
Spanish spyware outfit uncovered, develops exploits for Windows, Chrome, and Firefox

Google was only able to discover the company after an anonymous submission was made to its Chrome bug reporting programme

Google has tied a previously unknown spyware operation to a private company in Spain after receiving an anonymous tip-off regarding the malicious activity.

Its Threat Analysis Group (TAG) said the evidence suggests that Barcelona-based Variston IT developed an exploit framework that leveraged zero-days in Windows Defender, Firefox, and Chrome.

Google said the operation tied to Variston IT had developed the Heliconia framework, which was itself split into smaller frameworks that exploited different systems and applications, such as Windows and Chrome. The product gives customers all the tools needed to deploy a payload to a target device.

The frameworks included mature source code that could deploy the exploits. The first was Heliconia Noise, a web framework used to deploy an exploit for a Chrome renderer bug, followed by a sandbox escape.

Heliconia Soft was a separate web framework that dropped a malicious PDF to exploit a vulnerability in Windows Defender. The third and final framework was called Files - it consisted of a set of exploits targeting Firefox versions on both Windows and Linux systems.

The three vendors whose products were targeted, Microsoft, Mozilla, and Google, fixed the vulnerabilities in 2021 and early 2022. Google said it had not detected active exploitation of the now-patched vulnerabilities, but assessed that they were likely used as zero-days in earlier attacks.

The tech giant only became aware of the Heliconia framework when it received an anonymous submission to its Chrome bug reporting programme.


“The submitter filed three bugs, each with instructions and an archive that contained source code,” said Google TAG researchers in a blog post. “They used unique names in the bug reports including ‘Heliconia Noise’, ‘Heliconia Soft’, and ‘Files’.

“TAG analysed the submissions and found they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.”

Heliconia Noise, for example, leaked the name of the company in a line of code that prevented the framework from generating binaries containing strings such as 'Variston'.

The same for loop in Heliconia Noise's code also leaked the aliases of the developers who worked on the project: majinbuu, janemba, and freezer, all references to characters in the Dragon Ball manga franchise.

Google said that commercial spyware is used by governments to spy on journalists, human rights activists, and political opposition through its advanced surveillance abilities. The tech giant is aiming to disrupt the threat of these types of companies to protect users and raise awareness of the industry, it said.

IT Pro has contacted Variston for comment. It appears to be registered at an address in Barcelona and was founded by Jayaraman Ramanan and Ralf Dieter Wegener in 2018, according to Datos Cif, a Spanish database containing information about companies. Deloitte is also named as its auditor.
