"Google Links Three Exploitation Frameworks to Spanish Commercial Spyware Vendor Variston"

Google's Threat Analysis Group (TAG), while tracking the activities of commercial spyware vendors, discovered three exploitation frameworks that are likely linked to Variston IT, a Spanish firm. Variston publicly describes itself as a provider of custom security solutions and custom patches for embedded systems. According to TAG, the frameworks include exploits for n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, together with the tooling needed to deliver a malicious payload to a target device. The vulnerabilities, in products from Google, Microsoft, and Mozilla, were fixed in 2021 and early 2022; TAG assesses that they were likely used as zero-days before the patches shipped. TAG became aware of the framework, named Heliconia, after an anonymous submission to the Chrome bug reporting program. The submitter reported exploitation frameworks together with instructions and an archive containing source code; the bug reports refer to the three components as "Heliconia Noise," "Heliconia Soft," and "Files." A script in the source code contains clues pointing to Variston IT as the likely developer. Heliconia Noise is a web framework that deploys a Chrome renderer exploit, followed by a Chrome sandbox escape and installation of an agent. Heliconia Soft is a web framework that exploits a Microsoft Defender remote code execution (RCE) vulnerability patched in November 2021: the victim downloads a specially crafted PDF file, Windows Defender scans it, and the scan triggers the exploit. Heliconia Files provides a Firefox exploit chain for Windows and Linux. This article continues to discuss the three exploitation frameworks Google linked to Variston IT.

Security Affairs reports "Google Links Three Exploitation Frameworks to Spanish Commercial Spyware Vendor Variston"

Submitted by Anonymous on