Google Reports This Barcelona Company Sells Spyware For Chrome, Firefox, And Windows Defender
JAKARTA - Google Threat Analysis Group (TAG) found a Barcelona-based company selling spyware exploiting Chrome, Firefox, and Windows Defender vulnerabilities to carry out contract surveillance on targeted Personal Computers (PCs).
The vulnerability is zero-day when the company exploits it, but Google, Mozilla, and Microsoft patch it in 2021 and early 2022.
Zero-day is a broad term that describes the recently discovered security vulnerability and can be used by hackers to attack the system. A zero-day attack comes as hackers exploit a weakness before developers have a chance to tackle it.
Furthermore, the company is an IT Variston that calls itself a dedicated information security solution provider, including technology for embedded SCADA (data surveillance and acquisition control) and Internet of Things integrator, a special security patch for proprietary systems, tools for data discovery, security training and development of secure protocols for embedded devices.
But according to TAG's report, Variston IT sells other products that are not mentioned on its website, such as software frameworks that provide everything customers need to secretly install malware on devices they want to spy on.
TAG researcher Clement Lecigne and Benoit Sevens said the exploit framework was used to exploit the n-day vulnerability, which has been patched recently so several targets haven't installed it yet.
Evidence suggests the framework is also used when the vulnerability is zero-day. The researchers revealed their findings in an attempt to disrupt the spyware market, which they said was booming and pose a threat to various groups.
Launching TechSpot, Friday, December 2, the framework comes with the names Heliconia Noise, Heliconia Soft, and Files. It contains adult source codes capable of implementing exploits for Chrome, Windows Defender, and Firefox.
Heliconia Noise exploits Chrome renderer vulnerabilities in versions 90.0.4430.72 (April 2021) to 91.0472.106 (June 2021). It can execute long-distance codes and exit the Chrome sandbox to the user's operating system. Google fixed the exploit in August 2021.
As it says, IT Varistons can also attack Windows Defenders, namely antiviral defaults for Windows 10 and 11 through PDF files containing exploits. PDFs will be distributed when users visit infected URLs, trigger Windows Defender scanning and start a chain of infections. Microsoft patched the exploit in November 2021.
Finally, the Heliconia Files used the Windows and Linux Firefox exploit chain to execute long-range codes in the Mozilla browser. The Windows version contains the escape of the sandbox patched by Mozilla in 2019. Another piece of the malicious package was reported in March 2022, but may have been in use since December 2018.
The IT Variston is similar to the NSO Group which sells tools that allow the government to spy on devices belonging to journalists, dissidents, and diplomats. Until November last year, Apple sued NSO Group and its parent company for spreading spyware found on the iPhone of US diplomats.