Barcelona-based surveillance vendor Variston IT appears to have covertly planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox and Windows, some of which date back to December 2018.

“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the tools needed to deliver a payload to a target device,” Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a report.

How does this spyware “work”?

Variston, which has a corporate website (with questionable graphics), claims to “offer tailored information security solutions to our customers”, “design custom security patches for any type of proprietary system” and support “the discovery of digital information by [law enforcement agencies]”, among the other services it lists.

The vulnerabilities, which Google, Microsoft and Mozilla patched in 2021 and early 2022, are believed to have been used as zero-days to help Variston's customers install malware of their choosing on targeted systems.

Heliconia comprises three components, Noise, Soft and Files, responsible respectively for delivering exploits against Chrome, Windows (through Microsoft Defender) and Firefox.

Noise exploits a security hole in Chrome's V8 JavaScript engine that was fixed in August 2021, chained with an unknown sandbox escape method called “chrome-sbx-gen”, to install the final payload (the “agent”) on targeted devices.

The attack, however, requires the victim to visit a booby-trapped web page that triggers the first-stage exploit (as so often, the first step of an intrusion is taken unknowingly by the user).

The purchaser can further configure Heliconia through a JSON file that sets parameters such as the maximum number of times the exploits may be fired, an expiration date for the server, redirect URLs for non-targeted visitors, and rules that specify when a visitor is to be considered a valid target. Gating of this kind is also why a single visit from an analyst's machine often yields only the decoy redirect rather than the exploit.
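To make that gating concrete, the following is an added example written for this page, not Variston's code nor anything published by TAG. It models the decision a Heliconia-style landing page makes per visit in Python: fire limit, server expiry, redirect URL and targeting rules. The JSON key names, the sample values and the matching criteria (IP range plus User-Agent substring) are assumptions; the report only describes the kinds of parameter.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample config. The parameter kinds (fire limit, expiry,
# redirect, targeting rules) follow the article; key names and values
# are assumptions made for this example.
SAMPLE_CONFIG = json.dumps({
    "max_exploits": 2,
    "exp_date": "2021-09-01T00:00:00+00:00",
    "redirect_url": "https://decoy.example/",
    "targets": [
        {"ip_ranges": ["203.0.113.0/24"], "user_agent_contains": "Chrome/91."}
    ],
})


@dataclass(frozen=True)
class Visitor:
    ip: str
    user_agent: str


class ExploitGate:
    """Per-visit decision: deliver the exploit or redirect to the decoy."""

    def __init__(self, config: dict):
        self.max_exploits = int(config["max_exploits"])
        self.exp_date = datetime.fromisoformat(config["exp_date"])
        self.redirect_url = config["redirect_url"]
        self.rules = config["targets"]
        self.fired = 0  # server-side count of exploit deliveries so far

    @classmethod
    def from_json(cls, text: str) -> "ExploitGate":
        return cls(json.loads(text))

    def _matches(self, rule: dict, visitor: Visitor) -> bool:
        # A visitor is a valid target only if it satisfies every criterion
        # in at least one rule (hypothetical semantics).
        addr = ip_address(visitor.ip)
        in_range = any(addr in ip_network(r) for r in rule.get("ip_ranges", []))
        ua_ok = rule.get("user_agent_contains", "") in visitor.user_agent
        return in_range and ua_ok

    def decide(self, visitor: Visitor, now: datetime) -> tuple[str, str | None]:
        """Return ("exploit", None) or ("redirect", decoy_url)."""
        if now >= self.exp_date:                     # server expired
            return ("redirect", self.redirect_url)
        if self.fired >= self.max_exploits:          # fire limit reached
            return ("redirect", self.redirect_url)
        if not any(self._matches(r, visitor) for r in self.rules):
            return ("redirect", self.redirect_url)   # not a valid target
        self.fired += 1
        return ("exploit", None)


def simulate(config_json: str, visits: list[tuple[Visitor, datetime]]) -> list[str]:
    """Run a sequence of visits through one gate and return the outcomes."""
    gate = ExploitGate.from_json(config_json)
    return [gate.decide(v, t)[0] for v, t in visits]


# Constructed visitors and timestamps for the demonstration.
CHROME_91 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0.4472.106 Safari/537.36"
TARGET = Visitor("203.0.113.7", CHROME_91)       # inside the targeted range
BYSTANDER = Visitor("198.51.100.9", CHROME_91)   # same browser, wrong network
T_ACTIVE = datetime(2021, 6, 1, tzinfo=timezone.utc)
T_EXPIRED = datetime(2021, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Target hits the limit after two deliveries; bystander never sees the exploit.
    print(simulate(SAMPLE_CONFIG, [(TARGET, T_ACTIVE)] * 3))
    print(simulate(SAMPLE_CONFIG, [(BYSTANDER, T_ACTIVE)]))
    print(simulate(SAMPLE_CONFIG, [(TARGET, T_EXPIRED)]))
```

The three checks are ordered so that the cheapest and most decisive ones (expiry, fire counter) run before any per-visitor matching; a real framework would also persist the counter across processes so that restarting the server does not reset the budget.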

Soft is a web framework that serves a decoy PDF document containing an exploit for CVE-2021-42298, a remote code execution flaw in Microsoft Defender that Microsoft fixed in November 2021.

The infection chain in this case involved the user visiting a malicious URL, which served the booby-trapped PDF file; since the flaw lies in Defender's scanning engine, the exploit runs when Defender scans the downloaded file, not when the user opens it.

Files, the third framework, contains a Firefox exploit chain for Windows and Linux built around a use-after-free flaw in the browser that was patched in March 2022 (CVE-2022-26485); the bug is believed to have been exploited since at least 2019.

Google TAG said it became aware of the Heliconia framework after receiving an anonymous submission to its Chrome bug reporting program; it also noted that it currently sees no evidence of these security holes being exploited, suggesting either that the toolset has been put to “sleep” or, on the contrary, that it has evolved further.

The development comes more than five months after the tech giant's security division linked a previously undocumented Android spyware dubbed Hermit to an Italian software company called RCS Lab.

“The growth of the spyware industry puts users at risk and makes the Internet less secure, and while surveillance technology may be legal under national or international law, it is often used in malicious ways to conduct digital espionage against a variety of groups,” the researchers concluded.