“Commercial Spyware” Vendor Linked to Exploitation Framework Using Zero-Days in Chrome, Firefox and Windows

A spyware vendor in Spain has been linked to a zero-day exploitation framework that impacted Windows, as well as the Chrome and Firefox browsers, from 2018 to 2021.

Variston IT, based in Barcelona, publicly bills itself as a security firm. The exploitation framework is not advertised on its website, and it is unclear exactly who the firm was providing this spyware to.

Spanish spyware exploited Windows Defender’s automatic scans in a zero-click exploit

The exploitation framework was outlined by Google’s Threat Analysis Group in a recent blog post. Though Variston IT does not advertise or claim the spyware, the Google researchers presented markers found in its code, including a script that is signed by the company.

The “Heliconia” framework targets a set of vulnerabilities that were fixed by Google, Microsoft and Mozilla from early 2021 into 2022. Based on the versions of Firefox that the vulnerability is present in, the researchers believe that the spyware may have been used from as early as late 2018. Google’s “Safe Warnings” vulnerability scanning system will now detect and warn about the exploitation framework when navigating to online files that contain it, as will recent updates of Windows Defender.

Detection of the exploitation framework came via an anonymous report to the Chrome bug bounty program. Updating Windows Defender is particularly important, as the “Heliconia Soft” component of the spyware makes use of a bug in older versions that allows for a zero-click exploit as Defender automatically scans an inbound malicious PDF file. The Chrome renderer bug requires opening a malicious file or URL with the browser, as does the Firefox exploit chain (which can work in both Linux and Windows, though the Windows version contains a unique sandbox escape element).

The analysis did not propose a specific vulnerability window, but the Firefox exploit is tailored to take advantage of a vulnerability present in versions 64 to 68 of the browser. Firefox 64 was released in December 2018, making it the earliest known point at which there is evidence for the exploitation framework being viable in the wild (Firefox 69 was released in September 2019). The Google researchers say that they did not find direct evidence of it being exploited, but that the length of time the spyware was available combined with it apparently coming from an exploit vendor indicates that someone probably made use of it at some point.

Variston IT denies connection with exploitation framework

Though the company’s name appears in the exploitation framework code, Variston IT director Ralf Wegner responded to media inquiries by saying that the company “would be surprised” if such an item was found in the wild. Commercial spyware outfits generally try to cover their tracks by claiming that they only sell to legitimate governments for law enforcement purposes, but the company’s seeming denial that the product even belongs to them raises even more questions than usual about when and where it was used.

The Google researchers note that the commercial spyware market is doing brisk business, and may be rapidly growing out of control. This is in spite of the public attention paid to Israel’s NSO Group in the past two years and the legal actions taken against it, which include sanctions. As was demonstrated by NSO’s Pegasus spyware, the more advanced of these firms often sell exploitation frameworks with major OS or messaging app zero-day exploits that remain unknown and unpatched until they have been exploited in the wild for months. The Google researchers have also issued a warning and write-up about Pegasus, which made use of a zero-day in iMessage to compromise iOS devices without requiring the user to open the malicious message or even click on anything at all. Apple has since patched out that vulnerability, but Pegasus remains available and is assumed to still be in use in numerous countries with repressive governments.

And as Google’s prior threat activity warnings indicate, NSO Group is not the only player lurking in the exploitation framework market. The researchers have issued a similar threat write-up for Italy’s RCS Lab, which provides spyware tools targeted at Android and iOS devices. This vendor’s tools require clicking on malware links in messages, but are a greater risk than usual as the group appears to work with local ISPs when possible to disable the target’s mobile connectivity and then send a malware-laced message with instructions to re-enable it.

Another player in the spyware market, Candiru, is also based out of Israel. This vendor has provided an exploitation framework based on a Chrome browser zero-day vulnerability, which Google has said it has patched. Prior to the patch, journalists in Lebanon, Turkey, Yemen, and Palestine were targeted with the malware.

Chris Clements, VP of solutions architecture at Cerberus Sentinel, notes that many of these spyware vendors are simply initial access brokers that have attempted to add a veneer of legitimacy by working with governments: “Commercial spyware vendors operate in a space that in any other context is indistinguishable from cybercrime. The exploits they develop and surveillance functions of their products are indeed by definition malware. These organizations often shield themselves from legal consequences by claiming to only sell their tools for ethical use by governments and law enforcement; however these claims have been repeatedly found to be untrue for some spyware vendors. Really the only difference between these organizations and the Ransomware as a Service vendors and initial access brokers on the dark web are their target customers and the level of polish put into their product. Unfortunately, there is often little oversight in ensuring that these companies adhere to their stated ethical standards in who they sell to and whom their customers target with their products. Because these products are professionally developed for the commercial market, they are often as user friendly as they are devastatingly effective in compromising their targets by employing zero-day or near zero-day exploits that have little or no defense. Ultimately there is little that a person or organization targeted with such tools can do to protect themselves and the tools are used relatively sparingly compared to other mass market malware. As a result, they can go undetected by defenders and manufacturers for lengthy periods. General advice that’s helpful, however, is to always keep your devices and software as up to date as possible with security patches, and if a person is worried about being targeted, employ the use of emerging solutions like Apple’s recently introduced “lock down mode” to limit your exposure at the expense of some conveniences and functionality.”