Variston IT, a Barcelona-based spyware vendor, has reportedly been supplying browser exploits while presenting itself as a provider of custom cybersecurity solutions. Google’s Threat Analysis Group (TAG) disclosed the vendor’s activity on November 30th, reporting that it sells an exploitation framework targeting vulnerabilities in Chrome, Firefox, and Microsoft Defender that have since been patched.
TAG learned of the framework from an anonymous submission to Chrome’s bug reporting program, which brought the vendor to its attention. According to the report, Variston IT posed as a legitimate cybersecurity solutions provider and sold Heliconia, an exploitation framework used to remotely install spyware on victims’ devices. Heliconia bundles three separate exploit chains, which makes it more capable than a single-purpose spyware implant.
Google’s Threat Analysis Group (TAG) on Variston IT
The three components are Heliconia Noise, Heliconia Soft, and Files. Heliconia Noise deploys an exploit for a Chrome renderer bug followed by a sandbox escape, allowing the payload to run on the underlying operating system. Heliconia Soft delivers a Windows Defender exploit inside a malicious PDF document, turning Windows’ built-in antivirus engine into the point of entry. Files contains a set of Firefox exploits used to compromise Windows- and Linux-based machines.
Google observed that the Firefox exploits in Heliconia target specific releases, namely Firefox versions 64 to 68. Browsers receive security updates continuously, and Google, Microsoft, and Mozilla had already fixed the vulnerabilities in question during 2021 and early 2022.
Although Variston IT is reported to sell its spyware on dark web forums, it has not been observed carrying out active exploitation itself; Google believes the vulnerabilities were likely exploited as zero-days before the respective vendors released patches for their browsers. Spyware is among the most damaging classes of malware because it silently collects confidential information from its targets, which are typically large corporations, government entities, and communities.
It is, in the end, a type of malware that can sit quietly alongside legitimate resources on a target system and stay hidden for years. Once it has infiltrated a device, it harvests sensitive information and internet usage data and sends it to advertisers, data brokers, or other third parties.
Google has advised users to keep their web browsers, including Google Chrome and Firefox, up to date with the latest security patches from their vendors, since fully patched software is the most direct protection against Heliconia.