Google discovers a Windows exploit that points to distribution of spyware

Russell Kidson
Dec 1, 2022
Updated • Dec 1, 2022
Windows
|
12

Google’s in-house Threat Analysis Group has recently uncovered an exploit framework that takes advantage of vulnerabilities in web browsers and other system utilities. TAG has also linked the exploit framework to a Spanish software company based in Barcelona. The exploit framework is known to target vulnerabilities in Microsoft Defender, Google Chrome, and Mozilla Firefox.

TAG is primarily one of Google’s expert-led lines of defense against state-sponsored attacks. However, TAG also keeps tabs on companies that let governments spy on political and moral opponents, dissidents, and journalists using tools of the surveillance trade. Officially, the Barcelona-based company claims to be nothing more than a custom security solution provider. However, the truth seems to be much more sinister. According to Google, this Spanish software company is one such commercial vendor of surveillance.

‘Continuing this work, today, we're sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions.’

These are the sentiments of TAG’s Benoit Sevens and Clement Lecigne who recently addressed the team’s findings. TAG also stated that ‘Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.’

ADVERTISEMENT

As TAG found, the exploit framework has three main components:

  • Heliconia Noise: A Web framework that deploys renderer bug exploits. The framework then installs malevolent agents on the target system by deploying a Chrome sandbox escape.
  • Heliconia Soft: A second web framework that carries a PDF payload that contains the Windows Defender exploit currently tracked as CVE-2021-42298.
  • Heliconia Files: A set of exploits for Windows and Linux that target Firefox. One of these is currently being tracked as CVE-2022-26485.

Yesterday, TAG stated that The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws; they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety, which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.’

In other related news, Google is apparently developing tech to replace internet cookies.

Advertisement

Previous Post: «
Next Post: «

Comments

  1. Frankel said on December 1, 2022 at 5:41 pm
    Reply

    >In other related news, Google is apparently developing tech to replace internet cookies.

    May they fail over and over again. The cookie system needs no alternative and I will keep scrubbing their trackers and isolate them for each site as I deem fit.

    FloC, Topics, etc pp. New name, same cyber bingo BS.

  2. John G. said on December 1, 2022 at 5:42 pm
    Reply

    The affected software should give thanks to this spanish company.
    Nothing new under the sun, everyday a new exploit and so forth.

    1. John G. said on December 1, 2022 at 5:44 pm
      Reply

      By the way, what a beautiful word the heliconia. What a beautiful plant with nice flowers, indeed.
      https://en.wikipedia.org/wiki/Heliconia

    2. Frankel said on December 1, 2022 at 5:46 pm
      Reply

      Thanking an exploit hoarding company peddling them to governments of dictatorships and so called democracies? I don’t think their boots’ soles taste that good for me to give them a lick.

      1. John G. said on December 1, 2022 at 7:27 pm
        Reply

        @Frankel, welcome to the modern Europe.

  3. Tony said on December 1, 2022 at 7:13 pm
    Reply

    “Google discovers a Windows exploit that points to distribution of spyware”

    Too late, many systems are already infected with chrome.exe spyware. Now we have an edge.exe variant as well.

    1. John G. said on December 1, 2022 at 7:28 pm
      Reply

      +1
      No, better +10.

  4. Andy Prough said on December 1, 2022 at 7:42 pm
    Reply

    There’s probably hundreds of these companies developing exploits of Chrome and Firefox security vulnerabilities. This Variston IT company must have had a falling out with the American spy community, for the NSA to allow Google to expose them like this. There’s no way a report like this gets released without the NSA checking to see if it exposes American spycraft sources and methods first.

  5. notanon said on December 1, 2022 at 9:50 pm
    Reply

    Mitigations???

    Are Windows, Chrome & Firefox patched???

    This article is incomplete.

    BTW, the “spanish” software company could be providing services to any other government/NGO in the world. Who knows how deep the rabbit hole goes?

  6. Russ James said on December 2, 2022 at 2:49 pm
    Reply

    The writers’ About is wordier than the article.

  7. Anonymous said on December 2, 2022 at 3:00 pm
    Reply

    “TAG also keeps tabs on companies that let governments spy on political and moral opponents, dissidents, and journalists using tools of the surveillance trade.”

    Isn’t Google one of the largest of such companies ?

  8. DontBeEvil said on December 2, 2022 at 4:07 pm
    Reply

    How long before Google unmasks its own garbage? There are many poor redesigns that are useless. Everywhere there are so many unsightly circular corners. Why is their Google Play website currently so diluted? Even sorting comments is no longer possible. It resembles a single awful mobile website with no functionality.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.