Google accuses Variston IT of exploiting Firefox, Chrome
Variston IT, a Barcelona-based surveillance software vendor, has been accused of deploying spyware on targeted devices by exploiting a series of flaws in Google Chrome, Mozilla Firefox and Windows, dating back to December 2018.
Its Heliconia framework exploits Chrome, Firefox and Microsoft Defender vulnerabilities and provides all the tools needed to deliver a payload to a target device. Variston's website claims the company provides custom security solutions to customers, designs custom patches for all systems, and supports digital information discovery.
The vulnerabilities were patched by Google, Microsoft and Mozilla in 2021 and early 2022; they are believed to have been exploited as zero-days to help customers install malware of their choice on target systems.
Heliconia Components
Heliconia includes three components, Noise, Soft and Files, each responsible for exploiting bugs in Chrome, Windows and Firefox respectively.
Noise
Noise is designed to exploit a security flaw in the Chrome V8 JavaScript engine that was patched in August 2021, combined with an unknown sandbox escape method called "chrome-sbx-gen", to install the final payload on the target device.
However, for the attack to complete, the victim must first visit the web page that triggers the first stage of the chain.
Heliconia Noise uses a JSON file to set parameters such as the maximum number of times the exploit may be served, the server expiration date, redirect URLs for non-target visitors, and rules for deciding when a visitor should be considered a valid target.
Soft
Soft is a web framework designed to deliver a PDF document that uses a remote code execution vulnerability, CVE-2021-2298, affecting Microsoft Defender, patched by Redmond in November 2021. In this phase, the user visits a malicious URL which then serves the weaponised PDF file.
Files
Files, the third framework, contains an exploit chain for Firefox on Windows and Linux that uses a use-after-free bug (CVE-2022-2685) fixed in the browser in March 2022. However, it is suspected that the bug may have existed since 2019.
Google's Threat Analysis Group (TAG) reported that it became aware of the Heliconia attack framework after receiving an anonymous submission to the Chrome bug reporter. It further noted that there is currently no evidence that the kit has been discontinued or further developed.
The development comes more than five months after the tech giant's security team linked a previously undocumented Android mobile spyware program, Hermit, to the Italian software developer RCS Lab.
Surveillance technology may be legal under national or international law. However, it is often abused to conduct digital espionage against a range of groups.