Google’s Threat Analysis Group has announced its discovery of an exploit framework that used now-patched vulnerabilities to spread spyware. Spanish IT firm Variston has been linked to the exploit.

A Spanish IT Firm May Have Exploited a Windows Vulnerability

On November 30, 2022, Google's Threat Analysis Group (TAG) announced in a Google blog post that an exploitation framework named "Heliconia" may have ties to the Spanish IT firm Variston. The framework exploited now-patched Chrome, Firefox, and Microsoft Defender vulnerabilities in order to deploy commercial spyware.

Variston, the alleged security solutions provider in question, is based in Barcelona and may have exploited n-day vulnerabilities to spread spyware. N-day vulnerabilities are security flaws for which a patch has already been released, so they remain exploitable only on systems that have not yet been updated. However, TAG's researchers assess that the same flaws were likely exploited as zero-days in the wild before the fixes were available.

Heliconia Framework Can Deploy Commercial Spyware


Google's Threat Analysis Group first became aware of the Heliconia framework through an anonymous submission to the Chrome bug reporting program. The submitter filed three reports, each with instructions and an archive of source code, and coined the name "Heliconia". The three reports were titled "Heliconia Noise", "Heliconia Soft", and "Files", respectively.

Heliconia Noise is a web framework that deploys an exploit for a Chrome renderer bug, followed by a Chrome sandbox escape and installation of the spyware agent. The exploit targeted Chrome versions 90.0.4430.72 to 91.0.4472.106 (builds released between April and June 2021); the underlying bug was fixed in August 2021.
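The version range above is the kind of detail a defender turns into an inventory check. The following Python snippet is an added illustration, not code from Google TAG, Variston, or the original article: it parses Chrome build numbers numerically and flags hosts whose reported version falls inside the range TAG named. The hostnames and versions in the sample inventory are constructed, and the check deliberately does not guess at the August 2021 patched build, since the page does not name it.

```python
"""Flag Chrome builds inside the range TAG reported as affected by the
Heliconia Noise renderer exploit.

Added example, not code from TAG or Variston. The affected range
90.0.4430.72 .. 91.0.4472.106 is taken from TAG's blog post; the
inventory below is constructed sample data.
"""
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

AFFECTED_LOW: Version = (90, 0, 4430, 72)
AFFECTED_HIGH: Version = (91, 0, 4472, 106)


def parse_version(s: str) -> Version:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Comparing ints avoids the classic mistake of comparing version
    strings as text, where '91.0.4472.9' sorts after '91.0.4472.77'.
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {s!r}")
    return tuple(int(p) for p in parts)


def in_affected_range(version: str) -> bool:
    """True if the build lies inside the range TAG named, inclusive."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


def triage_inventory(hosts: Iterable[Tuple[str, str]]) -> List[str]:
    """Return hostnames running a Chrome build inside the affected range.

    Hosts whose version string cannot be parsed are reported as well:
    an unknown build must not silently pass a vulnerability check.
    """
    flagged: List[str] = []
    for host, ver in hosts:
        try:
            if in_affected_range(ver):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory: (hostname, Chrome version reported by the host).
SAMPLE_INVENTORY = [
    ("ws-001", "89.0.4389.128"),  # older than the affected range
    ("ws-002", "90.0.4430.72"),   # first affected build
    ("ws-003", "91.0.4472.77"),   # inside the range
    ("ws-004", "91.0.4472.106"),  # last affected build
    ("ws-005", "92.0.4515.131"),  # newer than the range
    ("ws-006", "unknown"),        # inventory gap, flagged for follow-up
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print("review:", host)
```

Run against a real export of browser versions, the same logic works unchanged; the point of parsing into integer tuples is that a build such as 91.0.4472.9 is correctly treated as older than 91.0.4472.77, which a plain string comparison gets wrong.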

Heliconia Soft is a web framework that delivers a PDF containing a Windows Defender exploit. The "Files" package contains a set of Firefox exploits for both Linux and Windows systems.

Heliconia's purpose is to deliver commercial spyware to targeted devices. As stated in Google's TAG post on the matter, this kind of malicious program puts "advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents."

Google's TAG Is Committed to Tackling Commercial Spyware

Google's TAG concluded its blog post on the Heliconia framework by stating that the "growth of the spyware industry puts users at risk and makes the Internet less safe". Commercial spyware can be abused even where "surveillance technology may be legal under national or international laws".

Because of this danger, Google and TAG have stated that they will "continue to take action against, and publish research about, the commercial spyware industry".

Spyware Poses a Risk to Millions of Internet Users

Spyware can be leveraged to monitor people's digital activity without their permission or knowledge. Private data is vulnerable to theft via spyware, and that data can be used to benefit the attacker or to further target the victim. While commercial spyware may be legal in certain nations, it can still be used unethically and may put citizens at risk. This is why teams like Google's TAG are looking to identify, monitor, and tackle such programs on a continuous basis.