to Spanish Spyware Vendor Variston

Google’s Threat Analysis Group (TAG) has linked three exploitation frameworks, as well as several vulnerabilities that were likely used as zero-days at some point, to a Spanish commercial spyware vendor named Variston.


On its website, Variston says it provides custom security solutions. The Barcelona-based company offers security products and custom patches for embedded systems, including industrial control systems (ICS) and IoT. It also offers data discovery services and training.

Google became aware of Variston’s products after receiving an anonymous submission in the Chrome bug bounty program. The reporter provided information on three vulnerabilities and the analysis of the reports led TAG researchers to Variston.

Google has identified three exploitation frameworks: Heliconia Noise, a web framework for deploying Chrome exploits; Heliconia Soft, a web framework that deploys a Windows Defender exploit via a PDF file; and Heliconia Files, which contains Firefox exploits for Windows and Linux.

Heliconia Noise is described in a manifest file as a “1-click full chain for Google Chrome without persistence reaching medium integrity”. Google says it can be used to deliver a Chrome renderer exploit, followed by a sandbox escape and agent installation in the post-exploitation stage. The victim needs to access a malicious webpage to trigger the first-stage exploit. “Medium integrity” here is the standard Windows integrity level of an ordinary user process: the chain breaks out of the renderer sandbox and runs code as the logged-in user, but does not elevate to administrator or SYSTEM and does not survive a reboot.

The renderer vulnerability was patched in August 2021. It was not assigned a CVE identifier because Google found it internally rather than through an external report.

Heliconia Soft is designed to exploit CVE-2021-42298, a Microsoft Defender remote code execution vulnerability patched in November 2021. The framework is described as a “Windows Chrome & Chromium Edge 1-click chain without persistency reaching SYSTEM integrity”.

When the victim downloads a specially crafted PDF file, Windows Defender automatically scans it, and the malicious content triggers the exploit during the scan. No further interaction from the user is needed beyond the download, and because Defender’s scanning engine runs with SYSTEM privileges, the chain lands at SYSTEM integrity rather than at the browser user’s level, which is why a single bug yields a higher-privilege result than the Chrome chain.

As for Heliconia Files, it delivers a Firefox exploit chain for Windows and Linux. It leverages CVE-2022-26485 for remote code execution, which Mozilla patched with an emergency Firefox update in March 2022 after learning of in-the-wild exploitation from Chinese cybersecurity firm Qihoo 360. The chain’s sandbox escape, a vulnerability affecting Firefox for Windows, was addressed without a CVE in September 2019.

While the vulnerabilities targeted by the Heliconia frameworks are now patched, all of them were likely exploited as zero-days before Google, Mozilla and Microsoft learned of their existence and released fixes. The Firefox remote code execution flaw, for instance, is believed to have been exploited by the Variston product since at least 2019. The practical implication for defenders is that the patch dates above mark when the exploits stopped being zero-days, not when they stopped being used: unpatched browsers and Defender engines remain viable targets for these chains.

“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” Google said.

This is not the first commercial spyware vendor whose activities and tools have been analyzed by Google. The company has also published reports on Israel-based NSO Group and Italy-based RCS Lab.

Google was also informed recently by Avast about a Chrome zero-day vulnerability exploited by Israel-based spyware vendor Candiru.

Related: Google Reveals Spyware Vendor’s Use of Samsung Phone Zero-Day Exploits

Related: Chrome Flaw Exploited by Israeli Spyware Firm Also Impacts Edge, Safari

Related: Calls Mount for US Gov Clampdown on Mercenary Spyware Merchants

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
