Google discovers Windows exploit framework used to deploy spyware

A Spanish company that offers “tailor made Information Security Solutions” may have exploited vulnerabilities in Chrome, Firefox and the Microsoft Defender antivirus program to deploy spyware, researchers with Google’s Threat Analysis Group said Wednesday.

On its website, Variston says it provides custom security solutions. The Barcelona-based company offers security products and custom patches for embedded systems, including industrial control systems (ICS) and IoT. It also offers data discovery services and training.

Google became aware of Variston’s products after receiving an anonymous submission in the Chrome bug bounty program. The reporter provided information on three vulnerabilities and the analysis of the reports led TAG researchers to Variston.

Google has identified three different exploitation frameworks designed for deploying exploits: Heliconia Noise, a web framework for deploying Chrome exploits; Heliconia Soft, a web framework that deploys a Windows Defender exploit via a PDF file; and Heliconia Files, which contains Firefox exploits for Windows and Linux.

Heliconia Noise is described in a manifest file as a “1-click full chain for Google Chrome without persistence reaching medium integrity”. Google says it can be used to deliver a Chrome renderer exploit, followed by a sandbox escape and agent installation in the post-exploitation stage. The victim needs to access a malicious spyware webpage to trigger the first-stage exploit.

A vulnerability allowing the renderer exploit was patched in August 2021, but it was not assigned a CVE identifier as it was internally found by Google.

Heliconia Soft is designed to exploit CVE-2021-42298, a Microsoft Defender remote code execution vulnerability patched in November 2021. The framework is described as a “Windows Chrome & Chromium Edge 1-click chain without persistency reaching SYSTEM integrity”.

When the victim downloads a specially crafted PDF file, Windows Defender scans it, thus triggering the exploit.

While the exploits delivered by the Heliconia frameworks are now patched, they were all likely used as zero-days before Google, Mozilla and Microsoft learned of their existence and released fixes.